OIM Manual Provisioning

Hi,
Just wondering how I would set up manual provisioning for ROs requested in OIM which do not have connectors? i.e. I want to send a notification to the resources admin teams asking them to manually provision following approval in OIM?

Go to Create User Task > Assignment Tab > Select your user or group there
You'll see option to send email there.
Don't attach any adapter in Integration tab of this task.

Similar Messages

  • OIM-OID Provisioning - OID Group PrePopulate Approach :

    Hi,
    I am working on OID Connector 9.0.1.14 with OIM 11.1.1.5.
    I have reconciled all the Roles and Groups from OID to OIM and can successfully provision users to the OID along with membership to these specific Roles and Groups.
    I want to prepopulate the OID Group based on certain attribute from the OIM User form. My Approach so far is :
    1) Created an Entity Adapter with a variable : say Org and GroupName.
    2) Set the Logic as if Org = XYZ (XYZ does exist on OIM) set GroupName as = "OID Group 1" else set GroupName as = "OID Group 2"
    3) Attached this adapter to the "OID User Group" form on the "Data Object Manager" at the pre-insert stage.
    4) Mapped the Adapter variable as :
    a) Org Maps to "Organization Definition" with the qualifier "Organization Name"
    b) GroupName maps to the "Entity Field" with the qualifier "UD_OID_GRP_GROUP_NAME"
    However nothing seems to happen when I create/modify a user with Organization Name as XYZ and manually Provision the OID Resource. I can see the form but nothing is populated in the Group Field. Upon completing the request, I get the user provisioned to OID but without any Group information.
    Is my approach right ? Am I missing something ?

    Here is what I have done for a client. My requirement was for a given department, a user must have a list of groups provisioned to them. So here is what I've done:
    1. Create a lookup that has Code Key = Department, Decode = CN of the groups in a delimited format.
    2. Create a provisioning task that will look at the department code from the user form, reference the lookup and find the decode values. Split them based on a delimiter. Then using each value, lookup the code key value from the real lookup that contains the full distinguished name of the group in the OID Group lookup. I even appended the IT Resource Key and ~ so that my search would be Decode or Code = "IT Resource Name~CN=<CN VALUE>%". This would return only the single group code key value. And then I add it to the child table. Repeat this for all the values in the delimited field.
    3. Create a provisioning task that removes the values from the child table based on the delimited value. You'll need to search through the existing child table values.
    Once you have the 2 tasks, you'll want to add a value to your Lookup.USR_PROCESS_TRIGGERS that is your group determining field. Create your task name in this lookup. On your provisioning workflow, for the Adding of the groups task, make this unconditional, and have a preceding task of the Create User. Give it the name from your Lookup.USR_PROCESS_TRIGGERS and append " - Add Groups" to the task name. Create another task called the same, but append " - Delete Groups" to the task name. On the Add Groups task, make the preceding task the Delete groups. When you map your inputs to the adapters, on the delete, select the old value check box from the User Form so that you get the old value. Now, when the value changes on the user form, it will first remove the old groups, then add the new ones. All this will be done using the child table APIs, so that the existing Insert and Delete task triggers for your child table will run.
    -Kevin
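
The lookup-driven group assignment described in the reply above, as an added example that is not code from the post or from OIM: plain Python collections stand in for the two lookups and the group child table, and every name and sample value is constructed. It assumes a `|` delimiter and ends the search prefix at the comma after the CN so that one CN cannot match a longer group name.

```python
# Added illustration; plain Python stand-ins, not OIM API calls.
DELIMITER = "|"  # assumed delimiter for the department lookup's Decode

# Constructed lookup 1: Code Key = department, Decode = delimited group CNs.
DEPT_GROUPS = {
    "Finance": "FinUsers|Reporting",
    "Engineering": "Developers|Reporting",
}

# Constructed lookup 2: group lookup code keys, "<IT resource>~<group DN>".
GROUP_CODE_KEYS = [
    "OID Server~cn=FinUsers,cn=Groups,dc=example,dc=com",
    "OID Server~cn=Developers,cn=Groups,dc=example,dc=com",
    "OID Server~cn=Reporting,cn=Groups,dc=example,dc=com",
    "OID Server~cn=ReportingAdmins,cn=Groups,dc=example,dc=com",
    "OID Server~cn=VPN,cn=Groups,dc=example,dc=com",
]


def split_groups(decode):
    """Split a delimited Decode value into clean CN values."""
    return [cn.strip() for cn in decode.split(DELIMITER) if cn.strip()]


def resolve_group(it_resource, cn):
    """Return the single code key starting with '<IT resource>~CN=<cn>,'.

    The trailing comma ends the match at the RDN boundary, so 'Reporting'
    cannot also match 'ReportingAdmins'. Anything other than exactly one
    hit is an error rather than a guess.
    """
    prefix = f"{it_resource}~cn={cn},".lower()
    hits = [key for key in GROUP_CODE_KEYS if key.lower().startswith(prefix)]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} groups match {cn!r}; expected exactly 1")
    return hits[0]


def groups_for_department(it_resource, department):
    """Resolve every group code key configured for a department."""
    decode = DEPT_GROUPS.get(department, "")
    return {resolve_group(it_resource, cn) for cn in split_groups(decode)}


def sync_groups(child_table, it_resource, old_department, new_department):
    """Apply the two tasks in order: delete old groups, then add new ones.

    child_table is a set standing in for the group child table. Both group
    sets are resolved first so a bad lookup entry fails before any change.
    """
    to_remove = groups_for_department(it_resource, old_department)
    to_add = groups_for_department(it_resource, new_department)
    removed = sorted(child_table & to_remove)
    child_table -= to_remove          # "Delete Groups" task, old value
    added = sorted(to_add - child_table)
    child_table |= to_add             # "Add Groups" task, new value
    return removed, added


if __name__ == "__main__":
    table = {GROUP_CODE_KEYS[0], GROUP_CODE_KEYS[2], GROUP_CODE_KEYS[4]}
    print(sync_groups(table, "OID Server", "Finance", "Engineering"))
    print(sorted(table))
```

Groups granted outside the department mapping (the constructed `VPN` entry) survive the change because only the old department's groups are removed.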

  • Manual Provisioning task throwing error

    In OIM 10g we have a manual provisioning task which is assigned to a user. When he tries to click Set Response he is getting 'UNKNOWN' also as one of the options with the other two options 'Complete' and 'Cancel'. Also when trying to Complete the provisioning process it throws an error as
    DOBJ.SCHTM_SCH_DATA_CHANGED
    Schedule data cannot be changed once it has been set.
    Please let me know what might be the cause. Thanks
    Regards,
    Durgaprasad

    Hi Kevin,
    Thanks for your reply. I don't have a process task adapter attached to this task. I have a task assignment adapter only. Also I don't have any clue why 'UNKNOWN' option is getting displayed in the set response page.
    Regards,
    Durgaprasad

  • No email notification from manual provisioning task - 11gR2

    I have a disconnected application instance and I am using the standard DisconnectedProvisioning flow for provisioning - modified to assign the provisioning task to a group, using a rule which determines the group via the app. instance name.
    The flow itself works as expected and the Manual Task in the flow is assigned to the correct group - the task shows up in the Inbox of the member of the group in the Self Service console
    I would like to send an email to the user when the task is assigned and I have therefore configured SMTP Notification according to this http://allidm.com/blog/2012/11/configuring-smtp-notifications-in-oracle-identity-manager-11gr2/
    I have confirmed that the SMTP server works as expected - I am able to send and receive message using this server.
    On the Notification Tab of my Manual Task I have configured:
    General:
    Status: Assign / Recipient: Assignees
    Status: Complete / Recipient: Initiator
    Status: Error / Recipient: Owner
    Advanced:
    Remind Once: 0 days, 0 hours, 1 minute "After Assignment"
    Encoding: UTF-8
    Make Notifications Secure: False
    Show worklist/workspace URL in notification: True
    Make notification actionable: True
    Send Task attachment: False
    Group Notification Configuration: "Send individual emails" 
    I have redeployed my DisconnectedProvisioning flow to my SOA server a couple of times - remembering not to change the version number and to force overwriting the existing flow.
    My SOA and IDM servers have been restarted as well.
    When requesting the disconnected application instance using the catalog, the manual provisioning task is assigned to the correct user - however - he does not receive any email nor do I send any errors or stack traces from my SOA or IDM servers.
    There must be some check box somewhere that I forgot to tick!
    Does anybody have an idea - did I forget to configure something?
    Kind regards,
    - Tom

    Ok - so I did in fact forget to tick a check box!
    After setting up UMS using this: http://docs.oracle.com/cd/E27559_01/admin.1112/e27149/notification.htm#CACCEDGF and enabling notifications via:
    Enterprise Manager, SOA, soa-infra, SOA Infrastructure drop-down, SOA Administration, Workflow Config:
    Notification Mode: Email
    After restarting my SOA and OIM managed servers - I now receive emails as expected.
    Case closed :-)
    Kind regards,
    - Tom

  • OIM 11gR2 provisioning with GTC

    Hello,
    We are currently implementing Oracle Identity Manager 11gR2, and we are having difficulties with the implementation of the provisioning from OIM to the Target Systems exposed through a webservice on Oracle Service Bus.
    We are using the Generic Technology Connectors as a basis of working. And initially we have created a GTC with only reconciliation Transport & Format Providers:
    Connector Name TargetSystem1
    Transport Provider (Provisioning):
    Format Provider (Provisioning):
    Transport Provider (Reconciliation): Database Application Tables Reconciliation
    Format Provider (Reconciliation): Database Application Tables Reconciliation
    We have configured the Process Definition of TargetSystem1 with all the operations (Create User, Update User, Enable User, Disable User, Delete User, etc.) connected with custom Java implementations, that are working just fine if we trigger them from Eclipse. The “Create User” task has only “Required for Completion”, “Allow Cancelation while Pending” and “Allow multiple instances” check boxes set to CHECKED; it also has all the fields in Integration TAB mapped, Responses mapped, but when we create a User in OIM and provision it with an account on the TargetSystem1_GTC Application Instance, the provisioning process is not accessing the “Create User” task to make the provisioning in the target system. The user that we are trying to provision has the account Status set to “Provisioning” and the Account Type set to “Unknown”. We have also checked the logs of OSB, but there is no activity there, because no request from OIM is being received.
    After we investigated more closely the Oracle documentation for the Generic Technology Connectors we discovered that if we do not select Transport & Format Providers during the GTC creation, then the corresponding steps are not performed and they are not initialized, thus the provisioning cannot be done. The documentation also states that if we need to create custom providers in order to make the Provisioning with the GTC, but unfortunately we have no knowledge or any examples on how to do such custom providers for the provisioning of Users from OIM on the target systems via the Oracle Service Bus.
    We have installed a second GTC with both provisioning and reconciliation Transport & Format Providers:
    Connector Name: TargetSystem2
    Transport Provider (Provisioning): Web Services
    Format Provider (Provisioning): SPML
    Transport Provider (Reconciliation): Database Application Tables Reconciliation
    Format Provider (Reconciliation): Database Application Tables Reconciliation
    The Web Services and SPML options were the only options that we could select from the out of the box connectors that are installed, and we did not find any other connectors in the download section of Oracle for this product, that can accommodate such communication. So, we configured the provisioning accordingly, and modified the “Create User” task from the TargetSystem2_GTC Process Definition, in order to use our custom adaptor instead of the adpTargetSystem2_GTC adapter that was preset when the TargetSystem2_GTC is created. But this does not help us, because the provisioning is not done, and the “Create User” task is not used. The user that we are trying to provision has the account Status set to “Provisioning” and the Account Type set to “Unknown”.
    Next we tried to see if the GTC can be used to communicate directly with the OSB, using the Web Services Transport Provider and SPML Format Provider, and we did not make any modifications to the after the normal installation of the TargetSystem2 GTC. In this case we can see that the OSB is being accessed by OIM, but unfortunately this case does not help us also, because the operations implemented on the OSB webservice have a different structure than the one SPML expects as default:
    Caused by: com.thortech.xl.gc.exception.XSDValidationException: The SOAP response does not contain a valid SPML response type. Should be one of these -->addResponse modifyResponse deleteResponse resumeResponse suspendResponse setPasswordResponse
    Do you have any suggestion on how to make the provisioning process work?
    Edited by: user1717356 on 22.10.2012 03:22

    Hi,
    I think you need to put this check only for few attributes?
    If yes, then let's suppose you want to have a check for the Country field in the database which, once modified by the target Admin, OIM should know about.
    1) Create one dummy field CountryDummy (Hidden) in the OIM TargetProcess form and don't map it to any target attributes. This dummy field will only store values populated from OIM user profile to -> DB Connector Process Form.
    2) On success of "Reconciliation Update Received", put a custom process task which does a comparison with "CountryDummy" & "Country" and informs Admin using email notifications that this mismatch has been found.
    HTH,
    ~J

  • Manual Provisioning implementation in 11gR2

    I am new to 11gR2. I need to migrate an app from 10g to 11gR2.
    It has a RO and an object form and process form, an approval workflow and once approval is done it should be manually provisioned by a user in a particular group based on the result from a task assignment adapter. How to translate the same to work in R2. Please let me know the steps in detail which would be of great help to me . Thanks in advance.

    find the below link for multilevel workflow approach
    Multi Level Approval Workflow
    create workflow in oim11gr2(Oracle DOC)
    http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/request.htm#CIHFBEFB
    http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/request.htm#BABFFJID
    Once you are done with the above, create an Approval policy for both Request and Operational level.

  • OIM approval / provisioning workflows

    Hi All
    I have a query about OIM approval / provisioning workflows.
    Application X (e.g. Active Directory) has an OOTB connector which can provision the user and manage his role in the application. The user can raise request for role change via OIM Admin console.
    My query - Can I configure access policy/user group for creation of a base user identity in the application X. This will create user identities for all users in application X without any roles. Later user should be able to request for roles and upon approval, his role should be updated in application X.
    Can this scenario be implemented with any OOTB connector with provisioning and role approval workflows in place? Do you see any complexity in this? Please provide your comments.

    The base provisioning can be done using access policies.
    If you want request based role management in pre OIM 11g you would have to do it over custom ROs. There are a couple of ways to do this.
    The easiest way to do is to combine the approaches in these two postings and create a custom RO that moves the user into an OIM group that has an attached access policy that manipulates the child table on the base target system RO.
    http://iamreflections.blogspot.com/2010/09/oim-howto-one-resource-object-per.html
    http://iamreflections.blogspot.com/2010/09/oim-howto-target-system-group.html
    Please take a look and see if this is understandable. I probably should write another entry that addresses this specific use case.
    /Martin

  • OID manual provisioning from OIM

    Hi,
    While provisioning users in OIM and giving them certain entitlements, when I provision a user with the OID IT resource, it gets added to OID automatically. I want to do this provisioning manually, that is, approval based.
    The goal is to give required access to a new User in the system by following standard approval process and manual creation of the user in respective target systems.
    How can this be achieved?
    following reports need to be generated:
    •     User creation was approved/rejected by Manager.
    •     User creation was approved/rejected by Manager.
    •     User creation was approved/rejected by Manager.
    Edited by: Chhavi Saluja on Jan 31, 2010 10:17 PM

    The user in your it resource, do you have it lowercase? Also, does the user exist in your target?
    -Kevin

  • OIM - Users provisioned with different resource form versions

    Hi !!
    we are having some problems with different resource form versions and maybe you can help us.
    We have two different versions of one resource form. One of them has 2 extra fields.
    Some users were provisioned with that resource with the previous form version (no extra fields) and some with the new one (extra fields).
    The problem is that now, if we try to edit that resource for the users with the old version, we are not able to edit or even see the information for those extra fields.
    It seems that they have been associated with the old version and we need to change it in order to make them use the new one. Is that possible? How can we fix that?
    Thanks in advance.

    Alternatively you can manually update the form version in the OIM database.
    If it is a small number of forms it might be easier to do that than to bother with fvc.
    Best regards
    /Martin

  • OIM Failed provisioning

    Hi All
    I have integrated OIM with OID as target resource. Suppose OID goes down for some time. I want to know whether OIM will automatically retry the failed tasks in case the target OID was down for some time or the OIM admin will have to retry the task manually again.
    How do we keep a track of how many tasks have failed since the OID was down. Has someone faced such case in past.
    Thanks

    How do we keep a track of how many tasks have failed since the OID was down.
    Another possible approach is, create a group say OID Support Officer and give him menu item To-Do List Open Tasks menu item to see Open Provisioning Tasks in Admin Console. In OID process definition go to Assignment tab of Create User task then select target type as Group and select this group under Group lookup.
    Now login as user who belongs to the group OID Support Officer and you can see number of rejected tasks under Open Provisioning Tasks.

  • Invalid Naming Error while creating user in OIM and provisioning to OID

    Hi,
    I am trying to create users in OIM. As per the access policy, the users will be directly provisioned to OID. When I am creating users in OIM, it's showing provisioning for OID user resource. The create user task is rejected with error as
    "Response: Invalid Naming Error
    Response Description: Naming exception encountered"
    If anybody is getting these error, then please suggest a solution.
    Thanks.

    logs ???
    Are you provisioning any custom attributes of different object classes? Make sure you include those object classes as well; go to the connector documentation for adding the object classes... maybe some configuration lookup, I guess.
    Thanks
    Suren
    Edited by: Suren on Jul 6, 2010 7:41 PM

  • ADD new fields in OIM to provisioned on OID

    Hello,
    I need a confirmation about these steps to add a new field to be provisioned to OID.
    The new field is called slClient.
    Do I need to do all these steps?
    1- Resource Object
    OID User --> Object Reconciliation (tab), add Field: sl Client --> String
    Xellerate User --> Object Reconciliation (tab) , add Field: sl Client --> String
    2- Form Designer
    UD_OID_USR --> add : UD_OID_USR_ CLIENT --> sl Client
    3- Lookup definition
    AttrName.Recon.Map.OID --> Add: sl Client --> slClient ( this is what field name in OID database)
    AttrName.Prov.Map.OID --> Add: sl Client --> slClient ( this is what field name in OID database)
    4- Process Definition
    OID User --> Reconciliation Field Mappings (tab), Add field map: sl Client --> UD_OID_USR_ CLIENT( this is what in Form Designer)
    Xellerate User --> Reconciliation Field Mappings (tab), Add field map: sl Client --> Letter Client (what is defined in User Defined Field Definition)
    5- User Defined Field Definition
    Users --> Add Letter Client --> USR_UDF_LTR_CLIENT ( this is what in OIM database)
    I need to validate also the relationship, between all the components.
    thanks,
    TG

    I believe for trusted reconciliation with OID, the OOTB connector does not allow for additional attributes to be populated on the Xellerate User object. I believe it only retrieves a set list of attributes that are required for creating an OIM user and also adds in the additional values for Xellerate Role, and Xellerate Type, and Organization.
    I would suggest you create a new Resource Object, marked as trusted, called OID Trusted. Duplicate your recon lookup to have only values needed for your trusted recon. Create an event handler/entity adapter on your Users data object which will populate the Xellerate Role, Xellerate Type, and Organization to populate these values. Then create a provisioning process definition with no additional tasks. Map all your reconciliation fields to your Xellerate User object. Then create a duplicate scheduled task of the OOTB OID recon and set your Resource Object to OID Trusted. Also, don't forget to create a recon rule and set your recon action rules. Run the recon and there you go.
    -Kevin

  • OIM-OID provisionning issue with external plug in with AD

    Hi OIM/OID Guru's,
    We are using OIM with OID connector and having external authentication plug-in feature of OID with AD. Here we are using OID for user profile storage and doing password validation by using external plugin through AD however we have been facing one issue which is mentioned below :-
    Whenever we are creating any user in through OIM and found that user is provisioned to the OID target source but populating wrong value of attribute orclSourceObjectDN in OID process form:-
    orclSourceObjectDN = cn=OIDTEST3,CN=Users,DC=oracle-test,DC=oracle,DC=com
    correct value should be orclSourceObjectDN =cn=OIDTEST3,CN=Users,DC=oracle,DC=com
    we don't have any container in OID with DC=oracle-test however not sure how the process form is picking up this value?
    However could you please put more light why it is appending wrong DN in OIM process form? Where should i check for this from OIM side?

    Hi Dear,
    thanks for your reply and we are using OIM 9.x version. Checked Root DN value as you suggested (see below snap shot for oid resource definition):-
    Admin Id     cn=username
    Admin Password     *******
    Group Reconciliation Time Stamp     
    Last Target Delete Recon TimeStamp     
    Last Target Recon TimeStamp     
    Last Trusted Delete Recon TimeStamp     
    Last Trusted Recon TimeStamp     
    Port     6060
    Prov Attribute Lookup Code     AttrName.Prov.Map.OID
    Prov Group Attribute Lookup Code     AttrName.Group.Prov.Map.OID
    Prov Role Attribute Lookup Code     AttrName.Role.Prov.Map.OID
    Role Reconciliation Time Stamp     
    Root DN     DC=oracle,DC=com
    SSL     false
    Server Address     My server name
    Use XL Org Structure     false

  • OIM 10g provision takes long and gives DOBJ UPDATE FAILED

    Hi.
    We recently added a resource but its provisioning process takes about 1 minute to complete.
    When a user makes a request for lets say 10 users, when the request is approved, the web page tries to wait until all the 10 user provisioning process is finished but that means 10 minutes waiting and OIM gives DOBJ.UPDATE_FAILED. I assume this is a timeout.
    How can I configure OIM (10G) to do all the provisioning process in background so there will not be needed to wait a lot of time watching a stall page when the (last approval step) approve button is pressed ?
    Thanks.

    It's a Webservice which makes a LOT of transactions and takes a lot doing them, we cannot change its behavior because it was built by someone else.
    Offline Provisioning Explains a lot!
    Even fixes a Rollback problem we were having caused by connectivity problems with some target Systems.
    Thank YOU!

  • OIM - Manual Task Execution

    Hi All,
    Let me show you my problem. I've defined a provisioning process for a generic resource; in this process I added a task assigned to a specific group.
    When I test the provisioning process, the system assigns the task correctly but, when I try to set a response to the task in order to complete it, OIM raises an error:
    oracle.iam.request.exception.NoRequestPermissionException: IAM-2050075:User with the key 17 does not have permissions on the request 521
    If I set my group as inheriting from REQUEST ADMINISTRATOR it works, but my group must NOT view the administration console of the OIM or all the requests.
    How can I resolve the problem? Is there some authorization that I can give to my group to do this?
    PS. I've just tried to give my group the same authorizations as the REQUEST ADMINISTRATOR role but it doesn't work.
    Please help me!
    Thanks

    Now my group is administrator in all of the involved objects:
    - Authorizer on Resource Object
    - Administrator write/delete on Resource Object
    - Administrator write/delete on the UD form
    - Administrator write/delete on the Process Definition
    but still it doesn't work, I always receive oracle.iam.request.exception.NoRequestPermissionException.
    Is there a way to give the right request permission directly?
