[OIM] Proxy User with groups

Dear people,
I have a scenario where there is a resource with an approval workflow with 2 steps: in the first, the Manager of the requester is the one who must approve. In the second step, a group is assigned as the one that has to make the approval.
I give a proxy to the Manager and another proxy to one of the group members.
When the workflow reaches the Manager approval step, it is automatically assigned to the proxy (what I expected).
The problem arises when the workflow reaches the group approval step: the assignment is still made to the user that is a member of the group, not to his proxy user. Is this an OIM limitation? Is there some workaround?
Thanks!

Hi,
When we assign the task to a group, if the proxy user is part of that particular group then he has that task automatically, so why duplicate the task? And if the proxy user is not a member of the group, then he is not authorized to have that task, because he is not a member of that group. The user set him as a proxy for himself, not for the group.
I hope this answers your query....
Regards
Alabhya Goel

Similar Messages

  • Proxy user with limited privileges

    Hi Expert,
    Wanted to know if there is any way to restrict proxy user with certain privileges.
    For example, if I'm logging in as fnadvi[scott]/password... in this circumstance, fnadvi would override all the privileges from SCOTT user.
    And can do insert/update/delete/select whatever under schema SCOTT.
    <quote>
    BANNER
    Oracle Database 11g Release 11.2.0.2.0 - 64bit Production
    PL/SQL Release 11.2.0.2.0 - Production
    CORE 11.2.0.2.0 Production
    TNS for Linux: Version 11.2.0.2.0 - Production
    NLSRTL Version 11.2.0.2.0 - Production
    </quote>
    Is there any way, that I can setup for user:fnadvi to select certain tables, update certain tables and so on?
    The default proxy user can do anything as SCOTT can do.
    Thanks

    The short answer is NO.
    With Oracle everything is prohibited, except that which is explicitly GRANTED.
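
The proxy grant itself accepts a role list, which limits the roles a proxy session can enable, but privileges the target account holds directly or as schema owner still apply. The following is an added example, not part of the original thread: it proxies fnadvi into a separate non-owner account instead of SCOTT. The names app_limited, scott_read_role and scott_write_role, the password, and the use of the SCOTT demo tables emp and dept are assumptions.

```sql
-- Added example (not from the thread). Hypothetical names: app_limited,
-- scott_read_role, scott_write_role. Run as a DBA.

-- 1. Target account that owns no objects, so it carries no implicit
--    owner rights over SCOTT's tables. Password is a placeholder.
CREATE USER app_limited IDENTIFIED BY "Placeholder_Change_Me_1";
GRANT CREATE SESSION TO app_limited;

-- 2. Roles holding only the object privileges that are wanted.
CREATE ROLE scott_read_role;
GRANT SELECT ON scott.emp  TO scott_read_role;
GRANT SELECT ON scott.dept TO scott_read_role;

CREATE ROLE scott_write_role;
GRANT UPDATE ON scott.emp TO scott_write_role;

GRANT scott_read_role, scott_write_role TO app_limited;

-- 3. fnadvi may connect as fnadvi[app_limited], but only scott_read_role
--    can be enabled in that proxy session (scott_write_role cannot).
ALTER USER app_limited GRANT CONNECT THROUGH fnadvi WITH ROLE scott_read_role;

-- 4. Remove the unrestricted path through the schema owner.
ALTER USER scott REVOKE CONNECT THROUGH fnadvi;

-- 5. Review which proxy grants exist and how they are flagged.
SELECT proxy, client, authentication, flags
  FROM proxy_users
 WHERE proxy = 'FNADVI';

-- 6. From inside a session opened as fnadvi[app_limited]:
--    who is the proxy, who is the session user, which roles are active.
SELECT SYS_CONTEXT('USERENV', 'PROXY_USER')   AS proxy_account,
       SYS_CONTEXT('USERENV', 'SESSION_USER') AS target_account
  FROM dual;
SELECT role FROM session_roles;
```

Auditing on SYS_CONTEXT('USERENV', 'PROXY_USER') keeps the real end user visible even though the session runs as app_limited.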

  • How can OIM provision users with same Display Name in AD?

    I can create users with same First Name, Middle Name and Last Name (same Display Name) in OIM if they have different UserId.
    But I can not provision two users with same Display Name to one Organization Unit in AD, the resource provisioning shows
    Status: Rejected
    Response: AD user already exists
    Can AD be configured to create users with same Display Name (different UserId) in one OU, or would I have to create logic in OIM to modify the display name so it gets accepted by AD?
    Thanks!

    Thanks Nitesh. Also, I can create the user with same DN in different OU's, not in same OU.
    I agree, once we determine that the same cn exists in one OU, I can modify the display name by appending a number at the end or something. I understand the logic but I need more details on how to specify this logic in the pre-pop adapter, can you please share more details.
    Thanks a lot!

  • ORA-28183 when connect proxy user with password from java

    1. Create user on database 10.2.0.1.0
    create user scott identified by tiger;
    create user jeff identified by secnt;
    grant connect, resource to scott;
    grant create session to jeff;
    alter user jeff grant connect through scott authenticated using password;
    2. Try to open proxy session from java
    // Connect as the proxy account (scott), then open a proxy session for jeff.
    DriverManager.registerDriver(new OracleDriver());
    Connection conn = DriverManager.getConnection("jdbc:oracle:thin:@//db.garage:1521/ILINK", "scott", "tiger");
    if (conn != null && conn instanceof OracleConnection) {
        Properties properties = new Properties();
        properties.put(OracleConnection.PROXY_USER_NAME, "jeff");
        properties.put(OracleConnection.PROXY_USER_PASSWORD, "secnt");
        ((OracleConnection)conn).openProxySession(OracleConnection.PROXYTYPE_USER_NAME, properties);
        // Close only the proxy session; the physical connection stays open.
        ((OracleConnection)conn).close(OracleConnection.PROXY_SESSION);
    }
    conn.close();
    3. Got the following error for step 2
    Exception in thread "main" java.sql.SQLException: ORA-28183: proper authentication not provided by proxy
         at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:138)
         at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:316)
         at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:277)
         at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:272)
         at oracle.jdbc.driver.T4CTTIoauthenticate.receiveOauth(T4CTTIoauthenticate.java:647)
         at oracle.jdbc.driver.T4CConnection.doProxySession(T4CConnection.java:852)
         at oracle.jdbc.driver.PhysicalConnection.openProxySession(PhysicalConnection.java:1548)
         at ch.tie.cluster.Test.run(Test.java:30)
         at ch.tie.cluster.Test.main(Test.java:19)
    4. If i grant connect without using password like:
    alter user jeff grant connect through scott
    everything is fine, but i need password authentication.
    Thanks in advance.

    Did you try using the OCI driver?

  • Can I change the Home Folder of users with Group Policy (or in another centralized way)?

    I know how to change the Home folder of users from AD Users & Computers -> their Properties -> Profile tab. But this is not very practical when one has users spread across many OUs, and with users being added and removed often.
    So I am wondering whether there is a way to do the same with a GPO. The closest thing I found was Folder Redirection, with which I can change the location of particular profile folders for each user, but not the location of the whole profile.
    Is there a way to redirect the entire location of users in a centralized way, using a GPO or some other means?

    I would recommend reading this about the management of roaming profiles: http://technet.microsoft.com/en-us/library/cc784961(v=ws.10).aspx
    You can involve the use of PowerShell scripts for the management of roaming profiles:
    http://social.technet.microsoft.com/wiki/contents/articles/12460.powershell-automate-roaming-profile-folder-permissions.aspx
    http://gallery.technet.microsoft.com/scriptcenter/Check-if-an-AD-user-has-a-45ed5d1c

  • Initial Load - AS ABAP - getting only user with a group

    Hi,
    when i start initial load, i just get users with groups. Is that standard?
    Br,
    Philip

    First of all - you'll need to familiarize yourself with the database for effective learning and debugging. I'm talking about the MS-SQL or Oracle-DB where you installed the IC-schema. It often helps me to understand what's going on behind the scenes.
    Secondly - I read some of your posts - I would advise you to install the dispatcher and everything on the server where the DB is hosted - at least as long as you're in development. The MMC can still be on your local pc/laptop, although some things won't work well there (Import, Dispatcher-Status, ...). This'll ease things a lot I suppose.
    About the service-user... SAP delivers a role you can import into PFCG (SAP_BC_SEC_IDM_.SAP-File in misc-folder of installation media). This role should be sufficient for your communication user, is updated every now and then and contains only the necessary permissions. Maybe you'll have to extend it (Z_SAP_) in case you want to read special tables not supported by the SAP framework (e.g. license data).
    I can hardly believe that the current role assigned to your user only has permissions to users with groups != empty.
    By now I have no clue why you only see users in IdM with groups assigned in SU01... look up the SQL-table I mentioned if there are more users.
    BR
    Michael

  • JDBC Dynamic Credential with proxy users

    Hi
    We've developed an application with Business Components and it's been working very well. We're using JDBC Dynamic Credentials as explained in the document (How to Support JDBC Dynamic Credentials - http://www.oracle.com/technology/products/jdev/howtos/10g/dynamicjdbchowto.html). Now we want to use proxy users with JDBC Dynamic Credentials. How can we use proxy users with JDBC Credentials? What classes or parameters do we need to change?
    I've tested proxy users a lot, but in simple Java classes. I don't know where to set some parameters in business components; for example, where can I set the following parameters?
    OracleOCIConnectionPool.PROXY_USER_NAME
    OracleOCIConnectionPool.PROXYTYPE_USER_NAME
    Thanks in advance
    Liceth

    Hi Frank, thanks again
    Now we are using JDBC Credentials (as explained in the paper http://www.oracle.com/technology/products/jdev/howtos/10g/dynamicjdbchowto.html). Every user connects to the application with a different database user and password, so at database level the administrator can see different usernames (not the same user). Every application user corresponds to a database user, a one-to-one relation. The application works fine with that configuration. But now, for performance, we want to change our application to use proxy users. I read that with proxy users redirected to a single user, the pooled connections are well reused, and at database level you have different usernames. Our principal goal is to use pooling (for performance) and see different usernames at database level, to facilitate administration tasks and auditing.
    We want the application user to authenticate with proxy users (username and password) but we have some problems because we don't know where to specify that we're using proxy users (the parameters OracleOCIConnectionPool.PROXY_USER_NAME and OracleOCIConnectionPool.PROXYTYPE_USER_NAME).
    We want open our connections with the following code:
    OracleOCIConnectionPool ods = new OracleOCIConnectionPool();
    ods.setURL("jdbc:oracle:oci:@"+tnsAlias);
    ods.setUser("user_application");
    ods.setPassword("oracle");
    java.util.Properties prop = new java.util.Properties();
    prop.setProperty(OracleOCIConnectionPool.CONNPOOL_MIN_LIMIT,"3");
    prop.setProperty(OracleOCIConnectionPool.CONNPOOL_MAX_LIMIT,"20");
    prop.setProperty(OracleOCIConnectionPool.CONNPOOL_INCREMENT,"1");
    ods.setPoolConfig(prop);
    java.util.Properties userNameProp = new java.util.Properties();
    userNameProp.setProperty(OracleOCIConnectionPool.PROXY_USER_NAME,"Mark/123");
    Connection conn = ods.getProxyConnection(OracleOCIConnectionPool.PROXYTYPE_USER_NAME,userNameProp);
    with other user
    userNameProp.setProperty(OracleOCIConnectionPool.PROXY_USER_NAME,"Marty/123d");
    Connection conn = ods.getProxyConnection(OracleOCIConnectionPool.PROXYTYPE_USER_NAME,userNameProp);
    Thanks in advance
    Liceth

  • Different database connection or proxy user change

    Hi forms guys,
    in everyday life I am fulltime DBA, so please forgive my spare forms word pool.
    Our users open a forms application that displays a menu with forms applications the user has access to. Users can then click on the menu items and another form pops up. Now having reviewed the code, I can say that the opening of the new forms is done by calling the builtin OPEN_FORM. As parameter "SESSION_MODE" for this function, "SESSION" is supplied. If I understand correctly, this means that another session using THE SAME username/password/connectionstring is created (for the purpose of parallel transactions in parent and child form).
    At the moment each and every user (~400) has its own database account which has roles (depending on the applications they are granted access to) assigned and also sometimes owns dblinks and synonyms. We want to get rid of them by storing the credentials in OID and just create ONE single application user for every application we host. This user shall contain all necessary objects such as dblinks and private synonyms.
    The enduser then logs in using the proxy mechanism. For example if user XYZ (defined in OID) wants to start application ABC, then he/she connects like XYZ[ABC_APPUSER]/XYZPASSWD. This must occur when the form opens, directly after the OPEN_FORM call.
    Now my question: Is this possible somehow? Is there a way to have different database connections within a single forms window, if there are different forms? Or is it possible to make a switch to another proxy user within forms? e.g. JDBC has the ability to quickly switch to an other proxy user, without having to re-establish the whole session.
    All I have read so far tells me, that it is not possible. But I would really like to hear that acknowledged by experts. Also other, perhaps better ideas for our intention are welcome.
    Kindest regards
    Matschbirne

    Not really sure how to answer your question other than to say that from within your form's PL/SQL you can connect and disconnect as often as you like programmatically. However, you can only have one connection at a time (as far as I know). So if you connect as SCOTT and later want to do a login as FRED, you can do so, but SCOTT will no longer be connected.
    Forms does support using Oracle SSO, but for the most part cannot directly access OID. Also, the db login information needed by Forms (when using SSO) is stored in a RAD (Remote Access Descriptor) in OID. The RAD behavior is unique to Forms and Reports. For each SSO user there is a related RAD. At the moment, there is no provided way to have RAD groups (e.g. Admin, Sales, Guests, etc). So each user gets their own RAD.
    If you are using Forms 11.1.x, Forms now supports db proxy users.
    More information about SSO and Proxy users with Forms can be found in the Forms Deployment Guide:
    http://docs.oracle.com/cd/E24269_01/doc.11120/e24477/sso.htm
    In the code, you can control the connection using the LOGON, LOGOUT, and LOGON_SCREEN built-ins. Refer to the Forms Builder online help for details on how to use these.

  • A network error when i tested the connection of a proxy user

    Good evening
    I created a 3-appliance Filr system. Filr 1.1.0.653
    The Filr appliance is in the DMZ and all ports are open between it and the 2 Windows boxes (AD and File Sharing)
    Everything seems well. I could import AD users, create Filr users, and work ...
    But when I want to create a Net Folder server, it is impossible to pass the connection test
    Name : Cn=Administrateur, cn=Users,dc=arcdom,dc=arcane-inf,dc=com (Administrateur because I'm French :=)
    or
    Name : Administrateur
    or
    Name = arcdom\Administrateur
    Click on test connection => a network error occurs
    I tried with a "Filr" AD user with the same ACL as Administrateur, same ...
    The Novell-FAMT is running. (I tried to restart it without success)
    Help .......
    LP Irovetz

    From the documentation:
    Click the Authentication tab, then specify the following information:
    Proxy name and password: Specify the fully qualified, comma-delimited name and password for the proxy user used to access the OES, NetWare or Windows, server. (You can use the Browse icon next to the Proxy field to browse the LDAP directory for the proxy user that you want to use.)
    IMPORTANT: Before you specify a proxy name and password for the Net Folder server, ensure that you review the information in Section 8.1.2, Planning the Net Folder Server Proxy User.
    Test connection: Click this button to ensure that the path is accurate and that the credentials are valid, then click OK after the test succeeds.
    Sometimes proxy users with the incorrect context pass this test. Ensure that the context for your proxy user is correct, as described in Expected Name Format for File Servers.
    Authentication type: Select the authentication service for the file server that you are connecting to. This option corresponds with the Server type setting that you selected on the Configuration tab. If you selected OES or NetWare as the server type, only Novell NMAS is available as the authentication type. If you selected Windows as the server type, you can select either Kerberos, NTLM, or Auto detect as the authentication type. (Auto detect means that it tries authenticating with Kerberos first, and if that fails, authenticates with NTLM.)
    NOTE: If Kerberos is selected as the authentication type, ensure that the DNS name server is able to resolve DNS queries for the Active Directory domains.
    If the Kerberos port (port 88) is disabled on the Windows server, select NTLM as the authentication type.
    So you should use the comma-delimited name for the username... Did you also try browsing for the user using the icon there?
    Does it log any specific error message in the /opt/novell/filr/apache-tomcat/logs/appserver.log file when you try to test the connection?
    Thomas

  • ASA - logging via radius with group name passed.

    Hi,
    I'm trying to setup ASA5520 with Radius to authenticate users with group
    privileges.
    Using Radius with ASA to authenticate users is quite simple. When I try
    to pass from asa tunnel-group name (with group-policy and attributes
    attached) there is a problem that ASA doesn't pass any group name to
    radius.
    Is there any way to overcome it?
    What I want to do is to apply different policies to username depending
    with what tunnel-group name he logs in to webvpn. I assume one user may
    be member of different groups.
    br
    Marcin

    It's possible.
    Differentiate your privileges and restrictions based off of group-policy, not the tunnel-group. Keep your default WebVPN tunnel-group, and do not specify a default group policy for this tunnel-group.
    Create separate group-policies that differentiate what links different groups of users should be presented with. If you're using ACS, link your Cisco Secure Groups to groups in Active Directory (or other method of directory services). The Cisco Secure Groups should then be configured to pass specific RADIUS attributes, such as the "Class" attribute #25. ACS will then tell the ASA to place the user (from Active Directory) into a specific group-policy, which you can then limit URL's shown with the url-list command.
    Long winded, I know...any questions, please ask.

  • Change proxy user

    Hello,
    after I installed Creative Cloud I was asked to insert a proxy user with password.
    I need to change that now, where can I do it? I uninstalled Creative Cloud but it does not ask me for the user again.
    thanks

    Delete opm.db from the machine and restart creative cloud.
    Location of this file:
    Mac: ~/Library/Application Support/Adobe/OOBE (~ means the user's directory. The Library folder is generally hidden under it. The easiest way to get to it is to use the Go to Folder option of the Go menu of Finder and type the path exactly as I typed it, including the ~ symbol)
    Win: %LocalAppData%\Adobe\OOBE (%LocalAppData% is an environment variable defined by windows. Type it in start menu search bar, navigation bar of any open explorer window or run dialogue and it will open the correct folder which usually is \Users\{current_user}\AppData\Local\)
    Regards,
    Anirudh

  • Proxy User (Migrating from edirectory)

    Hi Guys,
    I am sure this question has already come up somewhere in the past but I couldn't find it anywhere. All I am looking for is for someone to guide me in the right direction on "Proxy Users for Active Directory". We are migrating from Novell and we have a number of proxy users with special/minimum rights to perform specific tasks. In this case all I want to create is a proxy user with the following rights:
    Enter/Object Rights - Browse
    CN - Read,Compare
    ObjectClass - Read,Compare
    Guys, any sort of help would be much appreciated. 
    Thanks in advance
    -mEtho

    Hi,
    I am not sure what you want to achieve. The proxy users you mentioned, are they the proxy objects in the article below?
    Understanding Proxy Authentication in AD LDS
    http://technet.microsoft.com/en-us/magazine/2008.12.proxy.aspx
    Best Regards,
    Amy Wang

  • User with 2 permissions assigned via groups, not able to utilize the higher privilege

    User has been assigned Publishing Editor, this was assigned by being a member of a group, where group's permission is publishing editor. 
    In addition, the user has been assigned Reviewer, this also was assigned by being a member of a group, where group's permission is Reviewer. 
    The issue: The user can only perform functions related to the Reviewer role, and can't perform functions available via the Publishing Editor.
    Any Ideas what is going on? 
    *Removing the user from the Reviewer group is not an option. 

    Hi,
    The easiest way is to grant the single user Publishing Editor permission of that folder directly, check if the issue persists.
    Right click on the folder, Properties -> Permissions -> Add the user with Publishing Editor permission.
    Regards,
    Melon Chen

  • Adding users to group www with NetInfo doesn't seem to work

    I've added several users to the www group using NetInfo. As you can see, it seems to have worked:
    whisper:~ mark$ sudo niutil -read . /groups/www
    users: www,mark,rbgramacy
    realname: HTTP Users
    name: www
    generateduid: ABCDEFAB-CDEF-ABCD-EFAB-CDEF00000046
    smb_sid: S-1-5-21-170
    passwd: *
    gid: 70
    However, when I look at what groups I belong to, www is not one of them:
    computer:~ mark$ id
    uid=501(mark) gid=501(mark) groups=501(mark), 81(appserveradm), 79(appserverusr), 80(admin)
    Any ideas as to how I might get the addition of the group to actually kick in? The system won't let either user assigned the www group edit files with group www.

    I wouldn't edit the www group if I were you. That group is used internally by OS X and meddling with it could have unintended consequences.
    I recommend creating your own custom group and adding the users you want to it. Netinfo Manager is not the easiest tool to use for this. Instead, download the Server Admin Tools from Apple and use Workgroup Manager. It makes creating custom groups a snap.

  • How do i set the proxy user in FF 3.6.13, this entry was existing earlier its gone now. using IE with entries in user account pwds works while FF doesn't.

    How do I set the proxy user in FF 3.6.13?
    Previous versions had an entry for proxy user.
    It's gone now.
    Using IE with entries in user account pwds works while FF doesn't.
    Too bad, I have to change back to IE :-(

    You can find the connection settings in Tools > Options > Advanced : Network : Connection
    See "Firefox connection settings" and "Firefox cannot load websites but other programs can".
