OIM Reports for BIP Role Membership

Similar Messages

• Health Report for existing role in support and upgrade documentation

  Hi Experts,
  I am looking for create a report or using existing report/FM (if any) which will show new objects been thrown for a role with there SAP suggested values when we use PFCG expert mode merge option. I think this will be very helpful for support person to health check for roles and during upgrade in step 2C documentation people can save a hell lot of time. I do not have ABAP knowledge. Can anyone help me on this?
  Regards,
  Arpan Paik

  Hi Julius,
  I have been to that wiki before and one by you as well (regarding upgrade steps). For current upgrade I have also noticed that SU25 step2B is not only left with customer related changes only. Where USOBT_C/USOBX_C has same values as of USOBT/USOBX there update to customer table automatically happened in step2A. So 2B left with very less changes where customer prefer the standard way!!!
  What I am looking for is actual authorization change delta. Step2C gives us only list of roles get affected. I am lookimg for what change actually can happen to a single piece of role due to upgrade.
  I have followed below method.
  1. Join table USOBT_CD and USOBT_C to see actual proposal for changed transaction and corresponding auth object. Here I had to perform few excel work to remove data repetation
  2. Then take old data for roles from AGR_1251
  3. Put together above 2 data and after proper sorting by object manually remove the data which SAP does by expert mode merge function.
  Can this step be automated by some ABAP code? or function module?
  Otto wrote :
  If I start/ when I start and still remember this thread, I will update it
  Please do so and thanks for sharing thoughts.
  Regards,
  Arpan Paik

• OIM Reports for Organisation Level

  Hi
  We have configured out of the box OIM reports, and we have multiple organisations with org level admins to manger their organization.
  We observe that reports allowed to these admins can see all users in OIM (with users of other organisation). Wanted to know how do we configure reports such that only org level reports are generated (I.e. Org level admins can only see reports under his portfolio/organization)
  This is urgent requirement; appreciate if any one can help. Thanks in advance.

  The reports use PL/SQL code so they would not leverage the standard API. It is very possible that implementing organization filtering simply was missed.
  The easiest way to solve this is to simply create custom reports. Not very hard once you know have to do it but requires a little bit of initial learning effort.
  Do you have any resources that have created custom reports or at least someone that knows how to code PL/SQL?
  Best regards
  /Martin

• Nesting of Rules for Auto Group (Role) Membership Rules in OIM 11gR2

  Does anyone know how to nest rules for auto group (role) membership in OIM 11gR2. The General rules in Design Console are no longer used for auto group membership and the rules that can be configured in the Role properties cannot be nested as far as I can see.
  Any info is appreciated.
  Thanks!

  My mistake... this is possible in the web ui.

• OIM 11g: Issue while evaluating rule for Role Membership

  Hello All,
  I have configured few General Rules using 2 of our User Defined Fields, these general rules are used to determine role membership.
  What we observed that once "Identity Status" attribute is set to "Disabled" for OIM User Profile then OIM stops evaluating these configured General Rules for Role Membership.
  Env Details:
  Product Version: Oracle Identity Manager 11.1.1.5.0
  App Server: WebLogic Server Version: 10.3.5.0
  OS: Red Hat Enterprise Linux Server release 5.5
  Database: Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64 bit
  Please let me know if any of you have encounter this issue and if there is any workaround available for it.
  Thanks,
  Shyam

  Re: OIM11g: Resource not revoked if the Identity Status is DISABLED
  XL.EvaluateMembershipForInactiveUser
  Workaround:
  You can make you of Event Handler and assign that group with APIs.

• Rule based Role membership in OIA is not pushing to OIM

  Hi All,
  Rule based Role membership in OIA is not pushing to OIM due to error as
  00:01:38,055 DEBUG [DBIAMSolution] Group Role container for JDE.JDE_BHRUSRTT found...
  00:01:38,144 ERROR [DBIAMSolution] Error Occured while adding users to role
  Thor.API.Exceptions.tcAPIException: Error occurred while find User information: USER_NOT_FOUND
  at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:234)
  at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:348)
  at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:259)
  at Thor.API.Operations.tcGroupOperationsIntf_13pobh_tcGroupOperationsIntfRemoteImpl_1035_WLStub.getAllMemberUsersx(Unknown Source)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:85)
  at $Proxy396.getAllMemberUsersx(Unknown Source)
  at Thor.API.Operations.tcGroupOperationsIntfDelegate.getAllMemberUsers(Unknown Source)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Meth
  Any one can help will be appreciate...
  Thanks
  Bikas
  Edited by: Bikas Mandal on Mar 27, 2013 6:15 AM

  Try these steps and let me know what you see:
  Login to OIA > Administration > Configuration > Workflows
  Select Role membership create workflow
  And check if you have added OIM provisioning server in the Step5 of the workflow.
  Cheers,
  Vamsi.

• OIM 11g DBAT connector - trusted reconciliation for user roles

  Hi,
  We have a database table containing a bunch of user records, and a table with a foreign key that contains all the associations user-group. We would like to do trusted reconciliation from those two tables into OIM. I already did that for target reconciliation but now I am having a look at the DBAT connector docs, and I have found this:
  "Child Table/View Names
  If you want to use the connector for trusted source reconciliation, then do not enter a
  value. If you want to use the connector for target resource reconciliation and if user data is
  spread across parent and child tables, then enter a comma-separated list of child table
  names."
  Does this mean that role membership trusted reconciliation is not supported by the DBAT connector?
  thanks in advance

  DBAT connector does not support trusted source with child data.
  But that does not mean you cannot configure user table as trusted source.
  What is it that you want to do with child table ?

• How to take a report for the assigned transaction and activity in a role

  Hi Colleagues,
  I want to take a report for the assigned transaction with activity for all roles, which are assigned to the users,
  Transaction list for a role i can able to take it from SUIM but not able to take the ACTVT for the role.
  Please suggest how to take this information.
  BR,
  Jai

  Hi Jaikumar from the post :
  I think you have reached the state of finding the USER to ROLE relationship
  Take the output to an excel,
  COPY just the roles column exactly in order do not rearrange , use AGR_1251 like other experts have mentioned
  insert the roles copied from you buffer and execute, the output will have multiple entries for each role take the output to an EXCEL again , make it unique and match the outputs between both the EXCELS.
  It will be a little tricky to do this, but I think you are proficient in MS EXCEL.
  This is one of the ways to do , there are many other ways to do it.

• Error in BI publisher report for OIM

  Hi all!
  Can u help me?
  I know that this error is quite common, but I`ve tried out all the soultions and still can`t get the result.
  I`ve installed BI publisher and attached OIM reports there. All the reports work properly except those, which have date properties. For example, Account Activity in Resource. All of them return ora-08143 error ("not a valid month").
  Let me explain situation more clear.
  There are two fields using date in the report creation menu.
  Date Range From:
  Date Range To;
  They automatically get value like "12/06/2011 05:05:05" using their default values ({$SYSDATE()$}).
  But if I use these values, I get an error.
  I`ve found two ways of solving a problem: 1.) Changing the date to something like "12/Jan/2011" manually (note, that by default month stands first, and to solve the problem I should write it second and NOT in digits). 2.) Changing the date mask in report properties to dd/MMM/yyyy.
  But it`s not the best way to solve the problem. In this case I should change these properties everythere. Or user should (and this is bad :) ). I`m sure, that these reports should work without such modifications, so, error borns on my side.
  What I`ve done:
  1.) I tried to change nls_date_format, nls_language, nls_territory, timestamp_format in database session to different formats.
  2.) I`ve tried to manage all the changes that I`ve told about above.
  3.) I`ve tried to change UI language and report locales (if it`s important, I use russian language and russian report locale). xlf files are all ok.
  What shall I do to fix this error?
  My db is: Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
  My BI publisher is: 10.1.3.4 (may be everything is bad because of version, but it doesn`t seem to be so, because every report except date reports work nice).
  Thank u very muck and looking forward for hearing from u.

  Dewan.Rajiv wrote:
  I don know what issue you are facing due to language.
  Have you tried with changing the query of the report ?Yes, I have.
  By the way, I`ve discovered, that the error appears in line:
  AND myvariablewithdate BETWEEN :p_date_DateFromRange AND :p_date_DateToRange
  If I comment such a lines in the query, everthing works OK.
  But as you understand, that`s not the point :(
  Even if i put to data forms information from sql database (just copy timestamp data), the error continues to appear.
  If i make something like that in sqldeveloper, everything is ok:
  select upa_resource.upa_res_eff_from_date from upa_resource where upa_res_eff_from_date between (select sysdate - 30 from dual) and (select sysdate from dual)
  this statement returns right values.
  So, the problem is somethere in such a chain:
  - select sysdate from dual (it`s ok)
  - put sysdate to form (does it make any type of convert?)
  - take variable (former sysdate) from form.

• How to have separate template for each role in OIM

  Hi,
  We have multiple roles on a multiple AS400 boxes. In OIM we need a separate template for each role that has to be popped up during provisioning. How do we achieve this in OIM?
  Pls help me with the solution.
  Edited by: user8963056 on May 23, 2010 7:47 PM
  Edited by: user8963056 on May 24, 2010 9:47 AM

  Thanks for the reply
  for the second question; we need on the basis of role these forrms will have different informations.
  the AS/400 guys wants the below steps to be done on OIM side
  They want to make sure below plan works with OIM plan.
  1.Per System, create templates per role.
  2.Update the AS400 User Request form to include a section for each system. Add templates for each role to each system’s section.
  3.Provide ITSA with a menu option to create profiles by selecting the template they wish to copy.
  4.Create backend programs to automate additional 400 tasks required per role.
  a.Create directory entry
  b.Add to Privilege Manager
  c.Add to Menu System
  d.Add to third party software
  e.Other as required.
  If we automate the above on the 400, in OIM , we would need to create the same templates.

• SAP Security Report for single and composite roles

  Hi
    I have a requirement to create a cutomize report in SAP Security.
  I have to display Composite roles,corresponding single roles,the tcodes assigned to those single roles and the description of t- codes. The selection screen has composite roles,single role and T-code which are optional.User can enter selection in any of the selection critreria.How should I go on this?If user gives only composite roles on the selection for e.g 'TEST'. for this role I get suppose 3 child roles 'TEST1' 'TEST2' 'TEST3' from table AGR_AGRS.Now to get the tcodes i go to table 'AR_1251' and I get the tcodes.
  But if user give only single role on the selection for eg 'TEST2' ,for this single role 'TEST2' there would be multiple composite roles.for e.g, 'TEST' 'SAP1' 'SAP2' etc..Now if go to get the tcodes for this single role in AGR_1251,I will ceatainly get the tcodes for eg MM01,FB01,etc.But then how would I know whether MM01 belongs to composite role 'TEST' SAP1' or SAP2' for the single role 'TEST2'.
  Please advise.
  Thanks
  Edited by: Julius Bussche on Aug 13, 2009 4:52 PM
  Subject title improved

  I though of seperate selection options for singles and composites, but you also said:
  > But if user give only single role on the selection for eg 'TEST2' ,for this single role 'TEST2' there would be multiple composite roles.
  My suggestion would be to build better single roles, but that is just me...
  Cheers,
  Julius

• OIM 11g support for Temporary roles with expiration date

  Dear All,
  Is there a support provided for temporary roles in OIM 11g?
  If not, what is the recommendation as for implementation?
  Kind regards
  Maria Adair

  I'm also interested if someone has any recommendation as for how to implement such a feature. Anyone has any ideas?

• Report for user with roles

  Dear all
  Please let me know how to get a report for the users created with the roles. I want the users created , roles assigned and the time stamp
  I tried a lot but could'nt get the solution for this.
  thanks and regards
  Raja

  Found the solution finally. Custom report with "*attribute changed contains role"*
  And action =create, bulkcreate, provision
  Thanks and regards

• Report for transaction - Maintain Object - Roles - user Id ( Authorisation)

  Hi
  I want to generate a report for the following:
  for a transaction
  for a check/ maintain object name ( Ist column)
  what are the roles ( iind column)
  and
  what are the user id for each roles.. (iiird column)
  and
  start up (yes / No) (ivth column)
  Please advise.
  Since, I need to do this report generation for more than 30 transactions, any immediate reply would be of great help.
  Thanks in advance.
  Partha

  Hi
  Try SUIM T-code and see if any of the report works
  Thanks

• Custom Error Report for Truested Recon in OIM 11.1.1.5

  Hi,
  We are planning to have a custom scheduled task to generate csv report for failed recon events. We have some 4 trusted recons (2 custom + 2 GTC) in our environement. Does a DB query would be sufficient to meet our requirement. If yes please suggest the tables that we need to consider. Please suggest whether it is a good practise and has any one implemented such before ?
  We cannot go far any tool like BI publisher now so any means of generating report through custom code would be helpful.
  Thanks,
  DK

  The RECON_EVENTS and OBJ table will be sufficient to know which resource object the recon event was for, and the status of the recon event.
  -Kevin