OIM-request based provisiong-into OID groups

Similar Messages

• Migrating OID groups to OIM

  We have been given the task of migrating our existing identity management systems to OIM (Oracle Identity Manager).
  Part of our existing system uses OID (Oracle Internet Directory). All users have an entry in OID. Some of our systems use OID for authentication.
  We also use OID to hold users' entitlements/privileges that control access to our applications. We use OID groups (represented by entries based on groupOfUniqueNames and orclGroup objects) to do this. For example we might have an application called 'Finance' with three levels of access represented by OID groups e.g. 'finance_enquiry', 'finance_updater', 'finance_superuser'. Those groups would all belong to a parent group called 'finance_application'. To access the application the user needs to be a member of 'finance_application' group or one of its child groups. Access to features of the application are controlled by membership of the 3 child groups. We have an application that maintains groups, group membership, and user entitlements in OID.
  As part of the migration project we want to move maintenance of groups and group membership from our own application into OIM. The above scenario seems quite basic.
  My main question is how would this be done in OIM? Do our current OID groups become OIM Groups? Do they become entries in some lookup table in OIM? Are there any case studies or other documentation that describes this kind of requirement?
  I've looked at the OIM Connector for OID documentation but it doesn't describe typical scenarios. It assumes that you know what you are doing.
  We also want to give users the ability to request entitlements, and to provide an approval process. So we could have a user who approves/rejects entitlement requests to access to the applications they control. But that's a another topic.
  Cheers,
  Eric

  PeachEye wrote:
  We have been given the task of migrating our existing identity management systems to OIM (Oracle Identity Manager).
  As part of the migration project we want to move maintenance of groups and group membership from our own application into OIM. The above > scenario seems quite basic.You're about to find out otherwise.
  >
  My main question is how would this be done in OIM? Do our current OID groups become OIM Groups? Do they become entries in some lookup table > in OIM? Are there any case studies or other documentation that describes this kind of requirement?You'll need a custom connector and lots of OIM tweaks. Your groups will stay in OID, OIM will replace the current application you use to maintain them. That's one way of doing it, no impact to OID schema is the benefit of this way, there are other ways.

• Request OID group access in OIM

  Hi All,
  I have OIM (11.1.1.5.2) and the OID Connector (9.0.4.14) installed. Is it possible for a user to request access to a specific group in OID using the OIM Self Service Console?
  Regards,
  user10233157

  Yes, This is possible. You need to create request dataset with Group details and import it to MDS.
  Sample Dataset for AD Resource is
  *<?xml version="1.0" encoding="UTF-8"?>*
  *<request-data-set xmlns="http://www.oracle.com/schema/oim/request" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.oracle.com/schema/oim/request" name="ModifyResourceAD User" entity="AD User" operation="MODIFYRESOURCE">*
  *<AttributeReference name="City" attr-ref="City" available-in-bulk="true" type="String" length="20" widget="text"/>*
  *<AttributeReference name="Pager" attr-ref="Pager" available-in-bulk="true" type="String" length="20" widget="text"/>*
  *<AttributeReference name="Group" attr-ref="UD_ADUSRC" available-in-bulk="true" type="String" length="500" widget="text">*
  *<AttributeReference name="Group Name" attr-ref="Group Name" available-in-bulk="true" type="String" length="500" widget="lookup" lookup-code="Lookup.ADReconciliation.GroupLookup" entitlement="true">*
  *</AttributeReference>*
  *</AttributeReference>*
  *</request-data-set>*
  Then in OIM Self Service console select Self Modify Provisioned Resource request type and you will see the OID Groups in the list of available groups to request.

• OIM-OID Provisioning - OID Group PrePopulate Approach :

  Hi,
  I am working on OID Connector 9.0.1.14 with OIM 11.1.1.5.
  I have reconciled all the Roles and Groups from OID to OIM and can successfully provision users to the OID along with membership to these specific Roles and Groups.
  I want to prepopulate the OID Group based on certain attribute from the OIM User form. My Approach so far is :
  1) Created an Entity Adapter with a variable : say Org and GroupName.
  2) Set the Logic as if Org = XYZ (+XYZ does exist on OIM+) set GroupName as = "OID Group 1" else set GroupName as = "OID Group 2"
  3) Attached this adapter to the "OID User Group" form on the "Data Object Manager" at the pre-insert stage.
  4) Mapped the Adapter variable as :
  a) Org Maps to "Organization Definition" with the qualifier "Organization Name"
  b) GroupName maps to the "Entity Field" with the qualifier "UD_OID_GRP_GROUP_NAME"
  However nothing seems to happen when I create/modify a user with Orgization Name as XYZ and manually Provision the OID Resource. I can see the form but nothing is populated in the Group Field. Upon completing the request, I get the user provisioned to OID but without any Group information..
  Is my approach right ? Am I missing something ?

  Here is what I have done for a client. My requirement was for a given department, a user must have a list of groups provisioned to them. So here is what i've done:
  1. Create a lookup that has Code Key = Department, Decode = CN of the groups in a delimited format.
  2. Create a provisioning task that will look at the department code from the user form, reference the lookup and find the decode values. Split them based on a delimiter. Then using each value, lookup the code key value from the real lookup that contains the full distinguished name of the group in the OID Group lookup. I even appened the IT Resource Key and ~ so that my search would be Decode or Code = "IT Resource Name~CN=<CN VALUE>%". This would return only the single group code key value. And then i add it to the child table. Repeat this for all the values in the delimited field.
  3. Create a provisioning task that removes the values from the child table based on the delimited value. You'll need to search through the existing child table values.
  Once you have the 2 tasks, you'll want to add a value to the your Lookup.USR_PROCESS_TRIGGERS that is your group determining field. Create your task name in this lookup. On your provisioning workflow, for the Adding of the groups task, make this unconditional, and have a preceding task of the Create User. Give it the name from your Lookup.USR_PROCESS_TRIGGERS and append " - Add Groups" to the task name. Create another task called the same, but append " - Delete Groups" to the task name. On the Add Groups task, make the preceding task the Delete groups. When you map your inputs to the adapters, on the delete, select the old value check box from the User Form so that you get the old value. Now, when the value changes on the user form, it will first remove the old groups, then add the new ones. All this will be done using the child table APIs, so that the existing Insert and Delete task triggers for your child table will run.
  -Kevin

• How to Configure OIM 9.1 for Request-Based Provisioning

  Hi experts,
  I am new to OIM and need to know how to configure request based provisioning. Here is the scenario.
  My environment has two target systems (Sun LDAP and Novell EDirectory) configured for provisioning to OIM 9.1
  A user should be able to login, request either or both (SUN LDAP and EDir) for self or others.
  Now the request should go to an admin for approval.
  Once approved, the requested accounts should be created on the target systems.
  Please guide me on the procedure to be followed.
  Many thanks in advance

  You will have to download the standard out of box connector for these target systems & will have to import it through the Deployment manager into OIM. Then you will have to create the Process definition of approval type & attach it to the same resource object. Please read the belo link before implementing any thing. This will provide you a better idea.
  http://download.oracle.com/docs/cd/E10391_01/doc.910/e10363.pdf

• OIM-OID Connector: OID Group Recon Task and organizations

  Hi,
  I'm evaluating OIM and its OID Connector.
  We have groups in our existing OID. We thought that we could use the OID Connector OID Group Recon Task to import those groups into OIM and make them Groups in OIM.
  However, when we run the task, it appears to import our groups from OID as organizations, not as groups. It's not clear to me from the OID Connector documentation what exactly the OID Group Recon task is supposed to do. That's why we assumed it was an OOTB method for reconciling OID groups into OIM groups.
  What are we doing wrong? Why do we end up with our OID Groups becoming OIM Organizations after running the task?
  We are using version 9.4.11 of the OID Connector.
  Also, a side issue: how can we delete unwanted organizations from OIM? There's a delete option but it just seems to mark the organizations as deleted but they are still there.
  Thanks
  Eric
  Edited by: PeachEye on 17/03/2010 11:49

  Hi,
  I am also facing the similar issue. I want to reconcile OID groups into OIM User Groups menu item. Please suggest how to proceed.
  I ran the schedule task- OID Group Recon Task, but it throws error-
  ERROR,12 Mar 2010 09:16:44,265,[XL_INTG.OID],OID:tcTskOIDGrouporRoleReconTask:pe
  rformReconciliation():com.thortech.xl.integration.OID.util.tcUtilLDAPOperations:
  NamingException :Unable to search LDAP. Check the following values and try agai
  n: Base Search detail: cn=abc,ou=Q System1,dc=xoserve-apps,dc=com, filter expres
  sion is (&(objectClass=groupOfUniqueNames)(modifytimestamp>=19000101010001Z)), A
  ttributes : DN, modifytimestamp, Organization Name, orclguid, cn,]
  ERROR,12 Mar 2010 09:16:44,281,[XL_INTG.OID],===================================
  I want to bring OID groups into OIM so that I can manager those OID groups from OIM. Is there any other way to so this? I have to make changes in the OID object class or in the OID field mappings? I have not done any changes in Lookup OID configuration or LookUp Field map parameters.
  Please help.

• OIM-OID! provisioning users to OID groups-QUICK HELP NEEDED

  hi,
  I've installed OIM connected to OID.
  I've been assign some tasks:
  1) Creating access policy such that when a user is created in OIM, he is provisioned to two groups in OID.... ie. in cn=users and cn=employees (where cn=employess is the group i create under cn=Groups,dc=ad,dc=company,dc=com)
  2)Creating an access policy such that when a user is created in OIM, he is provisioned to two additional groups in OID, say I've created two custom groups in OIM and attached membership rules to them. Now when i create a user satisfying the two membership rule,he is assigned to those two OIM groups and provisioned to cn=users,dc=ad,dc=company,dc=com and cn=group1,cn=Groups,dc=ad,dc=company,dc=com and cn=group2,dc=ad,dc=company,dc=com.
  Also i want to populate those OID groups into a child table and create their lookups in Process form
  Please help me materialise and understand these concepts.
  The OID Lookup Recon task for group is running fine, lookup.oid.group is populated with values.
  how those groups can be populated in process form child table(OID user group table).
  Edited by: Chhavi Saluja on Feb 12, 2010 12:51 AM

  As mentioned in my other post you can put these groups in access policy form and all the users assigned by this policy will get these groups. Any issue revert back.

• Users not provisioned from OIM to OID groups

  I've created an Access policy such that when i create a user with role as consultant he is automatically provisioned to OID resource and OID group( cn=group1,cn=groups,dc=ad,dc=company,dc=com ).
  The user is provisioned to OID users(cn=users) but not to cn=group1,cn=group....
  What could be wrong?
  i have run the OID group lookup tasks to generate freshly added group lookups. Theses lookups are populated in process form when i create an access policy.
  For ex the lookup generated is cn=group1,cn=group,dc=ad,dc=company,dc=com and the decode value is group1
  The user profile and process form are not linked. That means changes in process form are not reflected to user profile. Can this be possible reason for the hassle defined above
  please help me resolve this issue.
  Edited by: Chhavi Saluja on Feb 15, 2010 1:30 AM

  Hi,
  Today I have also done the same thing of auto provisioning of OID through access policy. Only difference is that for selecting "Container DN" and "User group" we have created two user defined fields(lookup)in the user form which will refer to the lookups "Lookup.OID.Organization" and "Lookup.OID.Group" for inputs.These lookups are already reconciled once from OID.
  As far as "container DN" iam successful but while selecting "user group" iam able to select and when i click on "create user" user is getting provisioned to OID into Container DN i specified.But user is not going into that particular group i specified.Iam assuming the reason is that as User Group is a mutivalued attribute and if we observe the process form of group selection we will see the add button. But on user form we dont have the option of child form to ADD/REMOVE the groups.
  Someone pls suggest how to proceed further on this.How do i push the user into particular group/groups from the create user form itself?

• DIP fails loading dynamic groups into OID

  Hello,
  we're trying to load groups from OeBS into OID and associate them via dynamic groups feature with user records that was loaded earlier as follows:
  personid=18630,cn=dev,cn=hrsyncusers,cn=users,dc=ic,dc=lan
  orcltimezone=Asia/Yekaterinburg
  displayname=NOT ASCII
  employeetype=NOT ASCII
  givenname=NOT ASCII
  postalcode=628484
  orcldateofbirth=19610404000000
  orclgender=F
  departmentnumber=342
  uid=18630
  mail=HRNULL
  cn=NOT ASCII
  initials=NOT ASCII
  street=NOT ASCII
  employeenumber=4824
  middlename=NOT ASCII
  l=NOT ASCII
  orclhiredate=20051107000000
  sn=NOT ASCII
  personid=18630
  c=Russia
  title=NOT ASCII
  objectclass=inetorgperson
  objectclass=person
  objectclass=organizationalperson
  objectclass=orcluserv2
  objectclass=kapitalperson
  objectclass=country
  objectclass=residentialperson
  objectclass=locality
  objectclass=top
  Among other attributes each user entity has 'departmentNumber' that indicates number of his/her department.
  Now trying to load list of departments as dynamic groups with the following config
  files:
  *** DevHRAgentGroups.cfg ***
  [SELECT]
  SELECT psv.version_number
  , pos.name hierarchyname
  , hou.organization_id depno
  , poe.organization_id_parent parent_id
  , REPLACE(hou2.name, '"') parentname
  , poe.organization_id_child child_id
  , REPLACE(hou.name, '"') orgname
  , ldap://idm01.ic.lan:389/cn=DEV,cn=HRSyncUsers,cn=Users,dc=ic,dc=lan??sub?(depar
  tmentnumber='||hou.organization_id||')' ldapuri
  , hrl.meaning org_type
  FROM per_organization_structures pos
  , per_org_structure_versions psv
  , per_org_structure_elements poe
  , hr_all_organization_units hou
  , hr_all_organization_units hou2
  , hr_lookups hrl
  WHERE pos.business_group_id = psv.business_group_id
  AND pos.organization_structure_id = psv.organization_structure_id
  AND pos.primary_structure_flag = 'Y'
  AND psv.date_to IS NULL
  AND poe.org_structure_version_id = psv.org_structure_version_id
  AND poe.business_group_id = hou.business_group_id
  AND poe.organization_id_child = hou.organization_id
  AND poe.business_group_id = hou2.business_group_id
  AND poe.organization_id_parent = hou2.organization_id
  AND hrl.lookup_code = hou.type
  AND hrl.enabled_flag = 'Y'
  AND hrl.lookup_type = 'ORG_TYPE'
  AND hrl.lookup_code NOT IN (30,40)
  AND TRUNC(SYSDATE) BETWEEN hou.date_from AND NVL(hou.date_to, TO_DATE('31.12.4712','dd.mm.yyyy'))
  AND hou.last_update_date >= to_date(:BINDVAR,'YYYYMMDDHH24MISS')
  *** DevHRAgentGroups.map ***
  DomainRules
  NONLDAP:cn=DEV,cn=HRSyncGroups,cn=Groups,dc=ic,dc=lan:departmentID=%,cn=DEV,cn=HRSyncGroups,cn=Groups,dc=ic,dc=lan
  AttributeRules
  orgname:1: : :cn: :groupOfUniqueNames
  depno:1: : :departmentID: :kapitalDepartment
  ldapuri: : : :labeledURI: :orclDynamicGroup
  We're getting the following error in ?/ldap/odi/log/DevHRAgentGroups.trc during HRAgent execution at mapping phase:
  Normalized DN : departmentid=82,cn=dev,cn=hrsyncgroups,cn=groups,dc=ic,dc=lan
  Changetype is 5
  Processing modifyRadd Operation ..
  Entry Not Found. Converting to an ADD op..
  Processing Insert Operation ..
  Performing createEntry..
  Exception creating Entry : javax.naming.NamingException: [LDAP: error code 1 - Dynamic group cache update failed.]; remaining name 'departmentid=82,cn=dev,cn=
  hrsyncgroups,cn=groups,dc=ic,dc=lan'
  [LDAP: error code 1 - Dynamic group cache update failed.]
  javax.naming.NamingException: [LDAP: error code 1 - Dynamic group cache update failed.]; remaining name 'departmentid=82,cn=dev,cn=hrsyncgroups,cn=groups,dc=i
  c,dc=lan'
  at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3028)
  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
  at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2740)
  at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:777)
  at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:319)
  at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:248)
  at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:236)
  at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:176)
  at oracle.ldap.odip.gsi.LDAPWriter.createEntry(LDAPWriter.java:1162)
  at oracle.ldap.odip.gsi.LDAPWriter.insert(LDAPWriter.java:425)
  at oracle.ldap.odip.gsi.LDAPWriter.modifyRadd(LDAPWriter.java:822)
  at oracle.ldap.odip.gsi.LDAPWriter.writeChanges(LDAPWriter.java:349)
  at oracle.ldap.odip.engine.AgentThread.mapExecute(AgentThread.java:655)
  at oracle.ldap.odip.engine.AgentThread.execMapping(AgentThread.java:376)
  at oracle.ldap.odip.engine.AgentThread.run(AgentThread.java:237)
  DIP_LDAPWRITER_ERROR_CREATE
  Error in executing mapping DIP_LDAPWRITER_ERROR_CREATE
  DIP_LDAPWRITER_ERROR_CREATE
  Please, note. Loading is successful if we commenting out mapping line for labeledURI attribute (that's loading static groups).
  Loading is also successful when labeledURI is mapped to
  'ldap://idm01.ic.lan:389/cn=DEV,cn=HRSyncUsers,cn=Users,dc=ic,dc=lan??sub?(objec
  tclass=person)' but this definetly is not what we are going to get.
  I don't have ideas what's wrong for example with the following generated 'labeledURI' attribute:
  ldap://idm01.ic.lan:389/cn=DEV,cn=HRSyncUsers,cn=Users,dc=ic,dc=lan??sub?(departmentnumber=82)
  Any help is appreciated
  Thanks,
  Edward

  Hi Frank,
  there is something wrong with departmentnumber attribute of user records. Searching users with ldapsearch using "departmentnumber=*" filter fails with the following error:
  ldap_search: DSA is unwilling to perform
  ldap_search: additional info: Function Not Implemented
  I think this is probably the cause of failing creation of dynamic groups.
  Searching on other user attributes (cn, uid, employyenumber) works fine.
  Still don't understand what's wrong with this particular attribute.

• OVD/OID group reconciliation in OIM 11g with LDAP sync

  Hi All!
  Is it possible to reconcile OID groups to OIM using LDAP sync? How to achieve such configuration?
  I have OIM with LDAP sync and user and roles provisining to OVD is working.
  best
  mp

  Hi,
  I want to Integrate OIM and OID. Can you guide me in doing so?. The platform I will use is Windows 2003 Server, OIM version is 9.1. Also please tell me which version of OID i should use.
  Note: I am new to OID and OIM.
  Thanks in advance.
  Regards,
  Kazmi

• Create OID Group through OIM

  HI ,
  i have a requirement which is when i create a Group in OIM , then the OID will create a corresonding Group as well , i run out of my idea of how to do it , can anyone give some guides on this
  thx in advance
  Edited by: crazyJew on 1/07/2010 22:44

  Yes you need to provide an organization key to the group provisioning api - tcOrganizationOperationsIntf -> provisionObject.
  One you provision the resource OID Group you can get the process instance key and set the data in process form using tcFormInstanceOperationsIntf ->setProcessFormData. setProcessFormData takes the data which needs to be set for the OID group.
  Hope the helps,
  Sagar

• Request based Revoke process in OIM 11g R2 PS1 ?

  Hi All,
       In our scenario , we are looking for Request based Revoke process in OIM 11gR2 PS1. In OIM 10g,we have Delete User Access flow seperatly where end user can request for revoking access of user from resource. In OIM 11gR2PS1 we have catalog based request process to request access for Roles, Application Instance and Entitlements.Same way it is possible to have request based revoke access in OIM 11gR2 PS1 where we can request for revoking access for Roles,Entitlements, Application instance , send notification and follow approval process for the same.
  Thanks,
  RPB

  Any helpful pointer on this ?

• Unable to configure Request based provisioning in OIM 9.1.0.1

  Hi,
  I have been trying to configure request based provisioning wherein Admin can request to provision a resource for a certain user. I have checked on the Auto Prepopulate and Auto Save options in the Process Definition. The problem which I am facing is that if I uncheck the Auto save option, admin's request is completed properly and an Approval request is generated. If the admin approves it, the resource status is set to Provisioning. Inside the resource object, there's only one task System Validation with status completed. The process form is empty if I view it. But if i go to edit i can see the fields being populated. After saving the form, i can see the data in the "View" option too. After this, I am able to add a task "Create User" and provision the user to Active Directory.
  But if i check the Auto Save option in the Process definition, the request is completed but no approval task is generated. There is nothing in the User's resource profile as well.
  What could be the reason for this and what could be a probable solution in such a scenario? I seek all your help in order to resolve this issue.

  I have configured the approval tasks and the provisioning is working fine. The error which i am facing now is with 2nd level approver. I want the first level approver to be the requestor's manager, which is working fine. But when i am trying to fetch the Manager details of the requestor's manager (Requestor->Manager-> Manager), I am facing the below error.
  Running GETSECONDLEVELAPPROVERTYPEUSER
  2012-10-31 13:20:28,956 INFO [STDOUT] Target Class = com.pldt.adapter.ad.TaskAssignment
  2012-10-31 13:20:28,957 INFO [STDOUT] Running GETSECONDLEVELAPPROVERKEY
  2012-10-31 13:20:28,957 INFO [STDOUT] Target Class = com.pldt.adapter.ad.TaskAssignment
  2012-10-31 13:20:28,957 INFO [STDOUT] ***************************Inside getSecondLevelApprover***************
  2012-10-31 13:20:28,974 INFO [STDOUT] **************************usrKey**********1
  2012-10-31 13:20:29,039 INFO [STDOUT] *****************ResultSet1***********Thor.API.tcMetaDataSet@5b895cb9
  2012-10-31 13:20:29,080 INFO [STDOUT] *****************ResultSet2***********Thor.API.tcMetaDataSet@68d6c6eb
  2012-10-31 13:20:29,080 ERROR [STDERR] java.lang.ClassCastException: java.lang.Long cannot be cast to java.lang.String
  2012-10-31 13:20:29,081 ERROR [STDERR]      at com.thortech.xl.adapterfactory.events.tcAdpEvent.setKeyValue(Unknown Source)
  2012-10-31 13:20:29,081 ERROR [STDERR]      at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpGETSECONDLEVELAPPROVER.implementation(adpGETSECONDLEVELAPPROVER.java:56)
  2012-10-31 13:20:29,081 ERROR [STDERR]      at com.thortech.xl.client.events.tcBaseEvent.run(Unknown Source)
  2012-10-31 13:20:29,081 ERROR [STDERR]      at com.thortech.xl.dataobj.tcDataObj.runEvent(Unknown Source)
  2012-10-31 13:20:29,081 ERROR [STDERR]      at com.thortech.xl.dataobj.tcScheduleItem.handleTaskAssignPostInsert(Unknown Source)
  2012-10-31 13:20:29,081 ERROR [STDERR]      at com.thortech.xl.dataobj.tcScheduleItem.eventPostInsert(Unknown Source)
  2012-10-31 13:20:29,082 ERROR [STDERR]      at com.thortech.xl.dataobj.tcDataObj.insert(Unknown Source)
  I am passing the user key of the manager to fetch his manager's data. Please suggest a resolution for this.

• Auto creation of child requests when parent request has more than one group

  Hi,
  I have created a request dataset which has a child form for AD Group. While raising a request, if I add more than one group, how to process the approval flow. Because I will be having different different approvers for different different groups. Is there any way to create child requests automatically when we submit a request with more than one group? I am using OIM 11.1.1.5.0.
  I know in OIM 11g, whenever user raises request for more than one beneficiary/target-resource then OIM breaks that request into Child Requests. But this is not happening when I add more than one group in the same resource. Do I need to write my own code for DataValidator to split parent request into child requests upon validating child form? If so, is it going to impact the existing feature which is creating child request when parent has more than one user/resource.
  Please let me know.

  No not possible OOTB in current version. Check {thread:id=2318652} for more information.
  -Bikash

• How can I get approver of a request in request based provisioning

  How can I get the approver of a request in Request Based Provisioning if the request is assigned to a group of user.
  I need to get the actual approver (the one who logged in and approved amongst the approver group ) while the provisioning process gets executed.
  Also,
  as provisioning is triggered , can i put some value into a feild of the obj/process form.
  Thanks

  You can see the OSI table..
  Also you can see Request History API.