OIM - Suspend user based on criteria

I want to disable a user based on some configured criteria (say, one of the profile attribute values changes to false).
Say one of the attributes of a user changes and, due to this change, the user should be disabled from accessing any of the resources, or maybe only one of the resources which he is provisioned to.
Does anyone have any idea how this can be achieved?

This could be accomplished through access policies and denying access based on group membership to certain resources.
You could possibly create a process update trigger for that field on the Xellerate User process that when that field is modified, it checks the new value of the field to see if it matches your ruleset to be disabled for, and then update the USR_STATUS to be Inactive/Disabled (whichever is the value when disabled) which might in turn trigger the disable action against all their other resources.
Without testing, this is just an idea that might work.
-Kevin

Similar Messages

  • Expire OIM User based on End Date

    This is a query on expiring an OIM User based on end date.
    Does OIM need any configuration for it to expire the user based upon end date?
    The start date seems to work well as expected but the end date doesn't.
    Even after the end date has arrived the OIM User is not being expired. He is still able
    to login into OIM without any issues.
    Thank you

    There's a scheduler task that has to be run to check the date and deactivate the users.

  • OIM - Email notification to a specific user based on a dynamic rule

    Hello, After creation of account in a particular target resource I need to send an email to a specific user based on the location of the user (e.g area admin).
    In the notification tab of process tasks, I see only "Assignee", "Requestor", "User", "User Manager". How can I achieve the above specified requirement?
    Before posting this question, I tried to search the forum for any previous posts related to this. But I couldn't find any. Maybe I was not searching with the right keywords.
    Any help is appreciated. Thanks in advance.

    You'll need to custom code an adapter to send the email, then you can send to any user you want. Create a new task and trigger it off the completion response code. You can use the following apis:
    tcEmailNotificationUtil sendMail = new tcEmailNotificationUtil(ioDatabase);
    sendMail.setBody("Type your body here or use a string variable");
    sendMail.setSubject("Type your subject here or use a string variable");
    sendMail.setFromAddress("[email protected]");
    sendMail.sendEmail("[email protected]");
    Just populate the above pieces with the information needed.
    -Kevin

  • Automatically Assign to user based on email

    Hi Guys
    One of our IT managers would like to be able to have service requests automatically assigned to members of his team based on emails he sends.
    At the moment we have an exchange connector set up that logs Service Requests for his team, and assigns it to their support group. I'm trying to figure out the best way to further refine it to then assign it to a support person based on some criteria
    within the email itself. The way I figure it, I'll need to do it via Orchestrator.
    I'm thinking something like:
    Email generated Service Request triggers a runbook, that either pulls the email attachment out of the SR and then does (something) to resolve the AD User from the CC field and assigns it to that person. Then he can just CC the team member and it will assign
    it. The hard bit is figuring out how to resolve an AD user from a field in a *.eml file. 
    or
    He types the AD name of the user on say line 1 of the email, then orchestrator reads that line and looks up the AD user based on that. Seems easy enough but then he will need to make sure he uses either the absolutely correct spelling of their name, or type
    their SAMAccountName out. 
    By email CC field is the more user friendly option but I have no idea if that's even possible.
    Does anyone have any thoughts about how to go about this?
    Cheers

    OK so he has changed his request now after I spoke to him.
    He now wants any emailed service request to be automatically assigned to the sender.
    So basically I need to create a runbook to set the Assigned To user to be the same as the Affected User.
    Sounded easy enough, but the "assigned to" field is not present in the orchestrator update object action. I think this is now a question for the Orchestrator forum so I'll mark this off and start a new thread there.
    Thanks.

  • OIM as user management

    Hi All,
    I am using OIM as user management for managing target systems AD and Oracle database.
    I have some common fields like email and telephone number for both the accounts of AD and database.
    When I get a request for creating account in AD (with set of attributes which include email and telephone number) in the form of feed, first I need to find out if already user is present in OIM with the given email and telephone number that present in given feed, if exist I just need to go and create account in AD if not I need to first create a user then provision that user to AD.
    Can any one explain how to achieve this in OIM and I need all this to be performing automatically, I will get account creation request in the form of feed.
    Regards,
    Poorna

    You have written
    When I get a request for creating account in AD (with set of attributes which include email and telephone number) in the form of feed, first I need to find out if already user is present in OIM with the given email and telephone number that present in given feed, if exist I just need to go and create account in AD if not I need to first create a user then provision that user to AD.
    I have confusion in your requirement.
    From where you are getting request for AD. And if it doesn't present in OIM then you'll have to first create that user in OIM then provision to AD.
    Just create an entity adapter and attach it to the User Form, which will validate whether any user with the given email and number is already present in the USR table or not. If not, then it will create the user in OIM; otherwise it will throw an error.
    And you can create one group and move that user into that group using some rule related to your requirement and put an access policy on that group.
    Otherwise you can put the access policy on the All Users group too if it doesn't affect your other functionality.
    Re: Auto provision based on rule

  • User based uninstall collections - Dynamic

    Hi Guys,
    I have been looking for sometime at how User based uninstalls are done and I see that mostly people do an Exclude on the collection and deploy an uninstall to basically everyone who DOESNT have the application deployed to them. The issue with this is
    if you have a high number of apps (500 lets say) you deploy 400 either uninstall or install deployments to everyone which dramatically slows down deployment of apps on new machines etc.
    With APP-V the queries are fairly straight forward and we have dynamically changing uninstall collections that only show users that have the app for them in a compliant state on a workstation in the estate, when they are fully unpublished they drop
    out of the collection based on compliance state.
    I am trying to achieve the same method for uninstall collections where physical installs are used. Unfortunately there isn't a class like the APP-V AppClientState for Physical apps, or from what I can see at least and just wanted to see if anyone had
    achieved uninstall collection for physical apps in a more dynamic way than doing Include/Exclude on the collections which I see as very static and uneconomical.
    Many thanks,
    Adam

    Hi Hican, Torsten,
    Thanks both for your replies. Below is the query I have used. I'll just be clear that this may not suit a lot of environments because of users moving around etc.
    select SMS_R_USER.ResourceID, SMS_R_USER.ResourceType, SMS_R_USER.Name,
           SMS_R_USER.UniqueUserName, SMS_R_USER.WindowsNTDomain
    from SMS_R_User
    where uniqueusername in (
        select distinct SMS_G_System_SYSTEM_CONSOLE_USAGE.TopConsoleUser
        from SMS_G_System_ADD_REMOVE_PROGRAMS
        INNER JOIN SMS_G_System_SYSTEM_CONSOLE_USAGE
            ON SMS_G_System_SYSTEM_CONSOLE_USAGE.ResourceID = SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID
        WHERE SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = '<ARP DISPLAYNAME>'
          and TopConsoleUser not in (Select SMSID From SMS_CM_RES_COLL_XXXXXXX))
    This query basically finds all workstations with a specific Display name in ARP, it then looks at the topconsoleuser in the SystemConsoleUsage class for that workstation. The User resource is then pulled back based on that username and the uninstall is deployed
    to the user alongside the install.
    When the machine tied to that user no longer has that software installed the user drops out of the collection. I have these collections scheduled to do an update overnight at random intervals.
    You will note at the end I use a "NOT IN" clause so I can exclude specific accounts from being included in the uninstall collections. The reason for this is we have a couple of service accounts that get used heavily in various places
    and end up getting registered as the top console user in some instances. This is put in as a safeguard.
    The only bit in the query that changes is the <DisplayName> section, which is what gets added in ARP.
    SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName = '<ARP DISPLAYNAME>'
    Again you need to be careful here as a program may have the same display name as another if it hasn't been versioned correctly. In this case it may be better to use another attribute such as Product GUID.
    Lastly if you choose to have an exclude collection like myself the collection Class will also need amending:
    and TopConsoleUser not in (Select SMSID From SMS_CM_RES_COLL_XXXXXXX)
    Someone may say there is an issue with doing it this way. Obviously if users roam a lot you could end up stripping software off people's machines, which is why I say it may not suit some environments, but this goes quite well where we are.
    Some users may also not show if they are not yet registered as the TopConsoleUser of their workstation, as this is a 3 month calculation (if I remember rightly). If this is being put in with a new not yet deployed app it looks clean from a returned list
    of users standpoint. If however you have an estate where applications have never been uninstalled and workstations have changed hands, initially you will see a lot of users in the uninstall collections which weren't in the install. These applications will uninstall
    for them and they will drop out of the collections.
    Hican, like I said, adding the software metering part in to the above query could prove even more economical as the uninstall deployment wouldn't actually be deployed if the software was active. If I get a chance I will look at this.
    Hopefully the above makes sense. Obviously this is just my take on how to do some uninstall collections and if someone decides to try it they are doing so at their own risk. Retrofitting uninstalls is painful and risky.
    Thanks,
    Adam

  • Assign Task to a specific user based on the value of DDL from the form

    Hello,
    Can any one please advise me on how to assign a task to a specific user based on the value of the drop down list from the form. E.g. user fills the form and before they submit the form they have to select one of the name from the drop down list so the form can go to that person for approval.
    Thanks in advance,
    Han

    I got it working now by using the XPath expression (in Workbench) to assign to the selected user from the DDL in the form.

  • In search of end user based forums

    in search of end user based forums
    Any one know of SAP website for (expert) end user Q/A   ?
    Development is fun and all, but when I need A break from the 011001101000100110100 where do I go?

    Interesting question.
    You could try the forum or even Scripting Languages [original link is broken] here on SDN to get closer to the front end, but I guess the "expert level" would need to be quite advanced before an end user spends more than just a careless mouse-click there.
    Otherwise there is the SAP Design Guild (http://www.sapdesignguild.org) which has a lot of interesting things about the UI. However they closed their forums because of spam, and now point to . Downside: Not much action going on. Upside: You could become top contributor and win a free entry to SDN Community Day with just one post.
    Another option worth taking a look through is the BPX category [original link is broken] where you might find some .ppt programmers hanging out.
    Cheers,
    Julius

  • Shared Calendars / Room Lists and automatically forcing them to users based on Security Group Membership

    Good morning all,
    I need some help achieving the following in our Exchange 2013 Environment.  First off, we have Exchange 2013, but all our clients have Outlook 2010.
    Here's what I would like to be able to do:
    1) create/manage public calendars / rooms in exchange 2013
    2) force these shared public calendars / rooms to users' calendars who are members of particular security groups
    3) give edit permissions / "booking" permissions for the shared calendars so select users are able to make changes to the shared calendars, as well as accept/deny requests to "book" shared room calendars
    Any one got any resources they can give to point me in the right direction?
    I have already created two mailbox room resources, and have them set up in a room list in AD.  But need to know the above as far as creating a shared calendar for events, and forcing these calendars / room lists out to users based on security group
    membership.
    I don't want my users to have to know how to add a shared calendar...that would be a nightmare explaining.  I just want it to show up.
    Any help on this is greatly appreciated, thank you!

    1) I recommend using Room Mailboxes for resource calendars because it just works better.
    2) This is a standard feature of a Room Mailbox.
    3) You're pretty specific here, but I think this is also more or less available with a Room Mailbox combined with folder rights.
    I don't know any way to just make them "show up".  You'll have to teach them.  Well written instructions can work wonders.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

  • How to do data level security on users based on region

    Hello guys
    I currently have created a report with dashboard prompt on column "state" with a default value "CA"
    Now, the requirement is to perform data level security on this report, so different users based out of different states will log in to the dashboard and this prompt will change its default value accordingly, so the user will have the report prompted on only the user's home state, and users can't see other states' data.
    I have thought of creating session variables to achieve the same, but how should I set up the initialization string?
    Do I need to create a new table called "user table" that stores username/password and state columns and make that user table join to the fact table in the db?
    If so, how should I configure the session value so that users get filtered data based on their state location?
    Please provide guidance
    Thanks

    Here’s an idea off the top of my head (untested):
    First, set up your security constraints normally using Manage…Security in the Administration Tool, so that each user can only see his/her state. Refer to the previous responses to this post for guidelines.
    Then, in your dashboard prompt, for the “Default Value”, write a tiny bit of logical SQL to query the “state” column from the presentation layer. If your security constraints are properly in place, the SQL should only return one value.
    To get an idea of what the logical SQL should look like, select “All Values” as the default value, then switch it to ‘SQL Results’. That will show you the basic format of the logical SQL. It’s really just normal SQL (select <this> from <that> where <the other>), but referring to presentation layer objects rather than to physical tables and columns.
    Untested. Please reply back and let us know how it goes.

  • Select records based on criteria and update those records once read

    hi,
    I am very new to bpel and DB adapters.
    I have a requirement where in I need to query two tables to fetch some records and update these selected records with a new value for field to indicate that bpel has processed these records.
    Once I select these I need the output to be mapped to the output variable.
    I am able to select the records based on criteria, but how will I lock these records so that they do not get processed again? This should be a very simple use case, just that I am not aware of it.
    Thanks,
    Robin

    Once you have finished reading the records, fire an update query: update some field in the table so that it does not get picked up next time.
    If you are using polling for picking up the records, then use the logical delete scenario; refer to http://docs.oracle.com/cd/E15523_01/integration.1111/e10231/adptr_db.htm#BABEEBIH

  • User Based Security in Power BI (Power Pivot / Power View)

    I am looking for a way to implement user-based security (restricting data based on user access needs) for my Power BI reports. Is there any way to implement this kind of security? We have this support in a traditional OLAP cube by creating roles and managing them
    at different dimensional data.
    Any help would be highly appreciated.

    Hello,
    You want to implement this functionality using the Power BI Preview or using the Power BI reports integrated in an application?
    Hugs!
    Bruno Destro
    Programming tips in .NET, C# and SQL - http://smcode.com.br/blog.aspx

  • While Filling-up setup tables how to lock users & Suspend user

    Hi Friends & Experts,
    I am going to run set-up tables in my BI Production servers application-wise, for example SD, MM, PP, QM, & Inventory.
    So I want to tell the client to kindly lock users & suspend users to stop document postings.
    How do I tell clients about this situation? Please suggest on this.
    Siri

    Hi Friends thank you for your quick response...
    Are there any particular T.Codes application-wise, e.g. PP, MM, SD, QM, Inventory, to lock instead of locking SM01?
    Because if we lock SM01 all T.codes are going to lock. I think it's not advisable.
    Please suggest to me as soon as possible.
    Siri

  • User based authorization to create Purchase Orders out of Purchase Req.?

    Hello,
    I have the following requirement for my client:
    User based authorization to create Purchase Orders out of Purchase Req.?
    I am told the same can be achieved using the same standard menu path in IMG/Customizing.
    Please advise with the menu path and details. Useful answers will be rewarded.
    Thanks

    Using OMET Function Authorization, you can restrict users to create Purchase orders without Purchase Reqn.
    Using the OMET trxn code, create one Function Authorization called pr, and in the General Parameters tab select the Field Selection, and in the Possible reference Objects tab mark the With ref to Prs check box and save.
    Next, you've got to associate via SU01.
    Click Parameters, insert a new parameter id EFB to the authorization code.
    Type in the Parameters value you want, e.g. XX.
    You have to assign the control for ALL the SAP buyers via their SAP user ids.
    Log off and log in again. Then try to create a Purchase Order without a reference.
    From next time, whenever you try to create without referring to a PR, it will not allow you to save the PO.
    Regards,
    Ashok

  • So Can I determine the business partners linked to user based on the assigned role and org. structure?

    Hello, I am working on a SAP CRM 7 Sales implementation and we are implementing leads and opportunity scenarios. The current business organization model is that there multiple vertical and horizontal departments. This is typical matrix structure. This organization has done the segregation of its clients based on the verticals so every clients belongs to at least one or more Vertical department but Horizontal departments can contact all the clients. In the same way sales executives are also either belonging to one or more Verticals or Horizontal departments? Horizontal sales executive can create leads for any clients available in the system but a Vertical sales executive can only create lead only for the client belongs to his vertical and assigned to him. This can be achieved by creating organization structure and business partner relationship.
    Now the problem statement is that few sales executives need work for both some Verticals and Horizontals at the same time. But requirement is that they should be able to do the both roles with single user id but multiple roles. So when sales executive is creating leads his vertical department, he should only be able to select clients assigned to his Vertical only but when he is creating lead for Horizontal department, he should be able to select any clients.
    So Can I determine the business partners linked to user based on the assigned role and org. structure?
    Please let me know if this is not clear also  note we are only using CRM WebUI no SAP ePortal.
    Thanks a lot your help in advance.
    Regards
    Sudesh Sharma

    Thanks, Tahir
    my problem has solved
    Kind Regards,
    Faisal
