OIM to Multiple OIM

Hi Experts
I have a question related to use of SPML for OIM - OIM integration as mentioned in this documentation :-
http://download.oracle.com/docs/cd/E10391_01/doc.910/e10360/appa_oim.htm
Can we employ SPML for reconciliation / provisioning from one OIM to n OIM instances?
Regards

hi Rajiv
this means that we can achieve provisioning from 1 to n instances?
let me elaborate the requirement. we have geographically distributed locations of our client, the client has already established a domain through a directory service and is currently managing users through domain controllers at all locations.
there is one hub site and n other sites.
the users for each location are segregated by OU. At each location, the domain controller administrator can edit the profile of users of their respective OUs. they can also create new users/groups in their OUs.
all this information is synced through replication across domain.
now they would like to shift to OIM for all user management processes.
one model is to have OIM deployed at hub and all user managers at n locations access central OIM and the changes are propagated through directory service replication.
however, the client requires distributed access so that in time of loss of connectivity between hub and a site, the site user manager is able to manage users of his location. once the connectivity is restored, the site syncs with the hub.
can you suggest any design for this scenario?
regards

Similar Messages

  • How to provision multiple AD Accounts to a single User Profile in OIM

    Hi,
    We are using OIM 11g R2. We have implemented AD Provisioning/Reconciliation using Active Directory 11g Connector.
    The correlation rule for linking AD accounts with OIM during target recon is set as “Email ID”
    We have some business requirement where we want to provision multiple AD Accounts to a single User Profile in OIM.
    Issue we are facing:
    Suppose we have USERID1 in OIM which has email id as USERID1@ XYZ.COM .
    After that we have provisioned sAMAccountName=USERID1 (Email ID as USERID1@ XYZ.COM )& sAMAccountName=USERID2 (Email ID as [email protected]) to the user User Login = USERID1 in OIM.
    Both the AD User accounts can be seen as provisioned.
    After we run the AD Target Recon, the target recon is failing because of “Multiple Process Matches Found” issue.
    Question here is:
    Is it possible to maintain/manage multiple AD Accounts (Same AD is used for all the multiple AD Accounts) to a single OIM profile user ?
    Regards,
    J

    Hi,
    We have seen it's working and linking multiple accounts when we have Key field as "User ID" in the Process Defn & RO and the recon matching rule has email ID as the matching rule.
    Please suggest, if we are having the above kind of rule/config...will it not cause any issue?
    Regards,
    J

  • How can HelpDesk manage users in multiple Organizations in OIM R2

    Hi All,
    I am looking to satisfy a requirement for OIM 11g R2 where a helpdesk administrator can only manage users that belong to a particular institution. However, there are approximately 50% of users that belong to more than one institution, where helpdesk staff from each institution should be able to manage the user. Customer is currently doing this in Waveset by assigning users to orgs dynamically through rules which allows multiple virtual orgs. OIM unfortunately has no way to assign a user to multiple orgs, making OOTB authorization management very difficult.
    How can administrators from different orgs manage the same User if that user belongs to a different org?
    How to achieve this in OIM R2?
    Thanks
    Akshat

    Hi Adr,
    I know the OIM Authorization is around the Organization, and a user can present in only one org in OIM.
    I wanted to know, can we force the authorization based on Department/Institutions rather than Org. I am thinking in regards of OES Authorization policies.
    OIM unfortunately has no way to assign a user to multiple orgs, making OOTB authorization management slightly difficult.
    I am looking to determine the best approach to accommodate this requirement. Due to the high number of users that reside within multiple institutions, leveraging organizations will not work. As far as I know OES APM should be able to accommodate this, but could not find any solid guidance in the Oracle training or Oracle by Example documentation.
    Any thoughts?
    -Ak

  • OIM 11g - Mail Notification for multiple resources

    User will be provisioned to 5 target system through access policies.So instead of sending 5 different mail notifications to the manager on the Create User task about the account creation, is it possible to send one consolidated mail about the provisioned resources in OIM 11g.

    Hi,
    How about for the following requirement for sending single mail for multiple resources provisioned.
    We have 3 Access Policies which is defined as follows.
    1) Policy 1 -> R1,R2,R3 Resources
    2) Policy 2 -> R3,R5 Resources
    3) Policy 3 -> R1,R4 Resources
    In such a case we will not be able to put dependencies on Resources and adding a task for sending email.

  • OIM 11g r2 disabling multiple account provisioning

    Hello all,
    I have a question, in oim 10g and 11g, on resource object there was a "allow multiple" checkbox.
    So you could configure your resource if you want to prevent it from multiple provisioning.
    But in 11gr2 I cannot see that checkbox.
    How can i configure my resource as it is going to disable multiple account provisioning?

    Is there anyone who can help?

  • Multiple user entities in OIM?

    Hi, everyone,
    Just getting my feet wet with OIM 11g, and I have a situation where I need different categories of users to have different user attributes associated with them. The Oracle docs don't seem to tell me how to set this up. Can I define more than one user entity, each with its own set of attributes?
    Thanks,
    - Ariel Anderson, Senior Business Analyst

    OIM uses a single user entity unlike some other IDM products (i.e. IBM TIM).
    There really isn't any easy way to handle multiple entities. You could get some functionality by using different organizations and you could add UDFs to the user form that you could interpret differently in your business logic. You could also use custom resource objects to contain this kind of information.
    Best regards
    /Martin

  • Multiple email address in OIM 11g

    Hi All,
    I have to store multiple email addresses of the users while creating users in OIM.
    For this one approach would be to define user defined fields which will store the value of alternate email Ids. But while configuring email notifications, how can I use the values of alternate email Id? Or do I have to use some other approach?
    Thanks,
    Amruta

    How are you sending the email notifications out? I don't think there is any way to configure OIM to use the UDF values as email addresses when you are sending notifications from OOTB code/objects. If you are using your own code to send notifications then you can handle the same.
    -Bikash

  • [OIM] Automate AD provisioning with multiple custom rules.

    I am working on setting up provisioning automation and I'm very confused about the best way to do it.
    I need to have OIM do the following when creating an Active Directory Account
    If the user is an employee put them in container X
    if they are a contractor put them in container Y
    If they are a warehouse worker, do not give them an account
    If they are in NY, give them an account with group A
    if they are in Denver, give them group B
    and so on
    So I need to have multiple rules checked and for certain fields to get certain things based on which rules are true. Do I need separate groups and Access policies for each rule?
    Is there a way to make one collection of rules with multiple outcomes leading to multiple mappings?
    rkimbal45
    Edited by: rkimball on Jul 27, 2010 4:19 PM

    Great question but unfortunately there is no straight answer.
    Exactly what you can and should do varies depending on what tradeoffs you are ready to make in your configuration. It is very hard to give a condensed and straight answer that covers all possible configurations and gives you an overview of pros and cons.
    I wrote up a paper on this a while ago that discusses this issue at quite some length. I am posting the excerpt that discusses this specific point below but it really helps if you have the rest of the context in the document.
    Feel free to contact me through linked if you want a copy of the doc.
    Hope this helps
    /Martin
    Role based group memberships
    In some cases you have a requirement that users who fit a certain profile should be given a certain target system role. One common example would be that employees should be added to the employee group and contractors should be added to the contractor group. OIM supports this scenario through the rule, group and access policy system.
    A rule lets you specify that a user that fits a certain profile (i.e. whose userType attribute on the user form is “employee”) should become a member of a certain group. The group membership in turn triggers execution of an access policy. The policy specifies that the user should be given a certain resource object with specific configuration of process form and child form. This in turn can trigger a target system group membership update.
    This works great as long as the specifications for the rules are simple and don’t require usage of wildcards. If you have more advanced requirements, i.e. users with department 6200-6500 excluding 6345 should go in this group, you will end up with a lot of rules (299 to be exact). Likewise if you have more advanced requirements around what target system memberships should be given you end up with a lot of access policies. Even if you manage to implement this you can easily end up in a management nightmare with hundreds or even thousands of rules, groups and access policies.
    Another weakness is that access policies can only be used to grant one instance of a specific resource object to a specific user. This is often a crippling limitation.
    One way to escape the limitations of the rules is to use entity adapters attached on insert and update on the user form. This makes it possible to replace large number of explicit rules with a single logical expression. The downside is that the business logic is now defined in code rather than configuration. You could of course write code that loads configuration from a text file, a lookup table or an XML file but that only takes you so far.
    Likewise you can replace the access policies with entity adapters that give out ROs according to business rules defined in the code. Eliminates some of the limitations but makes the system harder to implement and manage.

  • Not able to create request for multiple user in oim 11gr2

    Hi,
    I am trying to assign a resource to multiple users using oim identity console as System Administrator.
    But when i am assigning the resource to multiple users it's taking the same value for both the users.
    Please let me know how to add the different value for different users.
    Thanks

    That's the rules of how it works.  A request has 1 request form per resource for all users on the request.  Those fields must all be marked as available in bulk as well to be viewed if you have more than 1 user on the request.  If you need to provide different values based on the user, your best option is pre-populate adapters on the process form and use logic to populate the fields.  You will not be able to manually provide different values during the request.
    -Kevin

  • OIM AD reverse password sync from one AD instance to multiple OIM instances

    Hi All,
    I have a following scenario. My client is having multiple offices across the globe. They have OIM installed and configured in each location in each country to manage their local applications. Client also has a Global LDAP which is common across all the offices worldwide.
    My requirement is that i need to setup reverse password sync from Global LDAP to all the OIM systems across the Globe. As per the reverse password sync connector i can only define one OIM system to sync the password.
    Can you please suggest me some way to achieve this functionality? Is it possible to install more than one password sync connector and configure them with different OIM systems?
    Thanks
    Yogesh

    I have one AD instance and n OIM instances. Can i install multiple AD-OIM password sync components on the same AD machine and configure each component with various OIM's?

  • Multiple self-registration pages in OIM 11gR2 PS1

    Hi All
    I have a requirement to implement multiple self-registration pages in OIM 11gR2 PS1. Has anybody faced such requirement before.
    Any pointers will be highly appreciated.
    Thanks

    Hi,
    Basically i need some more information about your use case.
    Can you please elaborate the use case. What actually you want to do  by having multiple self-registration pages

  • Storing multiple PeopleSoft Job Codes and Departments in OIM

    Hello,
    We are trying to set up the PeopleSoft ER connector for OIM but it seems that OIM is not able to properly receive all the data that PeopleSoft sends it. In PeopleSoft, a lot of people have multiple Job Codes and Departments. When PeopleSoft sends WORKFORCE_SYNC messages, OIM receives all of them, but discards everything but the last Job Code and Department it receives. This behavior is not surprising since OIM only has a single field for the Job Code and a single field for the Department. We would like to store all Job Codes and Departments, but are not really sure how to address this issue.
    Has any of you encountered this problem and solved it?
    Thanks,
    --jtellier

    This error is appearing as it requires "jrf-api.jar" to be present in its CLASSPATH.
    Check if both following jars are present in CLASSPATH
    wlfullclient.jar
    oimclient.jar
    If not resolved-
    A simple workaround to fix the issue is:
    Add following jarfile to CLASSPATH property
    $MW_HOME/oracle_common/modules/oracle.jrf_11.1.1/jrf-api.jar
    where MW_HOME is the Middleware Home of FMW target .

  • Connection between multiple domains of AD and OIM

    I am trying to integrate OIM and AD (target resource) and I have 13 domains in AD. For one domain, connection between AD and OIM is established using OOTB connector.
    Can someone provide me approach for connection between multiple domains of AD and OIM.
    Do I need to install different connector server for different domains or OIM provides with some Connector Server cloning feature.

    Hi,
    this forum is for asking and answering JDeveloper and ADF related question. Your question should be asked to the FMW security forum here on OTN
    Frank

  • OIM provisioning to Multiple Domain Controllers of a single Domain

    Hi experts !
    Our client has offices in different parts of country and they are using MS AD. We have to integrate this AD with OIM. The issue we are facing is that there is a cluster of domain controllers (DC) at each location for example NewYork, Dallas and Ohio and OIM is being deployed in NY. All the DC at all location are part of a single domain "example.com" and there is no child domain.
    Now if a User Administrator in Ohio logs in to this central OIM online and creates / modifies user profile of a user in AD, it means that the OIM will create / update the user profile in the DC placed in NY and through AD replication, it will be pushed to Ohio.
    As the communication between few sites is not reliable, thus managers at these locations will have to bear the delays if the replication between DCs takes time even when they have modified the resource profile in OIM.
    Is it a possibility that the user administrator at location A, when modifies the user resource profile, the modifications is carried out in the DC of location A? for example, if the administrator in Ohio logs in, whenever, he changes the profile, OIM modifies the profile in DC placed at Ohio?
    I have gone through "Configuring the Connector for Multiple Installations of the Target System" in MS AD connector Documentation but i am uncertain whether this "target system" means DC of same domain or different child domains?
    Any help / idea would be really appreciated.
    Best Regards.
    Edited by: Zia on May 8, 2011 11:21 PM
    Edited by: Zia on May 8, 2011 11:22 PM

    thank you for your reply sir
    initially i was of the idea to place OIM servers at each location with DB at a central point. However, there are more than a dozen such locations! have you come across any such scenario where more than 12 machines running OIM at different places point to a central DB? i was a bit reluctant in proposing such design due to network instability. So we decided to deploy OIM at a single location in cluster mode and admins at each location will access this single instance (cluster) over the WAN. This cluster will populate domain controller at this specific location and will be replicated through AD replication.
    But now the analysis team has pointed out the problem scenario as i have mentioned in my earlier post. so we are in a bit fix how to handle this situation :-s

  • OIM 9.x is showing multiple requests for unique request under pending appro

    Hi OIM Guru,
    We are using oim 9.x and seeing multiple entries for single request id under pending approval page.
    Support request id is 100 and once you go to pending approval page :-
    you will be able to see multiple entries for request id 100. (Hope i am clear enough on this front.)
    any idea on this front ?
    What could be the possible reason for it?

    What is the BP that you are using? there is a bug related of this issue. Please update your OIM to latest BP and let me know.
    I hope this helps,
    Thiago Leoncio

  • OIM 11g R2 PS1 error in App instances page due to multiple process forms for a single RO

    By mistake I attached two process definitions to a single resource object (RO) and it in turn mapped two process forms to the single resource object.
    Now when I go to application instances page and do a search, it shows the below error in the UI
    IAM-4067027 : An error occurred in findAppInstances and the cause of error is An error occurred in getParentFormInfo and the cause of error is Multiple process forms exist for Test_Emp_RO.. 
    I tried to assign a different RO and Form to the second process def in the design console, but it throws SDK update failure error. How to resolve this error?  Any inputs are appreciated.

    Check for duplicates in the OBJ_KEY column of the process definition. If duplicate values exist then set them to 'null' and commit. Restart OIM if required
