Organization Admin control in OIM 11gR2

Hi,
I was trying to configure Organization Admin control in OIM 11gR2. Our requirement is to configure roles having read access to an organization (members of this role can only see the members of the organization but cannot update them), and roles having admin control over an organization (where members of these roles can read/write/execute member access). There should be different sets of roles having access to different organizations, where members of one role cannot access the members of the other organization. I tried to configure these security models, but the only thing I could find in Organization is Admin Roles, which I also couldn't configure very well :(. Can someone point me to the correct documentation or procedure/tool which we should use to achieve such functionality? (These functionalities are very easily available in OIM 10g, but I couldn't find them in 11gR2 :( )

If you add the members of a role to the Admin Roles of a given Organization (specifically the OrclOIMOrgViewer Admin Role), the users will be able to see the users in that organization.
A few things to consider:
Only xelsysadm or a user in the System Administrator Admin Role can assign users to Admin Roles within the scope of an Organization.
Here is a piece of code that you can use to programmatically add users to the Admin Role OrclOIMOrgViewer:
import java.util.Hashtable;
import java.util.List;
import javax.security.auth.login.LoginException;
import oracle.iam.platform.OIMClient;
import oracle.iam.platform.authopss.api.AdminRoleService;
import oracle.iam.platform.authopss.vo.AdminRole;
import oracle.iam.platform.authopss.vo.AdminRoleMembership;

// Logs in to OIM as xelsysadm and returns the client; both methods below use it.
private OIMClient connect() {
    Hashtable<String, String> env = new Hashtable<String, String>();
    env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, "weblogic.jndi.WLInitialContextFactory");
    env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, "t3://<oim server host>:<oim port>");
    OIMClient oimClient = new OIMClient(env);
    try {
        oimClient.login("xelsysadm", "<XELSYSADM Password>".toCharArray());
    } catch (LoginException e) {
        throw new RuntimeException(e.getMessage(), e);
    }
    return oimClient;
}

// This one gets the list of all admin roles scoped by Organization.
public List<AdminRole> getScopedAdminRoleMemberships() {
    AdminRoleService adminRoleSvc = connect().getService(AdminRoleService.class);
    return adminRoleSvc.getScopedAdminRoles();
}

// This method adds the user identified by userId (pass usr_key, not usr_login) to the Admin Role
// in the Org whose key (act_key) is passed as a parameter in scopeId.
public AdminRoleMembership addAdminRoleMembershipFor(String userId, AdminRole role, String scopeId) {
    AdminRoleMembership membership = new AdminRoleMembership();
    membership.setAdminRole(role);
    membership.setUserId(userId);
    membership.setScopeId(scopeId);
    AdminRoleService adminRoleSvc = connect().getService(AdminRoleService.class);
    return adminRoleSvc.addAdminRoleMembership(membership);
}
This should give you what you need. Remember, the APIs work with act_key and usr_key values; don't use Org Names or User Logins.
Hope this helps.
Regards
Alex Lopez
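The answer above stresses that AdminRoleService wants act_key and usr_key rather than names, and that the caller must be xelsysadm or a System Administrator. The following is an added example, not code from the thread or from Oracle, that does the name-to-key lookups with OrganizationManager and UserManager, finds the scoped role by name from getScopedAdminRoles(), and then grants it to a list of users inside one organization only. Assumptions: the role name OrclOIMOrgAdministrator for the org-level admin role (only OrclOIMOrgViewer appears in the thread), that passing null as the attribute set to getDetails() returns the default attributes, the OIM_ADMIN_PASSWORD environment variable, and the sample org and login names, which are constructed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.List;

import javax.security.auth.login.LoginException;

import oracle.iam.identity.orgmgmt.api.OrganizationManager;
import oracle.iam.identity.orgmgmt.vo.Organization;
import oracle.iam.identity.usermgmt.api.UserManager;
import oracle.iam.identity.usermgmt.vo.User;
import oracle.iam.platform.OIMClient;
import oracle.iam.platform.authopss.api.AdminRoleService;
import oracle.iam.platform.authopss.vo.AdminRole;
import oracle.iam.platform.authopss.vo.AdminRoleMembership;

/**
 * Added example (not from the original thread): grants an organization-scoped admin
 * role to a list of users, resolving the org name to act_key and each login to usr_key
 * first, because AdminRoleService accepts keys only.
 */
public class ScopedAdminRoleGrant {

    // Role name taken from the thread above.
    static final String ORG_VIEWER = "OrclOIMOrgViewer";
    // Assumption: name of the OOTB organization administrator role. Confirm it against
    // getScopedAdminRoles() on your instance before relying on it.
    static final String ORG_ADMIN = "OrclOIMOrgAdministrator";

    private final OIMClient client;

    /** Connects as a user allowed to manage scoped admin roles (xelsysadm or a System Administrator member). */
    ScopedAdminRoleGrant(String providerUrl, String login, char[] password) throws LoginException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, "weblogic.jndi.WLInitialContextFactory");
        env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, providerUrl);
        client = new OIMClient(env);
        client.login(login, password);
    }

    /** Finds a scoped admin role by name; fails instead of silently granting the wrong role. */
    AdminRole scopedRole(String roleName) {
        AdminRoleService svc = client.getService(AdminRoleService.class);
        for (AdminRole r : svc.getScopedAdminRoles()) {
            if (roleName.equals(r.getRoleName())) {
                return r;
            }
        }
        throw new IllegalArgumentException("no organization-scoped admin role named " + roleName);
    }

    /** Organization name -> act_key. Assumption: null attribute set returns the default attributes. */
    String orgKey(String orgName) throws Exception {
        OrganizationManager om = client.getService(OrganizationManager.class);
        Organization org = om.getDetails(orgName, null, true); // true: look up by name, not key
        return org.getEntityId();
    }

    /** User login -> usr_key. */
    String userKey(String login) throws Exception {
        UserManager um = client.getService(UserManager.class);
        User user = um.getDetails(login, null, true);          // true: look up by login, not key
        return user.getEntityId();
    }

    /** Grants roleName in orgName to every login: one membership per user, scoped to that org only. */
    List<AdminRoleMembership> grant(String roleName, String orgName, List<String> logins) throws Exception {
        AdminRole role = scopedRole(roleName);
        String scope = orgKey(orgName);
        AdminRoleService svc = client.getService(AdminRoleService.class);
        List<AdminRoleMembership> created = new ArrayList<AdminRoleMembership>();
        for (String login : logins) {
            AdminRoleMembership m = new AdminRoleMembership();
            m.setAdminRole(role);
            m.setUserId(userKey(login));
            m.setScopeId(scope);   // the membership is valid only inside this organization
            created.add(svc.addAdminRoleMembership(m));
        }
        return created;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the admin password comes from an environment variable rather than
        // being hard-coded, so this source can be stored without the credential.
        char[] pw = System.getenv("OIM_ADMIN_PASSWORD").toCharArray();
        ScopedAdminRoleGrant g = new ScopedAdminRoleGrant("t3://<oim server host>:<oim port>", "xelsysadm", pw);

        // Constructed sample data: read-only viewers and one full admin for the UK org.
        // Nothing granted here lets these users see or change members of any other organization.
        g.grant(ORG_VIEWER, "UK", Arrays.asList("uk.helpdesk1", "uk.helpdesk2"));
        g.grant(ORG_ADMIN, "UK", Arrays.asList("uk.orgadmin"));
        g.client.logout();
    }
}
```

Repeat the two grant calls with the other organization's name and logins to get the separate, non-overlapping role sets the question asks for; because every membership carries a single scopeId, a viewer granted in UK has no membership in Italy at all, rather than a denied one.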

Similar Messages

  • Configuring Access Control with OIM 11gR2

    Hi,
    I have to configure Access Control resource with OIM 11gR2. Kindly share relevant pointers.
    Best Regards,
    Varun

    I think this link will be Helpful
    22.5.1 Configuring Oracle Application Access Controls Governor
    http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/segduties.htm#OMDEV3394

  • Pre-populate Organization to the self registration request in OIM 11gR2 PS1

    Hi All
    I want to know if there is a way to pre-populate Organization to the self registration request in OIM 11gR2 PS1.
    I am trying to configure auto approval and for that I need to add org to the request.
    Thanks

    Hi,
    you can look into the following post : https://forums.oracle.com/message/10830661
    Thanks

  • OIM 11gR2 user not provisioning to Active Directory (11.1.1.5 connector)

    Hello all,
I'm trying to set up an OIM 11gR2 instance to work with Active Directory with the Active Directory 11.1.1.5.0 connector. I've fully installed both OIM and AD on separate servers, and I've installed the AD 11.1.1.5 connector on OIM. I have configured Active Directory properly (connector on OIM and the connector server on the AD server side), and have set up the two IT Resources on OIM. I can run, for example, the Active Directory Organization Lookup Recon job and have it return results in the Lookup window.
    My problem is that I cannot get it to provision to a user. I've created an Application Instance and Form for Active Directory, attached the Form, associated them with the appropriate resources (AD User), and added them to the Catalog, and then gone through the process of adding an account to the user, selecting the Application Instance, adding it to the cart, checking out, filling out the fields (Password, User ID, UPN, First Name, Last Name, Common Name, and Organization Name), and then submitting the request. This is all done as the xelsysadm admin user, but it still results with the account stuck on "Provisioning" because the "Create User" task failed due to a Connector Error (the reason stated is just a repeat of "Create Object" failed).
    Anyone know what I'm missing here?
    Thank you!
    Edited by: 939908 on Nov 12, 2012 6:36 AM

    Hey 833249, thanks for your reply
    The organization field attribute is filled in correctly, in that the OU I selected exists in AD.
    These are the errors listed in the connector server log:
    11/9/2012 9:07:07 PM <ERROR>: Class-> ActiveDirectoryUtils Method -> GetDirectoryEntry, Message -> Exception occured during the creation of directory entry.
    11/9/2012 9:07:07 PM <ERROR>: Class-> ActiveDirectoryUtils Method -> GetDirectoryEntry, Message -> Exception Message : Logon failure: unknown user name or bad password.
    11/9/2012 9:07:08 PM <ERROR>: Class-> ActiveDirectoryUtils Method -> GetDirectoryEntry, Message -> Exception Stack Trace : at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
    at System.DirectoryServices.DirectoryEntry.Bind()
    at System.DirectoryServices.DirectoryEntry.get_NativeObject()
    at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryUtils.GetDirectoryEntry(String path, ActiveDirectoryConfiguration configuration) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryUtils.cs:line 1423
    11/9/2012 9:07:08 PM <ERROR>: Class-> ActiveDirectoryConnector Method -> Create, Message -> Encountered Excetion: Unable to get the Directory Entry
    11/9/2012 9:07:08 PM <ERROR>: Class-> ActiveDirectoryConnector Method -> Create, Message -> Stack Trace: at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryUtils.GetDirectoryEntry(String path, ActiveDirectoryConfiguration configuration) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryUtils.cs:line 1456
    at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryUtils.DirectoryEntryExists(String path) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryUtils.cs:line 1512
    at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector.Create(ObjectClass oclass, ICollection`1 attributes, OperationOptions options) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryConnector.cs:line 219
    ConnectorServer.exe Error: 0 : Org.IdentityConnectors.Framework.Common.Exceptions.ConnectorException: Unable to get the Directory Entry
    at Org.IdentityConnectors.ActiveDirectory.ActiveDirectoryConnector.Create(ObjectClass oclass, ICollection`1 attributes, OperationOptions options) in c:\ADE\aime_oimcp\idc\bundles\dotnet\ActiveDirectory\ActiveDirectoryConnector\ActiveDirectoryConnector.cs:line 368
    at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.CreateImpl.Create(ObjectClass oclass, ICollection`1 attributes, OperationOptions options) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 388
    at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.ConnectorAPIOperationRunnerProxy.Invoke(Object proxy, MethodInfo method, Object[] args) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 244
    at ___proxy1.Create(ObjectClass , ICollection`1 , OperationOptions )
    at Org.IdentityConnectors.Framework.Impl.Server.ConnectionProcessor.ProcessOperationRequest(OperationRequest request) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\Server.cs:line 609
    I'm not sure why the username/password error could be occurring, as those fields in the AD IT Resource are correct (I've run AD recon jobs that have connected properly). Is there something I'm missing?

  • Authorization Policy for Modify user in OIM 11gR2

    Hi Experts,
    Requirement: I want the users in a particular org not to be able to modify certain user attributes, while users from other orgs should be allowed to modify the user.
    I have created user1 whose organization is org1 and role is role1. I have also created user user2 under same org and same role. I assigned the Admin Role "User Administrator" role to user2.
    So If user2 from same org1 tries to modify certain attributes then OIM should throw error message. I have completed till this.
    But when a user from a different org, say org2, with the Admin Role "User Administrator" tries to modify the user, OIM is not allowing them to modify the user, which should not be the case.
    I want the Auth Policy to trigger only for Org1. I have specified the below condition for my custom policy in OES admin console but it is not triggering.
    The condition is
    IF ( OrclOIMTargetEntity = 'true' AND OrclOIMUserOrganizations = 'true' AND STRING_AT_LEAST_ONE_MEMBER_OF(OrclOIMUserOrganizations,['25','1000000']) = true )
    What am I missing?
    Any help is much appreciated.

    Hi
    Can anyone let me know the steps to restrict modify user operation for the users belonging to specific organization in OIM 11gR2. The condition which I specified under Authorization Policy in APM console is not triggering at all.
    Thanks!

  • System Administrator role OIM 11gR2

    Hi experts,
    I am trying to figure out which table in OIM 11gR2 stores the information for roles assigned to the user.
    I am specifically looking for users who have system administrator role assigned. The way to assign is through organizations, but not sure which table stores it.
    Thanks
    Kunal Jain

    Below are the table names and descriptions used to obtain admin role and user information:
    ADMIN_ROLE - stores information about admin roles available in the system
    USR - user information
    ADMIN_ROLE_MEMBERSHIP - user and admin role mappings
    regards,
    GP

  • Replicating the app functionality from OIM 10g to OIM 11gR2

    Hi,
    I have a resource object with an object form and a process form and approval, provisioning configured in OIM 10g design console. Provisioning is manual provisioning assigned to a particular group based on a task assignment adapter. For replicating the same in OIM 11gR2 i followed the following steps.
    1. Created a Resource object in Design console.
    2. Created a dummy IT Resource (since while creating the app instance it has IT Resource as a mandatory field. Is there any way to skip this, as I do not have any IT resource in my original app since it is going for manual provisioning?)
    3. Created a process form in Design Console with the same fields as present in my 10g app process form.
    4. Now I need to create an app instance and select the created resource object and IT resource. Also I need to create a form associated with the app instance in which I will add the fields as present in the object form in my 10g app. (Here I am not understanding how data will flow from the object form to the process form since there is no data flow mapping here.)
    5. Other steps like creating the SOA composite with human tasks and deploying it and after that creating approval policies is pretty much clear.
    Please clarify whether the steps are correct and also the queries which i have posted in between. Thanks in advance.
    Regards,
    Durgaprasad
    Edited by: Durgaprasad on Jan 17, 2013 3:38 AM

    Thanks Gyanprakash. Will a disconnected resource trigger our custom approval process if we select the resource name properly in the scope of an operational-level approval policy? Have you tried a disconnected resource with your custom approval process? Because I read the following lines in the admin guide:
    Oracle Identity Manager supports provisioning of disconnected resources by using the SOA worklist for manual provisioning of disconnected resources. After the role-based provisioning decision or SOA request approval is complete and the corresponding application instance is determined to be a disconnected application instance, a new SOA workflow is started. This new SOA workflow is assigned to the manual provisioning administrator.
    So I thought a disconnected app instance would have its own approval process configured during creation and would route accordingly. So I just wanted to clarify how to make a disconnected app instance trigger our approval. Will the approval policy take care of it, as I am going to select the name of the disconnected app in the scope field?

  • Help required for linking Organization Admin Roles to User Profile in R2

    Hi,
    We are using OIM 11.1.2.0 (Without any patch).
    Current Requirement:
    We have requirement to provide search capability to end users to search/see users of other Organizations in OIM.
    For example: I belong to Org1: UK, so OOTB OIM only supports searching/viewing profiles of UK Organization users. I cannot search/view user info of Org2: Italy.
    To overcome this issue,Oracle has suggested us to add both the following roles in order to see user information of other organization.
    • User Viewer
    • Organization Viewer
    After logging in as xelsysadm, I am able to assign the Admin Roles of each organization to end users.
    We want some API info/ how to automate this assignment to Admin Roles(Which are available to Organization) to end users?
    We went through the APIs available for OIM 11.1.2.0, but could not find any API related to Admin Roles of OIM.
    Please suggest.
    Regards,
    J

    Hi,
    Has any one implemented this method?
    addAdminRoleMembership(oracle.iam.platform.authopss.vo.AdminRoleMembership membership) Add a admin role membership.
    Regards,
    J

  • Request dataset in OIM 11gr2

    Hi Experts,
    I have integrated OIM 11gR2 with Siebel and able to provision by xelsysadm. My requirement is End User will be raising request for siebel resource and approval workflow associated with is triggered.
    1. The end user raising the request is able to view the process form. I need to restrict a few attributes, i.e. position and responsibility should not be visible to the end user.
    2. Position and Responsibility should be provided by approver (this is specified in request data set of provision resource)
    3. As per Oracle document there is no request data set for PROVISION and MODIFY resource. What is the replacement for this?
    4. After the request is raised it has been assigned to xelsysadm; how do I control the approval?
    Regards
    A Abhinay

    1. End user raising the request is able to view the process form, I need to restrict few attributes i.e. position and responsiblity should not be visible to end user
    End user will see the Application Instance Form and you can customize the UI to hide attributes.
    2. Position and Responsibility should be provided by approver (this is specified in request data set of provision resource)
    Make your Java Code/Beans/Expression show/hide attributes conditionally.
    3. As per Oracle document there is no request data set for PROVISION and MODIFY resource. What is the replacement for this?
    Application Instance Form.
    4. After Request is raised it has been assgined to xelsysadm, how do i control the approval ?
    Approval Policies.

  • [ OIM 11gR2 PS1 ]How to add additional field on Application Instance Form ?

    Hi,
    In our scenario we have Disconnected applications in OIM. AI (Application Instance) form and PD editing is created by OIM.
    We want to add an additional field in the AI form. It is visible in the back end, but it's not visible in the OIM admin console for the admin, nor for the end user.
    Is there any property related to form field in AI ,where we need to make changes to make it visible ?
    Instance used is OIM 11gR2 PS1
    Thanks,
    RPB
    Edited by: RPB25 on May 29, 2013 9:46 PM

    I was able to resolve this issue. We need to click on "Regenerate View".

  • OIM 11gR2 Active Directory integration issue

    Hi,
    I am trying to install AD connector on OIM 11gR2 and have successfully performed all the necessary and relevant steps according to the deployment guide.
    When i am trying to test the connector though, by running the "Active Directory Organization Lookup Recon" scheduled job i am getting the following error:
    Exception Message oracle.iam.connectors.icfcommon.exceptions.IntegrationException: The value for a key [Host] is not defined in the provided map.
    Kindly help me out with this
    Best Regards,
    Varun

    Hi,
    I hope you are using the new AD connector (i.e. ICF based) and your connector server key is not set properly. In most cases this arises because of the connector parameters. So verify the connector parameters, and also, have you put the AD connector jars on the connector server side?
    _Saurabh

  • OIM 11gR2: API to modify accounts

    Hi all,
    I would like to develop an event handler for OIM 11gR2 to modify a user account (for example Active Directory account) if some conditions are satisfied.
    I looked for proper API in Java API Reference for Oracle Identity Manager and I found the interface ProvisioningService.
    I already developed an event handler for test purpose that gets and prints account details and it works.
    My question is: can you provide me an example to use the API to modify an account correctly please?
    Thanks in advance,
    Daniele

    Find the act_key for this new organization and then use the UserManager api to update the act_key for all the accounts.

  • How to raise create role request in OIM 11gR2?

    How can I let a user to raise a create role request in OIM 11gR2?
    If I assigned the Role Viewer or Role Authorizer admin role to the user, the create button for role is disabled.
    If I assign the user as Role Administrator, the role will be directly created without raising any request.
    If I assign the user as SPML Admin, the create button is enabled, but after filling the form and clicking the "save" button, an exception will be thrown saying "IAM-3054100 : The logged-in user AA10127 does not have createRole permission on Role entity."

    Hi,
    I have changed the identity page logo by using the customize option, but in the sysadmin page there is no such option. Is it possible to change the image the same as in the identity console?

  • OIM 11gR2 : Problem while starting managed server

    Hello Experts,
    I ran config.sh in order to extend my schema to include APM (Authorization Policy Manager) in OIM 11gR2.
    After that i took a restart of the servers. When i am trying to start the managed servers they're not starting in the RUNNING mode. Instead they're starting in the ADMIN mode.
    The logs are showing the following error :
    Internal Exception: java.sql.SQLException: Listener refused the connection with the following error:
    ORA-12505, TNS:listener does not currently know of SID given in connect descriptor
    Kindly help me out.

    1. Yes, you can check if the nodemanager is running in the following ways.
    For linux env:
    a. Check if the JAVA process for nodemanager is running: ps -ef | grep java and look for the nodemanager process, else /usr/sbin/lsof -i:$port (port of nodemanager).
    b. Login to Admin Console --> Environment --> Machines --> Click on Machines --> Nodemanager --> Monitoring will give you nodemanager status from Admin console.
    c. use nm() command with WLST
    Example:
    wls:/mydomain/serverConfig> nm()
    Currently connected to Node Manager that is monitoring the domain "mydomain"
    wls:/mydomain/serverConfig> nm()
    Not connected to any Node Manager
    wls:/mydomain/serverConfig>
    To see if WLST connects to nodemanager or not?
    help('nmLog') --> to check the nm logs
    2. To start the nodemanager using WLST here are the commands
    Example:
    For single managed Server
    wls:/mydomain/serverConfig> start('myserver', 'Server', block='false')
    Starting server 'myserver' ...
    The server 'myserver' started successfully.
    wls:/mydomain/serverConfig>
    For Cluster
    wls:/mydomain/serverConfig> start('mycluster', 'Cluster')
    Starting the following servers in Cluster, mycluster: MS1, MS2, MS3...
    All servers in the cluster mycluster are started successfully.
    wls:/mydomain/serverConfig>

  • Configuring ACF2 connector with OIM 11gR2

    Hi Experts,
    I am working on configuring the ACF2 connector with OIM 11gR2. In an intermediate step we need to copy the VOYAGER_ID.properties file. The comment against this file is written as: Rename VOYAGER_ID with the name "Voyager server's VOYAGER_ID control file property".
    Can anybody please tell what does this actually mean?
    thanks

    Rename the copied file to match the VOYAGER_ID property. For example, if the target system has VOYAGER_ID = VOYAGE14, then the .properties file should be named VOYAGE14.properties.
    The Voyager reconciliation agent sends a unique identifier value, called VOYAGER_ID, each time a reconciliation event occurs. This value must match the name of the .properties file being used by the topsecret-adv-agent-recon.jar file for reconciliation.
