Organizational Unit Synchronization & User Movement with Active Direct

Hi All,
Can anybody put some light on (Organizational Unit Synchronization) or can ref some doc links.
Anticipating Help from you folks.
Thanks
Randhir Singh

I'm assuming you want to synchronize Active Directory with either another LDAP directory or another repository such as a relational database or a flat file.
If you just want to export or import objects from Active Directory using an industry standard interchange format, you may want to investigate the use of LDAP Data Interchange Format (LDIF). The tool included with Active Directory to import and export LDIF files is called LDIFDE.EXE.
You may want to investigate directory synchronization products such as Microsoft Identity Lifecycle Manager. (refer to http://www.microsoft.com/windowsserver2008/en/us/ida-identity-lifecycle-management.aspx)

Similar Messages

  • How to unassign(delete assign) Organization Unit to User?

    How to Unassign Organization Unit to User? Is there any function module to do this? What are the function modules to update org unit of the user & to update the attributes of the user? Update org unit means we have to delete & recreate org unit or else directly to update org unit of User any function module existed? Please help me out asap. Thanks in advance.
    Thanks & Regards,
    Nagaraju Maddi

    Hi Cardo,
    I am developing a function module. In that one I have to write the code for the below case.
    Suppose user was assigned to 'XYZ' organization unit. Now I want to change his organization unit as 'ABC'. How to handle this programmatically? Later I have to update that user attributes. I think now you understand my requirement. Please help me out.
    Regards,
    Nagaraju Maddi

  • Sync of user data with Active Directory

    I would like to connect the Active Directory with our SAP 4.6C system. Goal is to synchronize the user data (address, company, department,...) of AD with SAP user data, so we would only have to maintain this kind of data in the AD.
    Can anyone give me some hints on how that can be done? (LDAP connector? SAP connect?) I did find a lot of information on connecting SAP to Exchange in order to send mails via SAP, but that is not what I am looking for.
    Best regards
    Martin

    Hi Martin,
    if you haven't done yet please visit
    http://help.sap.com/saphelp_webas610/helpdata/en/e6/0bfa3823e5d841e10000000a11402f/frameset.htm
    At
    http://www.computerservice-wolf.com/schulung/was-ldap-search.html
    there is a description (unfortunately in German and for Release 4.7) how to realise an access from sap to ldap.
    Perhaps it gives you some hints.
    Regards
    Bernd
    Message was edited by:
            Bernd Köhn

  • User registration with activation code

    Good day folks :)
    I've been lurking around these forums for a long time and learning a lot, but it seems I've encountered a problem I can't yet find a suitable solution to.
    I'm a student and I'm rather new to apex. There are things I've been able to do (even use some jQuery... The names 'Patrick' 'Dan' and 'Tom' immediately come to mind so thank you!) with the help of this forum but some things are really out of my reach. To get to the point, I have an application where I'd like to register users but first they need to click a link of some sort they'd receive by email that activates their account.
    There are three types of user - 'ADM' (an administrator) 'AUT' (as in author) and 'STU' (as in student). Students should be able to register their accounts directly, and that's where the trouble lies.
    Before I describe the process, the structure of my 'users' table is like this:
    CREATE TABLE "USERS"
    (     "USERID" NUMBER NOT NULL ENABLE,
         "USERNAME" VARCHAR2(50) NOT NULL ENABLE,
         "PASSWORD" VARCHAR2(100) NOT NULL ENABLE,
         "EMAIL" VARCHAR2(200) NOT NULL ENABLE,
         "NAME" VARCHAR2(100) NOT NULL ENABLE,
         "DOB" DATE NOT NULL ENABLE,
         "ADD1" VARCHAR2(300),
         "ADD2" VARCHAR2(300),
         "ADD3" VARCHAR2(300),
         "GENDER" VARCHAR2(1) NOT NULL ENABLE,
         "BIO" VARCHAR2(1000),
         "PHONE1" VARCHAR2(30),
         "PHONE2" VARCHAR2(30),
         "SECURITYQUESTION" VARCHAR2(100),
         "SECURITYANSWER" VARCHAR2(100),
         "USERTYPE" VARCHAR2(3) NOT NULL ENABLE,
         "ACTIVE" VARCHAR2(1) NOT NULL ENABLE,
         "PHOTO" BLOB,
         CONSTRAINT "USERS_PK" PRIMARY KEY ("USERID") ENABLE,
         CONSTRAINT "USERS_UK1" UNIQUE ("USERNAME", "EMAIL") ENABLE
    )
    /
    -- Fill USERID from the sequence when the insert does not supply one
    CREATE OR REPLACE TRIGGER "BI_USERS"
    before insert on "USERS"
    for each row
    begin
    if :NEW."USERID" is null then
    select "USERS_SEQ".nextval into :NEW."USERID" from dual;
    end if;
    end;
    /
    ALTER TRIGGER "BI_USERS" ENABLE
    /
    As you can see, there is one column of particular interest here, and that is the ACTIVE column. It simply contains a single character that can be any of the following: 'Y' for active user, 'B' for banned user and 'N' for inactive account. When a student registers, the ACTIVE column defaults to N, and they may not do any user actions until their account is activated. When they click on this link that supposedly activates their account, their status is changed to Y. When an administrator bans them, of course their status changes to B, and they may no longer access the site.
    The process should flow like this:
    1. User registers an account
    2. The application confirms registration and emails them an activation link
    3. The user views that email and clicks on the link; their account is activated.
    What I'm having trouble with is not particularly emailing someone as I've found a tutorial to do that, but instead I would like to know how to generate a link that changes the value in that column when clicked from an external location (like someone's email inbox). The greatest catch is this: My application is not hosted online, it is on my local machine. So the location of apex is at the localhost:8081/link. I'm not sure how to perform either action.
    Any help at all is greatly appreciated - I lost many hours researching on this issue already.
    Thanks!
    -J

    Hi,
    Sorry, I did not understand this " how do I cloak that URL so the user will not know what data is being sent to the application? Such as an encrypted URL perhaps?"
    User knows nothing in my opinion, he does not see anything till he gets email
    even if he knows your custom_hash function, if he is not registered, he gets nothing
    It does not matter where it is hosted.
    You need only to setup email smtp server in your workspace.
    So, if your provider allows such things, put smtp host in internal workspace, and that is
    I use the following process to send email when user press Submit on Submit process:
    declare
    l_subject VARCHAR2(32000);
    l_body    VARCHAR2(32000);
    l_link    VARCHAR2(32000);
    n number;
    BEGIN
    -- Confirmation link: CONF_ID carries custom_hash of the username, USERNAME the username itself
    l_link := :HTTP_ADDRESS
    ||OWA_UTIL.GET_CGI_ENV(
       param_name       => 'SCRIPT_NAME')||
    '/f?p=AUTO:CONFIRM:0::NO:RP:CONF_ID,USERNAME:'||custom_hash(:P18_USERNAME,:P18_USERNAME)
    ||','||:P18_USERNAME;
    IF :P18_PERSONAL_FL = 'N' THEN
       :P18_FIRST_NAME := :P18_COMPANY_NAME;
       :P18_LAST_NAME := null;
    END IF;
    -- Build subject and body from the translated message templates
    IF :P18_EMAIL_LANG = 1 THEN
       l_subject:= htmldb_lang.message('REGISTRATION_SUBJECT_FI',
                             :HTTP_ADDRESS);
       l_body :=   htmldb_lang.message('REGISTRATION_BODY_FI',
                        :P18_FIRST_NAME,:P18_LAST_NAME,:HTTP_ADDRESS,
                      to_char(sysdate,'DD.MM.YYYY - HH24:MI:SS'),
                      :P18_USERNAME,:P18_PASSWORD,l_link,:HTTP_ADDRESS);
    ELSE
       l_subject:= htmldb_lang.message('REGISTRATION_SUBJECT_EN',:HTTP_ADDRESS);
       l_body :=   htmldb_lang.message('REGISTRATION_BODY_EN',
                        :P18_FIRST_NAME,:P18_LAST_NAME,:HTTP_ADDRESS,
                      to_char(sysdate,'DD.MM.YYYY - HH24:MI:SS'),
                      :P18_USERNAME,:P18_PASSWORD,l_link,:HTTP_ADDRESS);
    END IF;
    SEND_MAIL(
        p_to => trim(:P18_EMAIL),
        p_from => :CSE_EMAIL_ADDRESS,
        p_body => l_body,
        p_subj => l_subject
    );
    -- Push the mail queue right away through a background job
    n := HTMLDB_PLSQL_JOB.submit_process (
    p_sql => '
    begin
    HTMLDB_MAIL.PUSH_QUEUE(''localhost'', 25);
    end;',
    p_when => sysdate,
    p_status => 'SUBMITTED'
    );
    commit;
    END;
    SEND_MAIL is basically Apex mail proc but more flexible
    Sorry for hardcoded values, this is just sample and for demo purposes only, I did not (and do not) put much effort in it
    custom_hash is standard Apex well known function
    create or replace function custom_hash (p_username in varchar2, p_password in varchar2)
    return varchar2
    is
      l_password varchar2(4000);
      l_salt varchar2(4000) := 'EVQELZY27PVLWPHMRN8B0CRRMAXBR8';
    begin
    -- MD5 over password, username and two slices of the fixed salt, returned as hex
    l_password := utl_raw.cast_to_raw(dbms_obfuscation_toolkit.md5
      (input_string => p_password || substr(l_salt,10,13) || p_username ||
        substr(l_salt, 4,10)));
    return l_password;
    end;
    /
    When email arrives, user clicks a link that I generated above, then he is redirected to page alias CONFIRM
    As you can see items CONF_ID,USERNAME are populated, one with hash value another with username.
    In CONFIRM page there is process that calculates the hash again out of username and compares to CONF_ID.
    If it agrees, then fine, if not, then sorry.
    There are other usual things: no double confirmation, no random navigation of someone to that page and etc
    Hope this helps
    Oleg
    Edited by: oleg.lihvoinen on Feb 9, 2010 1:55 PM
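
The confirmation link in the post above carries a value computed from the username and a fixed salt, so it is the same on every request and never expires. A variant with a random, single-use, expiring token follows as an added example (not the poster's code): the ACTIVATION_TOKENS table and both function names are hypothetical, USERS and its ACTIVE column come from the question, and it assumes Oracle 12c or later with EXECUTE on DBMS_CRYPTO.

```sql
-- Added example. ACTIVATION_TOKENS, issue_activation_token and
-- confirm_activation are hypothetical names; USERS/ACTIVE are from the thread.
create table activation_tokens (
  userid      number     not null references users (userid),
  token_hash  raw(32)    not null unique,  -- SHA-256 of the token, never the token itself
  expires_at  timestamp  not null,
  used_at     timestamp                    -- set once, when the link is redeemed
);

create or replace function issue_activation_token (p_userid in number)
  return varchar2
is
  l_token varchar2(64);
  l_hash  raw(32);
begin
  -- 32 bytes from the database CSPRNG: unrelated to the username, so the
  -- value cannot be recomputed from anything the user or a third party knows
  l_token := rawtohex(dbms_crypto.randombytes(32));
  l_hash  := dbms_crypto.hash(utl_raw.cast_to_raw(l_token), dbms_crypto.hash_sh256);

  insert into activation_tokens (userid, token_hash, expires_at)
  values (p_userid, l_hash, systimestamp + interval '1' day);

  -- The clear token goes only into the e-mailed link, following the thread's
  -- URL pattern: .../f?p=AUTO:CONFIRM:0::NO:RP:CONF_ID:<token>
  return l_token;
end;
/

create or replace function confirm_activation (p_token in varchar2)
  return boolean
is
  l_hash   raw(32);
  l_userid users.userid%type;
begin
  if p_token is null then
    return false;
  end if;
  l_hash := dbms_crypto.hash(utl_raw.cast_to_raw(p_token), dbms_crypto.hash_sh256);

  -- Claim the token in one statement: only an unused, unexpired row matches,
  -- so a second click or a replayed link updates nothing
  update activation_tokens
     set used_at = systimestamp
   where token_hash = l_hash
     and used_at is null
     and expires_at > systimestamp
  returning userid into l_userid;

  if sql%rowcount = 0 then
    return false;
  end if;

  -- Only pending accounts ('N') become active; banned accounts ('B') stay banned
  update users
     set active = 'Y'
   where userid = l_userid
     and active = 'N';

  return sql%rowcount = 1;
end;
/
```

The CONFIRM page process would call confirm_activation(:CONF_ID) and show the same generic message for every failure, so the response does not reveal whether a token was expired, already used or never issued.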

  • Controlling of organizational units in approp request with position id data

    Dear Experts,
    I am using Investment Management for PS.
    I have created Investment management program and position ids, in Position ID master data, I have mentioned the Co area, Company Code, Plant and Business Area.
    Then creating an Appropriation request using IMA11 code, in control data tab, I mention the Investment program with position ID and Organizational data tab, I am mentioning the requesting cost center and Plant, system automatically populates the other fields in that tab.
    Here I want to have a check of the plant and business area of the appropriation request with that of the Investment Program position ID.
    Say the plant in position id is 1000, and plant in appropriation request is  1100, system allows to save the appropriation request.
    I want to stop it. Also, can system check the budget of the position id while saving the appropriation request, currently system doesn't check the budget also, while saving the approp request.
    I have searched for user exits and BADIs, but could not find out the appropriate one.
    Can some one help me out in solving this issue.
    Regards
    Praveen

    Hi Ahmed,
    Thanks for your reply.
    Have you ever worked with this BADI??
    I have gone through the documentation of the BADI and it seems to be okay.
    I need to check with my ABAPer as well.
    I'll get back on this once I implement the same.
    Regards,
    Praveen

  • User move with CSutil

    How can I move a user account from one group to another using CSutil utility?
    Will syntax like this do that:
    UPDATE:user1:CSDB:user1_password:PROFILE:2
    Does it change only the group and make no changes in the user account (used time; time quota; etc.)?
    Juris

    One caveat with csutil is that the password will be reset - you can not change the group without affecting the password. If you know the passwords of each account to be moved, you won't have a problem. But on existing accounts where users have changed their original password, you will have a problem.
    I would suggest you look into using the CSDBSync capability which is similar to CSUtil, but has many more capabilities and is just as easy to use, once it has been set up.
    Set up processes are in the user guide and work very well.

  • Oracle Apps User Authentication with Active Directory

    Greetings,
    I am running Oracle Apps 12.1.1 using native login authentication. What I would like to do is set it up so that it uses our Active Directory to authenticate users. Does anyone know if there is an easy way to configure this or do I need to use OIM to accomplish it?
    Thanks

    Have a look here
    http://www.oracle.com/products/middleware/identity-management/docs/db-users-roles-management-whitepaper.pdf

  • Is there any BAPI returning the affected organisational units to users?

    Dear all,
    I would like to ask a question about organizational units. Whenever I want to affect a user to a given unit I
    use PPOME transaction. If I want to do this in ABAP level I use the function module RH_RELATION_WRITE.
    I would like to know, is there any BAPI returning the affected organizational unit to a given user?
    Thanks in advance,
    Kind Regards,
    Dariyoosh

    Alberto Sesma wrote:
    You can use Function Module RH_STRUC_GET
    >
    >
    > CALL FUNCTION 'RH_STRUC_GET'
    >   EXPORTING
    >      ACT_OTYPE = 'US'
    >      ACT_OBJID = user_name
    >      ACT_WEGID = 'US_CP_O'
    >   TABLES
    >        RESULT_TAB = LT_RESULT_TAB.
    >
    >
    > You will get the related org units in LT_RESULT_TAB. There are other two table parameters in that function module that you may find useful.
    >
    > If the function does not return any valid data you may try with other values for WEGID. You will find all the possible evaluation paths in transaction OOAW.
    >
    > Kind regards
    Dear Alberto,
    Thank you very much for your answer. I didn't know this FM and it solved my problem.
    For those who may be interested, here is exactly how I proceed. Suppose that in the table HRP1000 you have a
    structure (type S) with ObjID = 50000342 and you wish to have the SapUserID of the affected persons.
    DATA:
          affected_users TYPE STANDARD TABLE OF swhactor,
          user LIKE LINE OF affected_users.
    START-OF-SELECTION.
      CALL FUNCTION 'RH_STRUC_GET'
        EXPORTING
          act_otype              = 'S'
          act_objid              = '50000342'
          act_wegid              = 'A008'
          act_plvar              = '01'
          act_begda              = sy-datum
          act_endda              = sy-datum
          act_tdepth             = 0
       TABLES
         result_tab             = affected_users
    EXCEPTIONS
       NO_PLVAR_FOUND         = 1
       NO_ENTRY_FOUND         = 2
       OTHERS                 = 3.
      IF sy-subrc <> 0.
        MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
                WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
      ENDIF.
      LOOP AT affected_users INTO user.
        WRITE: / user-objid.
      ENDLOOP.
    Also in transaction OOAW we can have all possible values for the third argument of the module function (act_wegid).
    For those who are interested, here are a few among many possible values which seem to be interesting for my
    problem.
    DFPS_DG1   Organizational Unit of User
    DFPS_DG3   All Org. Units Above a User
    ORGAS      Closest Organizational Unit and structure
    ORGASS     Closest Organizational Unit and structure
    PPLEORG    Organizational unit of an employee or position
    SAP_ORGP   Organizational assignments of a user/person
    SAP_USOG   Organizational Assignments of a User
    SAP_US_S   Positions and Personnel Number of a User
    US_S_S_C   All positions and jobs of a user
    WFM_ORGU   Organizational Assignment of User
    WF_ORGUN   Organizational unit of a user/person (module id Ben./Pers.)
    For example, let's say we have a userid named MYUSER01 and we would like to find all structures to which the user
    is affected. Here is how I proceed.
    DATA:
          itab_user_structures TYPE STANDARD TABLE OF swhactor,
          row_user_structures LIKE LINE OF itab_user_structures.
    START-OF-SELECTION.
    CALL FUNCTION 'RH_STRUC_GET'
        EXPORTING
          act_otype              = 'US'
          act_objid              = 'MYUSER01'
          act_wegid              = 'US_S_S_C'
          act_plvar              = '01'
          act_begda              = sy-datum
          act_endda              = sy-datum
          act_tdepth             = 0
       TABLES
         result_tab             = itab_user_structures
    EXCEPTIONS
       NO_PLVAR_FOUND         = 1
       NO_ENTRY_FOUND         = 2
       OTHERS                 = 3.
      IF sy-subrc <> 0.
        MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
                WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
      ENDIF.
      LOOP AT itab_user_structures INTO row_user_structures.
        WRITE: / row_user_structures-objid.
      ENDLOOP.
    Thank you very much for your help.
    Kind Regards,
    Dariyoosh

  • How to link Organization Units and Entities in Oracle Designer 9i 9.0.2.8 ?

    Hi,
    I am working with Oracle Designer in a project where we need to assess the Business Process Model of the customer, mapping it in Oracle Designer.
    The Customer wants to see the relationship between Business Entity and Organization Units and Processes.
    We are following this approach:
    - define Entity
    - define Organization Unit
    - draw process models with Oracle Designer Process Modeler, defining the single process steps and indicating the Organization Unit who performs that activity;
    - draw a Data Flow Diagram for each Entity with Oracle Designer Data Flow Diagrammer, including the business function we have defined as process steps within the Process Modeler.
    Process Modeler allows us to link process steps to Organization Units, while Data Flow Diagrammer links Entity to business functions ( which are equal to our process steps). So we expect that for the "transitive properties" Organization Units should be linked automatically to Entity.
    At the end, using Oracle Designer Matrix Diagrammer we only see the relationship between Business Functions and Entity and not the one between Organization Unit and Entity .
    In fact, if we open Object Repository Navigator and check the property "Business Unit Entity Usage" of the Business Unit, there is no evidence of the entity related to the business function performed by the Organization/Business Unit.
    Could someone help us to understand how to use correctly the Oracle Designer Tools ?
    We look forward to hearing from you.
    Regards
    Flavia Ercoli & Rodrigo Silveira

    I would recommend the 10g version any day over the previous versions. If you use any of the other supporting apps (forms, reports, portal....) you're already at a much better release :)
    Is there a reason you would want to use the prior version?

  • Organizational unit 00000000 does not exist; check entries

    Hi Experts,
    While creating the business partner in transaction BBPMAININT the error is
    Organizational unit 00000000 does not exist; check entries
    where do i have to make entry of the organisation unit
    , already i have entered the purchase organisation.
    Thanks

    Hello,
    Can anyone Explain me How can I Create Vendor EBP using T Code ppoma_bbp.
    I am using Tcode bbpgetvd for Replicating Vendor Master to mySRM System and it is Having field of
    Organizational Object for Suppliers
    Object ID ______
    I have given Object id which is in assigned is ppoma_bbp (Organizational Structure).
    I have Tried to assign Object ID of Organizational unit which is assign with Purchasing Org. and Purchasing Grp.
    Please Help Me anybody.
    Thanks in Advance.

  • Link BP to Organizational Unit.

    Hi CRM Gurus:
    I have a problem, I need to link a BP with Organizational Unit. The situation is that the BP already exists but this BP was not created as Organization Unit in the PPM_CRM transaction. So we need to create an organization unit and then assign this to the BP.
    Does anybody have an idea how to resolve this problem...
    Thx.

    You're correct... The situation is that we have already the BP's, but now we need these bps to be organizational units. We tried to extend these bps as organizational units and then assign them in the organizational structure. But we could not extend, so we tried to make organizational unit and then link with bps.
    If it is not possible we should use a Z table where we can link the BP with another BP (which should have been created in the PPOMA_CRM). So we will have got 2 BP's... It's something we don't like and also it will be so difficult to maintain.
    We tried to use the BP transaction for extending the BP, but role BUP004 is not available. Only when you create the org. unit from the PPOMA_CRM.
    I hope to give you more info about the situation.
    Thanks a lot.

  • How to get users from Organizational Unit and with worker's subgroup

    Hi
    I am looking for a f. module to get the list of users from specific Organizational Unit and with specific worker's subgroup.
    I found f. module SWI_GET_USERS_OF_ORG_UNIT but it seems not working and only returns the users, how can I narrow the selection to get only from specific worker's subgroup?
    Thank you

    Hi,
    Try with FM RH_STRUC_GET with following parameters:
    ACT_OTYPE = O
    ACT_OBJID = worker's subgroup
    ACT_WEGID = SBESX
    Most important is to specify OBJID as the worker's subgroup, values for the other parameters may vary.
    Cheers.

  • Create a portal user with a specific Organizational Unit in the OID??

    I would like to split my portal users by Organizational Units in the OID.
    e.g.:
    ou=country1, cn=user1
    ou=country1, cn=user2
    ou=country2, cn=user3
    is it possible?
    is it possible through the administer tab of Portal?
    Any experience ?
    feedback??
    Thanks
    Didier

    I think it is feasible.
    But not through Administer tab.
    Use your own api to add users (DBMS_LDAP.add_s + WWSEC_API.add_portal_user)
    cn=user1, ou=country1, cn=user_search_base
    cn=user2, ou=country2, cn=user_search_base
    or maybe try to change dynamically user_create_base, I don't know if it is possible or not

  • What is involved in going from local user accounts to active directory accounts with CCM 9.1.2?

    We are currently using local user accounts with CUCM 9.1.2 and are looking at integrating it into the active directory structure.
    We do utilize the same structure for user ID's.
    I am looking to find out what the changeover will entail and if anything else needs to be done prior to the integration.
    We also have Unity syncing up with CUCM for users as well as Contact Center sync'ed up for our ACD system.
    Thanks
    Mike

    Hey Mike,
    The process is pretty straight forward.  CUCM 9.X supports the coexistence of AD integrated users and local users so you don't have to worry about local accounts disappearing if they don't have an AD account.  The biggest thing to watch out for is that if you decide to revert back for whatever reason then the accounts that were in AD will be marked for deletion (from the CUCM, not AD) and will be removed after approximately 24 hours.  
    I recommend the following if you'd like to move to AD.
    Run a DRS backup of CUCM.  This is not necessary for the integration but is good practice in my opinion.  I'd also do a full export of your users using the BAT so you can reimport users to how they were before the integration should you decide to revert for any reason.
    Determine if you want to put the user's extensions in the telephonenumber field or ipPhone field in AD.  Once you make a decision, I recommend populating that information in AD so it is available when you do the integration.  
    Make sure your local CUCM user accounts usernames are exactly the same as your domain accounts.  That way when you do the integration the local users become AD users and keep all of their phone associations, group memberships, etc.  If you need to change the usernames then be sure to notify your users ahead of time so they can start logging into UCCX or UCM user pages, etc. using their new username. 
    Create an account in AD that has read-only rights to your directory.  Set the password to never expire.  You will use this account later for the integration.  
    In CUCM, go into Serviceability and make sure the "Cisco DirSync" service is activated on the Publisher server.
    Also in CUCM, navigate to the administration page and do the following:
    Go to System > LDAP > LDAP System and Check the box to enable Synchronizing.  Confirm the LDAP server type and attribute for User ID is accurate.  This is typically Microsoft Active Directory and sAMAccountName respectively.
    Go to System > LDAP > LDAP Directory
    Click Add New
    Give it a name (whatever you want).
    Put in the Distinguished Name of the AD integration account you created earlier. For example, if you created an account called ciscoldap in the Service Accounts OU in the abc.com domain then it would look something like this... CN=ciscoldap,OU=Service Accounts,DC=abc,DC=com
    Enter the password for the account.
    Enter the search base.  This can be a specific OU where your users exist, a parent OU which contains other OUs which contain all of your users or the entire domain.  If you do the entire domain then in the abc.com example you would specify DC=abc,DC=com.
    Select the option to perform a sync with AD on periodic intervals.  The lowest interval you can set is every 6 hours.
    Select either the telephonenumber or ipPhone field to be used for the user's extensions.  This will be whatever you decided and populated in AD in an earlier step.
    Add your primary and any backup domain controllers and ports.  If they are just domain controllers and you are not using SSL then specify port 389.  If they are also global catalog servers then you can do port 3268.
    Click Save and Click the "Perform Full Sync Now" button.
    I recommend that you also use LDAP for authentication as well so you only have one username and password to remember which is all controlled by AD.  To add this do the following:
    Go to System > LDAP > LDAP Authentication.
    Click Add New
    Check the box to use LDAP Authentication
    Add the same Distinguished name, passwords and user search base that you used for your integration account earlier under the synchronization section.  Also add the same primary and secondary LDAP servers and ports you used earlier.  
    Click Save
    You can go a step further and create a filter to only pull in the users within the search base you specified and apply that.  For example, maybe only pull in users that have their ipPhone field populated.  Let me know if you have any questions on that or any of the above.
    I hope this helps!

  • Organization Units Authorization on user level

    Hello experts,
    Is there a way to add authorization for an organization unit (i.e. Company Code) on a user (SU01) level and not on an authorization objects (PFCG) level?
    For example,
    I would like to create the following Role (profile):
    ZFI_AP_REPORT_DISPLAY
    This role should be able to display AP report from the Financial module.
    However our problem is, we would like to create authorization levels with organizational units for each user:
    For example:
    User Anson has ZFI_AP_REPORT_DISPLAY assigned but can only display Report from Company Code 3202.
    We know we can create this authorization creating several roles, like:
    ZFI_AP_REPORT_DISPLAY_3201
    ZFI_AP_REPORT_DISPLAY_3202
    ZFI_AP_REPORT_DISPLAY_3203
    but our idea is not create several roles, but to assign the Company Code authorization on a user level and leave just one role so we would only need ZFI_AP_REPORT_DISPLAY.
    Is there a way to do this?
    Thank you in advance for your replies.
    Christine Tseng

    I agree with Jurjen.  There is no point creating a "new" authorisation concept for a few transactions.  If you use standard authorisation objects for the check in your custom tcodes then you will likely have very little work to do if you assign those tcodes to existing roles.
    Even using a custom auth object & creating the variants will take up no more time than doing something like repeating the variable functionality in BI or messing about with PIDs in the UMR (which I definitely do not recommend).  By sticking with the standard concept you ensure consistency, making it much easier to support and/or handover if you move on from the role.
