PAB Deprovisioning.

Similar Messages

• IDM 8.1 deprovisioning of domino user thowing error

  Hi,
  I am using Sun IDM 8.1. I configured Lotus Domino as an resource. I am able to do the following successfully.
  1) Creation of a user
  2) Modification
  3) Change password
  I am facing problem in deprovisioning or deleting a user from the resouce.
  Error Message.
  Entry <username> is not registered and does not belong to an organization
  Unregistered accounts cannot belong to groups. The request to remove this user to group(s) was not performed
  I have checking the permissions of the id used in resouce. It has all the privilages for managing a user i.e create,modify and delete.
  Please help.
  Thanks in advance.

  Hi,
  According to the Resource Reference documentation the Domino adaptor does not support deletion of a user.
  According to the documentation "When deprovisioning or disabling, you must send a list of DenyGroups that the user will be
  added to. When enabling, you must send a list of DenyGroups that the user will be removed
  from."
  There are code examples.

• Automatic Deprovisioning of AD resource Accounts from CSV file attribute

  My scenario is somewhat like this,
  I have a CSV flatfile Active Sync which contains the following columns:
  accountId,firstname,lastname,department,location,region
  ausmani,Arsalan,Bhagwan,Uphone,Milpitas,US
  aahmed,Aftab,Singh,Telenor,Cairo,EMEA
  hkhan,Hello,Khan,Lahore,Dublin,EMEA
  I have created a role and has assigned AD resource to it. I have hardcoded this role in the waveset.roles field name in my creation form.
  When I start FlatFileActiveSync, these above mentioned 3 accounts are created in IDM and they are also assigned AD role, and hence they are automatically provisioned to AD as, due to the fact that I am assigning resource on role base.
  I am using Update User workflow in my poll-workflow configuration in my Flatfile synchronization policy.
  Currently I am able to automatically provision a account from CSV file towards IDM and towards AD. All this process is automatic.
  My problem is that how can I automatically disable and deprovision accounts via a CSV. What I should include in CSV that IDM will know that this account has to be disable and deprovision from resource??? Moreover, which workflow I have to use?
  Thanks,
  Farhan.

  Even I am struck at the same place. Please let me know if you find out.
  Thanks you in advance
  Prabhu

• User status doesn't changes in WebAdmin console even after deprovisioning..

  When a user’s organization is changed from one to another, he is automatically deprovisioned at once from the target resource (if already provisioned).
  But when you check the status of that user in the WebAdmin console it shows as Provisioned to that resource. Even manually disabling and revoking the access doesn’t works. Nor the user can be provisioned to that target resource again as in when you go to resource profile of that user, there is no resource (that specific target resource to which he was provisioned earlier) present.

  Can anybody give a solution to the above problem???
  Thanks in Advance ..
  Abhishek

• Adding users to PAB group with same last name as existing

  Cannot add user to PAB group when user has same last name as an existing Group member.
  Seems to work, see number tick up and green bar flash, but, never really adds.

  Joea,
  It appears that in the past few days you have not received a response to your
  posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Visit http://support.novell.com and search the knowledgebase and/or check all
  the other self support options and support programs available.
  - You could also try posting your message again. Make sure it is posted in the
  correct newsgroup. (http://forums.novell.com)
  Be sure to read the forum FAQ about what to expect in the way of responses:
  http://forums.novell.com/faq.php
  If this is a reply to a duplicate posting, please ignore and accept our apologies
  and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Product Support Forums Team
  http://forums.novell.com/

• Delete PAB

  Hello,
  To delete a user's PAB, it can be done using the Admin Console.
  To delete 50,000 users PAB, i think it is inefficient to use Admin Console. Is there any available command line to do it?
  the servers we're using are:
  NDS 4.12
  IMS 5.0 P2
  Thanks!

  If you script it you certainly can delete the pab from 50000 user entries
  rather quickly.
  Write a perl script or a shell script which loops through all
  of the userids and removes the paburi attribute. That is the reason
  I gave you the sample ldif file that would be input for the
  ldapmodify command.
  The logic for this script would be:
  for each uid in the list of uids
  loop
    print the dn to file x.ldif
    print the changetype and change commands to file x.ldif
    print blank line to file x.ldif
  end
  once that is done call ldapmodify and feed it the x.ldif
  file which would now have entries which look like:
  dn: uid=foo,ou=People,o=your.domain.com,o=somesuffix
  changetype: delete
  delete: paburi
  dn: uid=bar,ou=People,o=your.domain.com,o=somesuffix
  changetype: delete
  delete: paburi
  HINT: It does not matter how you generate the x.ldif file (use whatever tools you are comfortable with to get to that point then run the ldapmodify command).
  As to your second question, the pab database is stored under the o=pab tree. You have to remove that tree from the ldap directory, but you need to delete the paburi attributes first.

• How to migrate address book in outlook express to PAB?

  How to migrate address book in outlook express to SUN messages server 's PAB?
  Use any LDAP command ?
  Thanks!

  We provice no supported technique for this.

• Complete Newbie - PAB Uniqueness

  Hmmm, sorry to post what must seem a very simple question to you guys, but we have Directory Server running with Messaging Server (with little training)! Our problems seems to have arisen when converting Outlook address books to CSV files, then squirting those CSV files into the PAB using a PHP script! Now we seems to have broken the functionality of the address book side of things as we can no longer edit or add adresses via the messenger express front end - I suspect uniqueness problems - where on earth do I start looking? I know that I have some repeated values in an LDIF dump against UN: and DN:, I also know that my uiqueness plug-in is not switched on....
  Thanks in anticipation....

  About training ~
  To anyone who might be interested in instructor led training
  for Captivate (or any Adobe product), you can find the nearest
  Adobe Certified training in Adobe's "Partner Finder"
  located
  at this link
  . Rick's comment back in December might lead some to believe
  that he is
  the contact for training, and of course that couldn't be
  further from the truth ... Adobe's "finder" can help find training
  in any country in the world, or any state in the nation (if you are
  in the U.S.). And of course, there are dozens of (us) certified
  trainers, most of them quite possibly more convenient to you than
  Rick.
  To clarify - Rick might be a good enough instructor (I
  wouldn't know, but I assume he is a very passable teacher) but my
  point is that he is just one of many qualified Captivate
  instructors. The above mention of Kevin Siegel brings to mind that
  Kevin also puts on a good (training) show - in addition to writing
  an excellent Captivate user's manual. Kevin presents on-line
  (virtual) training seminars for those who might benefit from
  learning in a "live" environment while at their own home or office.
  Check that possibility out at
  this link to Kevin's
  registration page
  .

• PAB to Address Book server dynamic migration

  I'm using JES3, 2005Q1.
  I was able to apply the batch migration from PAB to Address book server as described in the Communications Express 6 2005Q1 Administration Guide. In the same chapter (Chapter 7), the dynamic migration is described. This migration happens only when the user logs in.
  In the documentation it is stated that there is an attribute called "mepabmigration". This attribute is essential for dynamic migration. But I couldn't figure out how to get this attribute, as it is not predefined nor there is a description on it anywhere.
  Any idea about this? especially the mepabmigration attribute.
  Regards,

  "attribute" implies LDAP.
  http://docs.sun.com/app/docs/doc/819-2661/6n4uetjt7?q=mepabmigration&a=view
  This attribute is added automatically.... Nothing for you to do, here.

• Problem with revoking accounts on deprovisioned Date

  Hello,
  I am setting the De-provisioning date for a user manually from UI to the current date(tried with yesterday's date too). After I submit, I ran the "Set User Deprovisioned Date" Job. It has updated the user deprovisioned date field, but the user's accounts are still in "Provisioned" status.
  Is there any other job that needs to be executed after this to revoke the accounts? or "Set User Deprovisioned Date" Job will revokes the account also along with setting the deprovisioned date.(which somehow is no happening in my case.)
  Thanks
  sjit

  You haven't mentioned the version but for 11.1.1.5 you can get it here:
  http://docs.oracle.com/cd/E21764_01/doc.1111/e14308/scheduler.htm#BABECJFD
  Also the jar would be OIMServer.jar or xlScheduler.jar
  -Bikash

• Where it PAB gets stored? How to access it?

  Hi All
  Through web accesss of sunone mail I can able to create the contacts and groups. But my question is where they get stored and how to access it. They can be accessed through ldap or not? If so what is the uri? Can we see the contacts in netscape console or not? If yes where? Could you post all sorts of information about PAB?

  There are several things that can cause problems. Please start with exact version of iMS you're running. Send the output from running
  imsimta version
  Did your PAB ever work? Has it changed in some way, such as changing the name of the server? Was this an upgrade from an earlier version? Did you attempt to load data manually? Have you customized your webmail interface?

• Deprovision View

  Hi I have form calling a sub process that checks out the user for deprovision and then attempts to gather all the resource accounts for a particular resource.
  For some reason when I make the call to get the resource accounts it is returning null. I have used this in other workflows. Any thoughts?
  Here is code.
  Check out User:
  <Activity id='3' name='Checkout deprovision View'>
  <!--<Variable name='view'/> may not be needed as the view is from the actuive -->
  <Action id='0' name='Checkout deprovision View' application='com.waveset.session.WorkflowServices'>
  <block name='incheckout view' trace='true'>
  <ref>accountId</ref>
  <ref>user</ref>
  <Argument name='op' value='checkoutView'/>
  <Argument name='type' value='Deprovision'/>
  <Argument name='id' value='$(accountId)'/>
  <Argument name='name' value='$(accountId)'/>
  <Return from='view' to='deprovisionView'/>
  </block>
  </Action>
  <Transition to='Set deprovision options PA'>
  <isnull>
  <ref>WF_ACTION_ERROR</ref>
  </isnull>
  </Transition>
  <Transition to='end'/>
  <WorkflowEditor x='205' y='-74'/>
  </Activity>
  Gather the resource accounts:
  <Activity id='4' name='Set deprovision options PA'>
  <Action id='0' name='Get the PA reosurce'>
  <expression>
  <block name='Set Deprovision options PA' trace='true'>
  <set name='resourceAccountPA'>
  <rule name='TPC_GetResourceAccountsOfAResource_Rule'>
  <argument name='resourceAccountsList'>
  <rule name='TRV_Rul_getHashMapKeysUtil'>
  <argument name='hashMapObject' value='$(deprovisionView.escapedNamesMap)'/>
  </rule>
  </argument>
  <argument name='resourceName' value='PA'/>
  </rule>
  </set>
  <set name='totalAccountPA'>
  <length><ref>resourceAccountPA</ref></length>
  </set>
  <set name='ctr'>
  <i>0</i>
  </set>
  </block>
  </expression>
  </Action>
  The above returns nothing.
  Here is my rule 'TRV_Rul_getHashMapKeysUtil':
  <?xml version='1.0' encoding='UTF-8'?>
  <!DOCTYPE Rule PUBLIC 'waveset.dtd' 'waveset.dtd'>
  <Rule id='#ID#Rule:TRV_Rul_getHashMapKeysUtil' name='TRV_Rul_getHashMapKeysUtil' primaryObjectClass='Rule'>
  <RuleArgument name='hashMapObject'/>
  <cond>
  <notnull>
  <ref>hashMapObject</ref>
  </notnull>
  <block>
  <defvar name='keysSet'>
  <invoke name='keySet'>
  <ref>hashMapObject</ref>
  </invoke>
  </defvar>
  <defvar name='keysList'>
  <new class='java.util.ArrayList'>
  <ref>keysSet</ref>
  </new>
  </defvar>
  <ref>keysList</ref>
  </block>
  <block>
  <list>
  <null/>
  </list>
  </block>
  </cond>
  <MemberObjectGroups>
  <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
  </MemberObjectGroups>
  <Properties>
  <Property name='editorOriginalName' value='TRV_Rul_getHashMapKeysUtil'/>
  </Properties>
  </Rule>
  seems like this is not returning anything to the rule: <argument name='hashMapObject' value='$(deprovisionView.escapedNamesMap)'/>
  Thanks!

  Hi,
  Please change the checkout code to;
  <Action id='-1' name='Checkout deprovision View' application='com.waveset.session.WorkflowServices'>
  <Argument name='op' value='checkoutView'/>
  <Argument name='type' value='Deprovision'/>
  <Argument name='id' value='$(accountId)'/>
  <Argument name='name' value='$(accountId)'/>
  <Return from='view' to='deprovisionView'/>
  </Action>
  Regards
  Arjun

• Procedure to fully backup a users email & manually deprovision a OCS user

  Procedure to BACKP/RESTORE email account (Note you need to create a dir on filesystem to store the backup)
  Backup a users email account
  Source the midtier env e.g. ORACLE_HOME , ORACLE_SID , PATH
  oesbkp task=backup type=all user=<email_address> admindn=cn=orcladmin password=<password>
  ldaphost=<hostname> ldapport=3090 backupdir= < path to backup dir >
  Restore a users email account
  Source the midtier env e.g. ORACLE_HOME , ORACLE_SID , PATH
  oesbkp task=restore type=all user=<email_address> admindn=cn=orcladmin password=<password>
  ldaphost=<hostname> ldapport=3090 backupdir= < path to backup dir >
  Procedure to Manually Deprovision A user in OCS
  In this example we will delete the user:
  email [email protected]
  userid 100009
  Step 1 : Delete the user in the GAL
  Source the 10g cal env e.g. ORACLE_HOME , ORACLE_SID , PATH
  Check for user in GAL
  uniuser -ls -n 1 | grep <user_name>
  Delete the user from the GAL
  uniuser -del "S=<last_name>/G=<first_name>*" -n 1
  e.g.
  uniuser -ls -n 1 | grep bruce.wayneEnter a password:
  + [email protected]/UID=100009/AUTOREFRESH=1/
  uniuser -del "S=wayne/G=bruce*" -n 1Enter a password:
  Delete "S=wayne/G=bruce/UID=100009/ID=5566/NODE-ID=1" and its agenda [y/n]: y
  uniuser: "S=wayne/G=bruce/UID=100009/ID=5566/NODE-ID=1" has been deleted
  Step 2: Delete the user in the OID e.g. ORACLE_HOME , ORACLE_SID , PATH
  Source the midtier env
  Check for user in OID (Note ensure you have the correct port in this example we user 3060)
  ldapsearch -h <hostname> -p 3060 -D "cn=orcladmin" -w <password> -s sub \
  -b "cn=Users,dc=...................." -v "cn=<userid>"
  Delete the user in OID
  Create a file called "user.ldif" of the format
  echo "cn=<userid>, cn=Users, dc=....................">user.ldif
  Execute the ldapdelete utility
  ldapdelete -h <hostname> -p 3060 -D "cn=orcladmin" -w <password> -v -f user.ldif
  deleting entry cn=<userid>, cn=Users, dc=............................................
  delete completed
  Step 3: Delete user from the mail store
  Source the midtier env e.g. ORACLE_HOME , ORACLE_SID , PATH
  Check for user in that database
  echo "select username from es_user where USERNAME like '%<username>%';" > user.sql
  sqlplus "es_mail/password"@<user.sql
  Create "mailstore_user.txt" of the format
  echo "mail=<email_address>">mailstore_user.txt
  Clean the mail store
  oesucr mailstore_user.txt -d -v
  oesucr mailstore_user.txt -clean_user_mailstore_data

  Hi Guys,
  Interesting question. I've me wondering how I can do something similar. But not so much for the email(coz we are not using Oracle Mail), but for the security setup of a user in OCS. eg. a user is granted access to many folders or objects, we want an easy way to deprovision everything. (if backing up is possible before the deprovisioning, even better - just in case a wrong delete was performed, it is recoverable).
  The other thing I'm interested is whether a branch in OCS can be backed-up and recovered easily (together with all it's meta-data and attributes) ?
  Regards
  Steve

• Email Notification while deprovision - OIM

  Hi,
  Is there any Out-of-box feature available in OIM for sending email to user's manager 7 days before user's deprovision date?.Thanks.

  You need to create your own scheduled task in Java.
  Extend this class: com.thortech.xl.scheduler.tasks.SchedulerBaseTask
  You need to override the execute() method which is the method that is run automatically when you trigger the task.
  To check if there are any users that will be deprovisioned within the next 7 days you need to call e.g findUsers in the Thor.API.Operations.tcUserOperationsIntf to get users with a deprovisioned date that is equal or less than the system time + 7 days.
  Then you can send an email for each of these users.
  Build a jar file with your code and place it under <OIM_HOME>/xellerate/JavaTasks and <OIM_HOME>/xellerate/ScheduleTask.
  You will need to configure the scheduled task through the Design Client's Xellerate Administration -> Task Scheduler. Point to your schedule task class in the class field including the full package name.

• Add a deprovisioning during an ongoing one

  Hi, all!
  Here's my problem. I have to deprovision one account when some other account is being deprovisioned. Using groups and roles is not an option. I am trying my luck in "Delete User" workflow. When it's called it is given the variable options which contains all the data about the accounts that need to go. I attempting to insert the values for the account that didn't come with the options variable. I have managed to create a ResourceInfo object and seem to be able to add it to options.targets, options.unlinkTargets and options.unassignTargets (trace='true' says so) but when I dump the options object using toXml nothing has changed and consequently the extra account is not deprovisioned. How should I go about this? Any clues? We are using Sun IdM 7.1.1.12.
  Here are some code snippets:
  Creating the ResourceInfo object:
  <setvar name='RIobject'>
  <new class='com.waveset.object.ResourceInfo'>
  <concat>
  <ref>resourceName</ref> --> theOtherResource
  <s>|</s> --> |
  <ref>accountId</ref> --> abc
  </concat>
  </new> abc@theOtherResource(accountGUID=null exists=false)
  </setvar>
  ... appending and having the trace confirm it
  <append>
  <ref>options.targets</ref> --> [cn=abc,ou=MS Users,ou=User Accounts,dc=foo,dc=bar,dc=net@Windows(accountGUID=null exists=false)]
  <ref>RIobject</ref> --> etc.
  </append> --> [cn=abc,ou=MS Users,ou=User Accounts,dc=foo,dc=bar,dc=net@Windows(accountGUID=null exists=false), abc@theOtherResource(accountGUID=null exists=false)]
  ... but on the next line the toXml says it's not there:
  <invoke name='toXml'>
  <ref>options</ref> --> com.waveset.object.GenericObject@520c37
  </invoke> --> <?xml version='1.0' encoding='UTF-8'?>
  <Attribute name='targets'>
  <List>
  <ResourceInfo accountId='cn=abc,ou=MS Users,ou=User Accounts,dc=foo,dc=bar,dc=net' tempId='633ffabc068bfbb9:cb741e:12c78a22380:-3d6'>
  <ObjectRef type='Resource' name='Windows'/>
  </ResourceInfo>
  </List>
  </Attribute>
  Tanks in advance.

  I found the problem: it's just me being tired. I used the wrong form of append. It should be the one that does not create a copy of the list ie. <append name='options.targets'>. This way it all works out.
  Good bye and thanks for all the fish.