Password Synchronization from OIM to target systems

Hi All,
Is there any OOTB functionality in OIM 9.1.0.1 for password synchronization?
I have a user with multiple IT resources provisioned into his account. Now whenever the user changes his password in OIM, I want that to be updated on the particular target system which the user selects. For example, if a user has 5 IT resources configured, whenever he changes his password it has to be updated on only 3 IT resources and not all.
As per my understanding, each IT resource configured will have some process task for updating the password on the target system (Password Update in the case of the iPlanet resource), which will be triggered if an entry for this is present in USR_TRIGGERS. If I use this kind of approach it will update on all IT resources.
How can I make this dynamic so that the changes are done only to a list of specific IT resources selected by the user?
Thanks & Regards,
Mahantesh

There is no OOTB functionality for the end user to decide which resources get their password changed and when. The OOTB functionality lets you use the Lookup.USR_PROCESS_TRIGGER to define which USR table fields have triggers configured for modification. Then you can create the task associated with the field in any provisioning process definition to insert that task when the field changes.
If you want the user to be able to pick and choose which fields get propagated to which targets, it becomes custom coding.
Offhand, to be able to decide which passwords get propagated to which targets, I might suggest some way for the end user to set the targets beforehand, because when a user changes their password, it's only the password that is being changed. You are going to need a field somewhere that says "yes this resource will propagate the password". You have 2 locations I can think of to do this: on the USR form as a UDF, or a field on the user's resource profile. Next you need a way to fill in these values. If it's on the USR form, you could put these on the user's self modification page to be able to check and uncheck these per resource. Or you can create a self requestable resource, or organization type requestable that has the list of targets, and the user can choose which ones they want to propagate the password to. You cannot have a dynamic list of targets though on the resource form. It has to be a set defined list. You could however create a child table with a list of all available objects and have them just add them in. Once the selection is done, you will either have these checked, or the provisioning side will update the values.
Now, when the password is changed, and you have your "Change User Password" task running, your adapter will have an input that maps to the UDF field to check if it should pass the new password to the Password Field on the form to trigger the Password Updated task, or return the existing password.
Or you create a custom page that lets you do whatever you want :)
-Kevin
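
The adapter decision described in the reply above, as an added example that is not part of the original thread and not Oracle's code: plain Java with no OIM API calls, assuming a hypothetical USR UDF that stores a comma-separated list of the resources the user opted in to. The class, method and resource names are assumptions, and the sample values in `main` are constructed.

```java
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Added example (hypothetical names throughout, no OIM API calls): the
 * decision an adapter attached to the "Change User Password" task could make
 * before writing to a resource's process form.
 */
public final class PasswordPropagationGate {

    private PasswordPropagationGate() { }

    /** Turns an opt-in value such as "iPlanet User, AD User" into a normalized set. */
    static Set<String> parseOptIn(String udfValue) {
        Set<String> selected = new HashSet<String>();
        if (udfValue == null) {
            return selected; // nothing stored: propagate to no target
        }
        for (String name : udfValue.split(",")) {
            String trimmed = name.trim().toLowerCase(Locale.ROOT);
            if (!trimmed.isEmpty()) {
                selected.add(trimmed);
            }
        }
        return selected;
    }

    /**
     * Returns the value to write to the resource's process form password field.
     * Opted-in resource: the new password, so the form value changes.
     * Any other resource: the current form value, so nothing changes there.
     */
    public static String resolvePassword(String optInUdf, String resourceName,
                                         String newPassword, String currentFormPassword) {
        if (resourceName == null || newPassword == null || newPassword.isEmpty()) {
            return currentFormPassword; // never blank out a target password
        }
        String key = resourceName.trim().toLowerCase(Locale.ROOT);
        return parseOptIn(optInUdf).contains(key) ? newPassword : currentFormPassword;
    }

    public static void main(String[] args) {
        // Constructed sample data: the user opted in to 3 of 5 resources.
        String optIn = "iPlanet User, AD User ,Database User Login";
        String[] resources = {"iPlanet User", "AD User", "Database User Login",
                              "GroupWise User", "Exchange User"};
        String newPwd = "N3w-constructed-value";
        String oldPwd = "0ld-constructed-value";
        for (String r : resources) {
            String result = resolvePassword(optIn, r, newPwd, oldPwd);
            // Report only the decision; the password itself is never printed.
            System.out.println(r + " -> " + (newPwd.equals(result) ? "propagate" : "skip"));
        }
    }
}
```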

Similar Messages

  • How to implement approval on password reset from OIM 9.1

    I have a requirement where I need to implement Manager Approval on every user password reset from OIM 9.1.02.
    Please help me out with your suggestions.
    Thanks,
    Kanav

    The thread was helpful, Rajiv, but I am still having some issues with the approach to follow:
    As per the thread we cannot use the Entity Adapter because:
    If you are thinking of using Entity Adapter on User form then it is not possible because whenever you change any value on User form, that will be updated in USR table without any Approval.
    So, if we go with the below approach:
    *Event Handler Way:*
    Create Event Handler.
    You'll get OLD and NEW Values of that field.
    Capture those values and raise request for this Dummy RO with your code
    And use Error Handler to show Custom Message to Administrator that "Request Has Been Initiated for User Profile Modification".
    but I am having the below doubts:
    1. If we are not having the Entity Adapter then where will we do the mapping of fields that have been taken in the adapter?
    2. And how can I get the old value of the field?

  • Not been able to export data from FDQM to target system

    Hi,
    I have not been able to export data from FDQM to my target system, which is Hyperion Enterprise 6.4.
    I have imported and validated the mapping, but as soon as I click on export, after creation of the export file, the system throws the error "*Error: Arguments are of the wrong type, are out of acceptable range, or are in conflict with one another*". I am also pasting the error log below.
    ** Begin Enterprise Adapter Runtime Error Log Entry [2009-08-20-16:10:27] **
    ERROR:
    Code.............. 10230
    Description....... Data Load Errors.
    Enterprise API Return Code: ALREADY_LOCKED_RO-.
    Procedure......... clsHPDataManipulation.fDBLoad
    Component......... upsHE6xG4A
    Version........... 100
    Thread............ 6028
    IDENTIFICATION:
    User.............. administrator
    Computer Name..... HYPERION
    ENTERPRISE CONNECTION:
    App Name.......... GCIP_S
    Connect Status.... Connection Open
    GLOBALS:
    Zero-For-No....... True
    INI File Path..... C:\WINDOWS\HypEnt.ini
    NameCat.txt Path.. C:\Hyperion\FDM\GCIP\Outbox\Logs\NameCat.txt
    NameCat Entity....
    NameCat Category..
    NameCat Exists.... False
    Any suggestions, anyone? What should I do?

    Hello,
    Is it possible that the entity that you are loading to in Enterprise is locked? It appears that it may be per the below error. You can only load to unlocked intersections, so I would start by checking the category and entity combination for being locked.
    Regards
    JF

  • Change data capture from DRM to Target system

    Hi All,
    I have a situation where the client wants Hyperion DRM to be the single source of truth and to pass hierarchy information from DRM to subscribing target systems. There are 3 target systems and the database is MS SQL Server.
    Now in the export profile, I am using database export, where I have mapped the DRM node/properties to the target table's columns. For the initial load it is a new record in the database and the data flows as it is a 1:1 mapping. However, if a few of the property values change and I want to update only the corresponding columns, what will the architecture be for pushing the changed data into the target?
    Can we achieve this without having any staging tables to capture the changed data?
    Do I need to use ODI?
    Does DRM have any workaround without putting in extra effort hours by building CDC tables?
    I will really appreciate your suggestions and comments on this.

    Thanks for the quick reply. However, I was trying to resolve the change data capture in the hierarchy through "Database Table", but it seems that when we choose the DEVICE option as database in the target tab of the export, it can only export or insert new records into the tables but cannot update an existing record.
    Please correct me if my understanding is wrong.

  • Password reset on all target systems + how to find mskeyvalue from store?

    Hi All
    As per the below link for password reset
    http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/00d69428-cc00-2c10-9ca5-b4f607bbbddf&overridelayout=true , I am able to reset the password of the user id in the UME of the IDM AS Java server. However, this document does not explain how the password reset functionality will change the password on all connected target systems. For example, when I reset the password from the IDM interface, the password of all my user ids in other target systems like ERP, Portal, Exchange, AD etc. should change. But this information is not available in this document. Please advise how we can configure these steps.
    Also, how can we find the mskeyvalue of a user in the identity store exactly? If we need to run a SQL query, can you please give the exact SQL query to use?
    Thank you.

    Hi Sahad,
    just for your question about the sql statement:
    select attrname, aValue from mxiv_sentries where attrname = 'MSKEYVALUE' and aValue like '%<Search string>%' and IS_ID = <number of your IS_ID>.
    This statement should display only one User if you have changed the placeholders.
    I'm not sure, whether this helps or not. If not, please give me some more details.
    Kind regards,
    Achim Heinekamp

  • Pwd Synchronization from AD to OIM to target user database

    Windows account has been created in OIM from AD and those accounts have also been provisioned from OIM to multiple Oracle databases.
    When changing the pwd of the Windows account, I expect the pwd of the Oracle account will also be changed in the databases that the account has been provisioned to. But, it only changes the pwd of the OIM account, not the pwd in the target user databases.
    The 'Change User Pwd' task has been added in the 'Database User Login' process. But it still doesn't work. Any idea of what goes wrong?
    thanks

    task name must be: Change User Password

  • OIM AD reverse password sync from one AD instance to multiple OIM instances

    Hi All,
    I have the following scenario. My client has multiple offices across the globe. They have OIM installed and configured in each location in each country to manage their local applications. The client also has a Global LDAP which is common across all the offices worldwide.
    My requirement is that I need to set up reverse password sync from the Global LDAP to all the OIM systems across the globe. As per the reverse password sync connector, I can only define one OIM system to sync the password.
    Can you please suggest some way to achieve this functionality? Is it possible to install more than one password sync connector and configure them with different OIM systems?
    Thanks
    Yogesh

    I have one AD instance and n OIM instances. Can I install multiple AD-OIM password sync components on the same AD machine and configure each component with various OIMs?

  • AD-OIM password synchronization connector error

    Hi,
    I have installed the AD password synchronization connector 9.1.1. to Windows 2003 SP2 server successfully. When I reset the users password I can see from the 20091217OIMMain.log file the following errors:
    Debug [12/17/2009 2:08:31 PM] The SOAP start element is
    Debug [12/17/2009 2:08:31 PM] <SPMLv2Document xmlns="http://xmlns.oracle.com/OIM/provisioning">
    Debug [12/17/2009 2:08:31 PM] The SOAP end element is
    Debug [12/17/2009 2:08:31 PM] </SPMLv2Document>
    Debug [12/17/2009 2:08:31 PM] The path is
    Debug [12/17/2009 2:08:31 PM] /spmlws/HttpSoap11
    Debug [12/17/2009 2:08:31 PM] End of sgsloidi::setParameters
    Debug [12/17/2009 2:08:31 PM] <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Header/><env:Body><env:Fault xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><faultcode xmlns="">env:Server</faultcode><faultstring xmlns="">Internal Server Error</faultstring><faultactor xmlns=""></faultactor></env:Fault></env:Body></env:Envelope>
    Debug [12/17/2009 2:08:31 PM] Inside sgsloidiOIMGeneralErrorHandler
    Debug [12/17/2009 2:08:31 PM] Unable to update USR_NAME. There are error messages in the searchReponse. Please check log for details
    Debug [12/17/2009 2:08:32 PM] Password updation failed in child process
    Where is this searchResponse log file? I tried to look at all the Windows log files which were updated after my password reset, but none of them has any errors which make sense or where the time would match. Also in 20091216043_PasswordChange.log everything seems to go okay.
    SPML web service is deployed and up and I can hit that URL from my machine. I don't get any printouts to the OIM log file.
    Any ideas...? Thanks a bunch!
    -J-

    1. Check your ports, make sure they are open.
    2. For password sync you'll need to have SSL certificates configured so AD, OIM and the connector can talk securely. Make sure the proper keystore is used and certificate is present on all 3 (the connector includes the guide to install them)
    With the above I got my connector working to this point. Hope that helps.
    - JP

  • Want a solution for a scenario-To Set Password expiration in OID from OIM

    Hi,
    I have one scenario. Please guide me in some details to achieve this.
    I have one password policy in OIM. When user's password expires in OIM, then his password should also expire in OID. We have OID as user's repository.
    For this I have one solution but don't know how to implement this in OIM.
    "OID has the LDAP attribute called “pwdMaxAge” map this attribute to the OIM resource object and reset this value to number of days (as per password policy) whenever you change the password in OIM. This will set the password expiration time in the OID without having the password policy in place. "
    Please suggest.
    Thanks in advance.

    Well here is what you can do:
    - For OIM the user's password will be governed with the Xellerate User password policy, which says that password must be changed every 28 days. So you are good in handling this in OIM.
    Now for the OID side, you have two options - *1. User changes OID password directly* and *2. User changes OID password through update in OIM profile password*. Most probably you would want the second case. If true then here is what you can do.
    - As user changes the OIM password. Create automatic trigger Change User Password which updates the password in the process form of OID.
    - This invokes the Password Updated task.
    - On SUCCESS of this task, call another task which goes to OID target and updates the attribute pwdMaxAge to Current date + 28
    Thanks
    Sunny

  • Exporting and Importing Portal users from Source system to Target system

    Hi All,
    I have exported all portal users from the source portal into the file Users.txt. Do I need to convert this file into some other format so that I can import these users into the target portal?
    Any links or documents?
    Regards,
    Murali

    Hi,
    If you look into User.txt,
    I have the role also. I deleted the role in User.txt and uploaded the file with the rest of the other data including the group, and it is able to create users.
    So in a nutshell, let's say
    1. UID-Murali
       Role- Manager
      Group- HRGroup
    The user exists in DEV and I want to transfer the data to PRD.
    Role: Manager should exist in PRD, and the group is not mandatory (optional),
    but the link http://help.sap.com/saphelp_nw70/helpdata/EN/ae/7cdf3dffadd95ee10000000a114084/frameset.htm
    says that while uploading users the role is optional and it throws a warning, but I got an error.
    I am a bit confused.
    Now let's say there are 10 users, 10 roles and 2 groups in the source system. If I want to export all users, roles and groups to the target system, what sequence do I have to follow without getting any error or warning? Is there any restriction on the number of users, roles and groups? I know the file size should be less than 1MB.
    Points are on the way.
    Regards,
    Murali

  • Reset password in Novell GroupWise from OIM

    Hi, I am encountering the following problem:
    1. We have set up provisioning in Novell eDirectory and Novell GroupWise.
    2. The accounts are provisioned successfully.
    3. When we change the password from OIM, the change is reflected in eDirectory, but not in GroupWise.
    Also. in the User Detail >> Resource Profile >> Resource Provisioning Details for GroupWise , the Change User Password Task is 'Completed' and the following information can be seen in the log:
    INFO RMI TCP Connection(48)-192.168.3.57 XL_INTG.GROUPWISE - NWDSLogin was successful
    DEBUG RMI TCP Connection(48)-192.168.3.57 XL_INTG.GROUPWISE - ~~~~~~~~~~Exiting ndsconnect:connectToNDS(0)~~~~~~~~~~
    DEBUG RMI TCP Connection(48)-192.168.3.57 XL_INTG.GROUPWISE - ~~~~~~~~~~Exiting main:jproxyConnectToNDS(0)~~~~~~~~~~
    DEBUG RMI TCP Connection(48)-192.168.3.57 XL_INTG.GROUPWISE - ----------Entering resetUserPassword()----------
    DEBUG RMI TCP Connection(48)-192.168.3.57 XL_INTG.GROUPWISE - Params rcvd: pDomainPath=( cn=ase-do.o=ase )
    DEBUG RMI TCP Connection(48)-192.168.3.57 XL_INTG.GROUPWISE - Params rcvd: pEDirTree=( ase-tree )
    DEBUG RMI TCP Connection(48)-192.168.3.57 XL_INTG.GROUPWISE - Params rcvd: bstrUserID=( TESTUSER07 )
    DEBUG RMI TCP Connection(48)-192.168.3.57 XL_INTG.GROUPWISE - Params rcvd: varPostOfficeDN=( cn=ASE-PO.o=ASE )
    DEBUG RMI TCP Connection(48)-192.168.3.57 XL_INTG.GROUPWISE - Params rcvd: varPasswordFlag=( 1 )
    DEBUG RMI TCP Connection(48)-192.168.3.57 XL_INTG.GROUPWISE - ----------Entering initGroupWise()----------
    DEBUG RMI TCP Connection(48)-192.168.3.57 XL_INTG.GROUPWISE - Params rcvd: pDomainPathToConnect=( cn=ase-do.o=ase )
    DEBUG RMI TCP Connection(48)-192.168.3.57 XL_INTG.GROUPWISE - Params rcvd: pEDirectoryTree=( ase-tree )
    INFO RMI TCP Connection(48)-192.168.3.57 XL_INTG.GROUPWISE - Connected by connectByDN() method( cn=ase-do.o=ase )
    INFO RMI TCP Connection(48)-192.168.3.57 XL_INTG.GROUPWISE - connected to groupwise sytem of name= ASE-MAIL
    DEBUG RMI TCP Connection(48)-192.168.3.57 XL_INTG.GROUPWISE - ~~~~~~~~~~Exiting initGroupWise(0)~~~~~~~~~~
    DEBUG RMI TCP Connection(48)-192.168.3.57 XL_INTG.GROUPWISE - IsUserNameUnique returned ( 0 )
    INFO RMI TCP Connection(48)-192.168.3.57 XL_INTG.GROUPWISE - User Reset Password update success (Ret code: 1 )
    INFO RMI TCP Connection(48)-192.168.3.57 XL_INTG.GROUPWISE - User Reset Password commit success (Ret code: 0 )
    DEBUG RMI TCP Connection(48)-192.168.3.57 XL_INTG.GROUPWISE - ----------Entering exitGroupWise()----------
    DEBUG RMI TCP Connection(48)-192.168.3.57 XL_INTG.GROUPWISE - ~~~~~~~~~~Exiting exitGroupWise(0)~~~~~~~~~~
    DEBUG RMI TCP Connection(48)-192.168.3.57 XL_INTG.GROUPWISE - ~~~~~~~~~~Exiting resetUserPassword(0)~~~~~~~~~~
    DEBUG RMI TCP Connection(48)-192.168.3.57 XL_INTG.GROUPWISE - ----------Entering ndsconnect:disconnectFromNDS()----------
    DEBUG RMI TCP Connection(48)-192.168.3.57 XL_INTG.GROUPWISE - ~~~~~~~~~~Exiting ndsconnect:disconnectFromNDS(-1)~~~~~~~~~~
    DEBUG RMI TCP Connection(48)-192.168.3.57 XL_INTG.GROUPWISE - ~~~~~~~~~~Exiting main:Java_tcUtilGroupWise65RemoteLib_resetUserPassword(0)~~~~~~~~~~
    DEBUG RMI TCP Connection(48)-192.168.3.57 XL_INTG.GROUPWISE - ----------Entering gwerrorcodes:getErrorString()----------
    INFO RMI TCP Connection(48)-192.168.3.57 XL_INTG.GROUPWISE - returning response code=( GW_PASSWORD_RESET_SUCCESSFUL )
    DEBUG RMI TCP Connection(48)-192.168.3.57 XL_INTG.GROUPWISE - ~~~~~~~~~~Exiting gwerrorcodes:getErrorString()~~~~~~~~~~
    DEBUG RMI TCP Connection(48)-192.168.3.57 XL_INTG.GROUPWISE - =~=~=~=~=~=~=Exiting tcUtilGroupWiseOperations:gwResetUserPassword(0,GW_PASSWORD_RESET_SUCCESSFUL) =~=~=~=~=~=~=
    DEBUG RMI TCP Connection(48)-192.168.3.57 XELLERATE.REMOTEMANAGER - o : GW_PASSWORD_RESET_SUCCESSFUL
    DEBUG RMI TCP Connection(48)-192.168.3.57 XELLERATE.REMOTEMANAGER - Class/Method: RemoteManager/invokeInstanceMethod left.

    Provide the OIM links for registration and forgot password.
    If your OAM has a user store(LDAP) where OIM is provisioning, your changes will be reflected in OAM
    Hope this helps,
    Sagar

  • CHARM error - No Target system for Normal transport generated from another client

    Hi Gurus,
    This is regarding normal change. We have two clients in development. (Workbench and Customizing)
    We were trying to do Automatic import from development client to Quality. When importing the job, I’m getting an error related to Project Status switch. "you cannot import any request for the project at the moment" It works fine for another development client and we can see the target system in Project status switch.
    But, checking the Project Status switch, looks like there’s no Target System defined for Normal transport generated from another client of development.
    I attached some screenshots related to this.
    Can you please help how to add a target system for another client of development ?
    Regards,
    Salman

    yes, client 110 is present in the task list of the project. yes route is defined because it is working for urgent change

  • Email to be sent on delivery acknowledgement from target system

    Hi all,
    We are running on SRM 5.0 (standalone scenario). We are sending the local PO to the vendor system through XI (SRM > XI > Vendor system).
    My reqt is that when the PO is sent to the vendor system, a response/message is sent to XI that the PO has been delivered to the vendor (target) system. At this event (when the message of delivery is received in XI), I need to send an email to the shopping cart requester/creator in SRM stating that "PO has been sent to the vendor".
    Can anyone please suggest how this can be done? Is there any std provision in XI for sending an email at the time of successful delivery of the doc/data to the target system?
    I am not clear as to what the link between XI and the SRM system will be. Can we write a routine in XI to read the XML message to get the PO no and thereafter the SC details? If so, how (as we will be having only the XML message in XI, which will contain the PO no)?
    Any inputs/help will be appreciated and rewarded!
    BR,
    SRM Tech.

    Hi Suhail,
    Thanks for the prompt response.
    Actually I am new to XI so don't have much idea abt how the messaging happens in XI. I just know that whenever the doc is sent from XI to the target system, XI receives a response for successful delivery to the target system! So I wanted to know: if I have to code in XI (to incorporate the logic for sending the mail at runtime to the SC creator in SRM), how do I do that? Using ABAP as the language or any other languages like HTML, JavaScript etc. for XI? Also how do I connect from XI to SRM to fetch the reqd data from the SRM system?
    BR,
    SRM tech.

  • SAP Idocs -How to handle response from target system

    Hi,
    I am working on a scenario in which I will send Idocs asynchronously from SAP through a SOAP adapter to a webservice deployed on the target system.
    After the Idoc data is posted in the target system, the target system will send the acknowledgement for the receipt (basically a response message). How to handle this scenario?
    SAP Idoc (outbound asynchronous) ---> SAP XI 3.0 (SOAP adapter) ---> Target system (inbound synchronous)
    Do I need to go for BPM to handle this situation?
    Is there any alternative to BPM?
    If any of the forum members who have worked on a similar scenario could help me in finding a better solution, I will be thankful to them.
    Thanks,
    Leo

    Hi Udo,
    Thanks for the info. My scenario is like this.
    SAP R/3 Idoc -> SAP XI 3.0 <-> Webservice in the target system.
    The webservice in the target system will receive the Idoc as a request message and send a response message synchronously.
    Since the Idoc is sent asynchronously (I believe Idocs sent from SAP are always asynchronous), there is no proxy waiting in SAP R/3 to receive the response message from the target system.
    If I go for BPM for the above scenario, will the BPM steps look like the following?
    1) Receive Idoc from SAP.
    2) Send Idoc synchronously to webservice.
    3) Receive the response from the webservice synchronously.
    4) Post the response message to a proxy which can handle it further in SAP R/3.
    Please note that my knowledge in BPM is limited and correct me if I am wrong.
    Thanks in advance
    S.Banukumar

  • Tracking Idoc status in target system from XI

    Hi
    We have done the File to IDOC scenario successfully, i.e. HR data from a file has been mapped to the HR Idoc (HRMD_A06).
    Now when the Idoc is posted to R/3, SXMB_MONI shows successful status (Idoc posted successfully).
    But when we check in R/3 in the WE05 transaction, though the Idoc is present, it shows status 51/52 with message "Idoc could not be posted" / "IDOC not fully posted".
    In this case how can we track in XI whether the Idoc is properly posted in the target system (i.e. R/3)? Since XI only shows that the Idoc was successfully sent irrespective of the status in R/3.
    Please suggest, as we are new to XI.
    Regards,
    Shikha

    Hi
    Thanks for the guide.
    We are not sure of the steps to configure it in the R/3 system so that it sends the acknowledgement back to the XI system.
    When we tried to configure it as per the guide, for test purposes we executed the program RBDSTATE but it gave the message "No parties are interested in the selected data".
    Please guide us on this.
    Thanks
    Shikha
    Message was edited by: Shikha Jain
