Problem with Access policy Provisioning on AD

Hi,
I have created an access policy, which will trigger the provisioning of the user to AD when the user is added to group 'abc'.
It's without approval.
We have object form and process form. Process form is autosave.
But the problem is, as soon as the user is added to the group 'abc', it triggers the provisioning flow. But the provisioning will be in ready state only.
When we go and save the resource form only the provisioning flow triggers.
If we make the object as auto save, it will work. But in our case we cannot make the object autosave as it has a resource form to be filled by user in other flow.
Is there any approach to solve the issue?
Regards,
SK

Hi Rajiv,
So, there is no way we can implement this?
My requirement is same as this,
OIM: Question about "Auto Save" option on Resource Object
I have a Resource Object that needs to be provisioned at least two ways:
1) thru an access policy by group membership
2) thru user self-request, who is not already in that group membership
The problem is if I don't check the "Auto Save" check box the automatic assignment thru access policy is not completing, and if I do check the check box then user request is not letting the user enter values into the resource form. Instead it is directly going to submit request. Looks like these are mutually exclusive.
Is there a way to make both work on the same Resource Object?
Thanks
SK

Similar Messages

  • Problem with Access Policy

    Hi All!
    OIM 11g:
    1. I have installed DBUM 9.1.0.4
    2. I have configured IT Resource, and RO for granting user MS SQL User and database role (for example in HRData db)
    3. I have created Role named: "HRData DB User" and Access Policy named: "HR Data DB User" which grants correct RO.
    4. When role is granted by xelsysadm for specific oim user everything is OK.
    Problem:
    When a user requests the role "HRData DB User" from the Self-Service portal, and the request is approved by xelsysadm, the role is granted but the RO is not granted. I have the following error:
    <Nov 19, 2010 1:12:46 PM CET> <Error> <XELLERATE.SERVER> <BEA-000000> <Class/Method: tcDataObj/eventPreInsert Error :Insert permission is denied>
    <Nov 19, 2010 1:12:46 PM CET> <Error> <oracle.iam.accesspolicy.impl.handlers.provisioning> <IAM-4030308> <An error occurred in oracle.iam.accesspolicy.impl.handlers.provisioning.ProvisionAccountActionHandler while provisioning resource 161 to user 43 and the cause of error is DOBJ.INSERT_PERMISSION_DENIED: H: You do not have permission to insert this object..>
    <Nov 19, 2010 1:12:46 PM CET> <Warning> <oracle.iam.callbacks.common> <IAM-2030081> <[CALLBACKMSG] Inside completion plugin for request 68.>
    <Nov 19, 2010 1:12:46 PM CET> <Warning> <oracle.iam.callbacks.common> <IAM-2030082> <[CALLBACKMSG] Inside completion plugin for request 68, target tye is Role and operation is SELFASSIGNROLES.>
    <Nov 19, 2010 1:12:46 PM CET> <Warning> <oracle.iam.callbacks.common> <IAM-2030082> <[CALLBACKMSG] Inside completion plugin for request 68, target tye is RoleUser and operation is CREATE.>
    Any suggestions?
    best
    mp

  • Problem with Access Policies (create multiple resources)

    I'm having a problem with Access Policies:
    The first policy must create a resource.
    And the following policies should create children on the resource.
    The problem here is that when the policies add the children, the resource is not provisioned yet.
    And then each one will create a resource, but I just want one resource with the children.
    When the resource is already provisioned, the policies update this resource properly.
    How can I fix this?
    tks

    Ricardo,
    I had a similar problem. In a post-process handler I was managing the user membership in specific roles through the removeMemberUser and the addMemberUser of the tcGroupOperationsIntf class.
    The last parameter of this method was a boolean which, when true, would automatically trigger the access policies programmatically in the post-process.
    The problem is that there also is an OOTB event handler for triggering access policies, so I was basically triggering the access policies twice and duplicated resources were appearing.
    Hope this helps.
    Cheers

  • Disable AD account with access policy

    Hi all,
    how can I disable AD account with access policy (or create AD account in disabled state)
    Regards,
    Vladimir

    Dewan.Rajiv wrote:
    Access Policies are just for triggering provisioning. You can customize the AD connector or write your own to create the user in disabled state using JNDI.

    Hi Dewan,
    I have to create a simple demo system, and I need a solution which is not too weird (that means use as little of disparate technologies as possible).
    I have two connected systems:
    1. HR system, which is a trusted source for user and organizational data.
    2. AD system, which is my provision destination.
    I want to comply with the following requirements:
    1. When a user is created in HR system, a new OIM account shall be created, and a new AD account shall or shall not (depending on HR data) be created in AD in disabled state
    2. When a user is marked as dismissed in HR system, the AD account if exists, shall be disabled and moved to some special place in AD tree.
    3. Same rules shall apply if the OIM account is created or marked as "Dismissed" manually by OIM administrator.
    I use OIM reconciliation to get source data and it is no problem for me to create any reconciliation event I need.
    I was considering creating Group->Access Policy->Resource chains, but Access Policy allows only to manage AD attributes, not account enable status.
    Or should I add some unmapped pseudo-attribute to AD connector and a task which will enable/disable AD account based on the value of this attribute?
    What other options do I have?
    Regards,
    Vladimir

  • Problem with access to SMTP, IMAP, POP3 protocols in CAS 2013.

    Hi,
    we have a problem with access through SMTP, IMAP, POP3 protocols in CAS 2013.
    If I test connection to SMTP 25 port from other computer, the session ends quickly.
    Test from CAS2013 to localhost or public IP is OK (similar also for IMAP and POP3).
    Receive connectors are with default settings, firewall is disabled.
    Service Microsoft Frontend Transport Services restarted, but no success.
    Certificate is assigned to IMAP, POP3, SMTP, IIS.
    IIS and HTTP(s) protocols are OK. Clients can connect only through web, mobile (ActiveSync), or with Outlook with proxy.
    Do you have some tip, what to test?
    If I create new testing receive connector on port 26 for anonymous, behaviour is same, quick disconnecting.
    Thanks, Mirek

    Hi,
    Please try to use the following link to test your SMTP/POP/IMAP e-mail, and check whether the test is successful:
    https://testconnectivity.microsoft.com/
    If unsuccessful, please check the test result, it will tell us what caused the problem.
    Thanks.
    Niko Cheng
    TechNet Community Support

  • Problem with access to SipFactory from jsp-pages in JBoss environment

    Hello!
    I have an installation of the OCMS 10.1.3.3. deployed into a JBoss (jboss-4.0.5.GA) environment. Unfortunately I have a problem with accessing the SipFactory from a jsp-page. Encouraged by the "messagesender" example I tried to get an instance of SipFactory from my jsp-page simply by calling:
    SipFactory sipFactory = (SipFactory) application.getAttribute(SipServlet.SIP_FACTORY);
    But unfortunately there seems to be no attribute "SipServlet.SIP_FACTORY" and I only get a null pointer. I have also tried running that code in the original messagesender example but it didn't work either. So I wonder if this should definitely work in a JBoss environment or if this might be a known problem. Is there anything that I could check/do regarding this problem? I suppose there must be an Oracle module which should take care of making the SipFactory available after it is deployed. Perhaps something went wrong during the deployment?!
    Best regards,
    Tim

    Hi
    On JBoss, OCMS does not support converged applications.
    I.e., the SipFactory can be retrieved from the servlet context when running on OC4J.
    Instead the SipFactory can be found in JNDI as described in the Developer's Guide:
    "External Access to SIP Servlets
    To enable convergent applications between SIP and HTTP, the OCMS Container allows you to get access to the javax.servlet.sip.SipFactory by looking it up through JNDI. The SIP Factory will be registered under the same name as the display name of your SIP servlet as illustrated in Example 2–12. The <display-name> in the sip.xml in this case must be "My sip app".
    Example 2–12 Accessing the Data for a SIP Session through JNDI
    InitialContext ic = new InitialContext();
    SipFactory sipFactory = (SipFactory)ic.lookup("sip/My sip app");"
    Cheers
    Lucas Persson

  • I have problem with Access Connections on L412 after that utility upgrade

    I have a problem with Access Connections on L412 after that utility upgrade in early August. Windows 7 Ultimate/x64.
    It stops connecting to WPA2 Enterprise (AES-CCMP), Microsoft PEAP, no server cert, with any credentials I try to use. The same account(s) works with native Intel manager on other notebooks and on mobile devices. I lost the wireless connectivity to enterprise WiFi network.
    And, after deinstallation of Access Connections, the inability to connect remained with native Win7 WiFi management.
    I think something was broken in Access Connections 5.83 Build 83C753WW and some registry settings/DLL modules were altered but not returned to normal after deinstall.

    Access Connections is definitely broken for WPA encryption.  Both versions 5.02 and 5.84 fail for me.  If I use the Windows XP wireless configuration instead of Access Connections, everything works.
    Does anyone know how to report this to Lenovo?  I chased links around the web site but couldn't find a place.

  • Why do i have a problem with accessing images in adobe muse

    Why do I have a problem with accessing images in Adobe Muse ??????!!!!!
    I need heeeeeelp ASAP
    pleeeeease

    I am at the beginning stages of constructing the web so I do not have a URL yet. The problem is I cannot insert any image in any way. Whether by fill a browser or by place image, I have the same issue. All the images, in all image formats, are unable to be selected and it is turned off.
    I really need help plz
    Is there any info I can supply that would help you figuring out the problem ??

  • Can Play iTunes Library from PC on MacBook Air but cannot import, problem with access rights?

    I can play iTunes library from Windows Vista PC on my MacBook Air using homeshare but cannot import the library. Error message is problem with access rights. Latest OS and iTunes installed. Both computers registered with Apple on same Apple ID. Wifi router turned on and off. Still does not allow importing. Any suggestions please?

    Might be an alternative for you here > iTunes: How to move your music to a new computer

  • Just wondering if anyone has a problem with accessing iTunes store. have iTunes installed but can't bring up the store home page?

    Just wondering if anyone has a problem with accessing iTunes store. have iTunes installed but can't bring up the store home page?

    I have the same problem! Safari won't work either. Can anyone help please? I have completely restored my computer trying to fix this and it still won't work! I have a 2 month old Alienware laptop running Windows 7

  • Problem with Access policy based Provisioning using DBConnector in OIM 11g R2

    Hi,
    I am doing Access policy based Provisioning using DB Connector 9.1.0.5.0 in OIM 11g R2.
    It is throwing "ITResource Instance with key 0 does not exist", but there is no option to select the IT resource in the Process form via the Access policy.
    In the Application instance form there is a form in which the IT resource field is available with default value 0. I am trying to update this value but it is not updating. At the time of triggering the access policy I am getting the following error.
    [XELLERATE.SERVER] [tid: [ACTIVE].ExecuteThread: '8' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 0000JdMSEGQApIGqywYfMG1GU6ud000002,0] [APP: oim#11.1.2.0.0] Class/Method: APIUtils/createApplicationInstance encounter some problems: ITResource Instance with key 0 does not exist.[[
    oracle.iam.provisioning.exception.ITResourceNotFoundException: ITResource Instance with key 0 does not exist.
         at oracle.iam.provisioning.util.ApplicationInstanceUtil.validateITResource(ApplicationInstanceUtil.java:119)
         at oracle.iam.provisioning.impl.ApplicationInstanceServiceImpl.addApplicationInstance(ApplicationInstanceServiceImpl.java:70)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
         at oracle.iam.platform.utils.DMSMethodInterceptor.invoke(DMSMethodInterceptor.java:25)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
         at $Proxy455.addApplicationInstance(Unknown Source)
         at oracle.iam.provisioning.api.ApplicationInstanceServiceEJB.addApplicationInstancex(Unknown Source)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
         at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
         at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at com.oracle.pitchfork.spi.MethodInvocationVisitorImpl.visit(MethodInvocationVisitorImpl.java:34)
         at weblogic.ejb.container.injection.EnvironmentInterceptorCallbackImpl.callback(EnvironmentInterceptorCallbackImpl.java:54)
         at com.oracle.pitchfork.spi.EnvironmentInterceptor.invoke(EnvironmentInterceptor.java:42)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
         at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    It's an urgent requirement.
    Thanks,

    You can revisit the access policy. It will have the Process form where you can provide the access policy and save it. The access policy is already created, so you can modify the access policy, open the process form, select the IT Resource and save it.
    Another way is to write a pre-pop adapter for populating the IT Resource on the process form. But I am sure you can provide the IT resource via the access policy.
    ---nayan

  • Provisioning with Access Policy

    Hi All
    I have made one Access policy for Full-Time employees.
    I want that if admin creates a user who is a Full-Time employee, it should automatically get provisioned with AD.
    I have made that Access Policy. But if admin creates one user who is a Full-Time Employee then the provisioning status goes into "READY" state.
    It gets stuck in the Resource form.
    And in my resource form there is only one lookup field, and I have already put a value in that lookup.
    Could anyone please tell me the solution for this?
    Thanks a lot!

    Hi
    I made the access policy without approval.
    That extra field, i.e. AD SERVER, I have already filled with ADITResource.
    Actually I have made one resource form; I'm giving the value of AD Server from there and it is prepopulated in the process form.
    But when the user goes for provisioning, it gets stuck in the Resource form, not in the Process form. It shows status Ready.
    Is it possible to remove that Resource form from the access policy? I think it may remove my problem.
    But I don't know how to remove the resource form from the Access Policy region.
    Please suggest.
    Thanks for these replies.

  • Access Policy provisioning resources multiple times...

    Hi All
    I have AD User and Exchange provisioning using an Access Policy upon trusted reconciliation. Suddenly, after creating a user through trusted recon, it started provisioning AD user multiple times. This behavior is inconsistent.
    I have checked all the roles, rules and access policies.
    However, if I create the user manually, it works fine and as expected i.e it provisions only one resource.
    Please let me know if someone has observed this weird behavior.
    Regards
    user12841694

    I'm having the same problem:
    The first policy must create a resource.
    And the following policies should create children on the resource.
    The problem here is that when the policies add the children, the resource is not provisioned yet.
    And then each one will create a resource.
    When the resource is already provisioned, the policies update this resource.
    How can I fix this?
    tks

  • Role getting revoked with Access Policy

    Hi,
    I have an Access Policy which will provision to a Resource Object with only one special role. Whenever a user belongs to the group according to a rule called USR_UDF_GLOBALSTATUS == Active, the user is automatically getting provisioned to the Resource Object with that Role as per the access policy. In this access policy, the "Revoke if no longer applies" option is disabled for that Resource Object.
    Whenever for that user, USR_UDF_GLOBALSTATUS == Active is changed as USR_UDF_GLOBALSTATUS == InActive from reconciliation, the user is removed from that Group. Till here everything is fine. But the Special Role assigned to that user is also getting revoked. I haven't enabled "Revoke if no longer applies" option. But how come the role is getting revoked?
    According to my requirement, that special role should still stay even if the user is removed from the group. Please help...
    - Pavan

    Enable all logging. Check and see if the user was a member of more groups than just the one. There might be more than one access policy for the user, one that gives the resource with a base set of values for the parent form, and then another access policy that has a lower priority that provides the role. Also look at the Xellerate User object and check for any tasks that might be triggered on this change in value as well as other values. Your best bet is to look at the user and all their groups and resources. Then perform your change, and look on their resource profiles both in targets, and on the xellerate user object, and see what all tasks were inserted.
    -Kevin

  • Connector problem with access enforcer

    Hi Guys,
    I am facing a really strange problem with my connectors.
    We have a test installation of GRC which was down for about 3 months.
    During this time we migrated our central SLD to another system so I needed to change the connection after getting the system up again.
    Anyhow I still can't modify, test or even create a new connector for access enforcer.
    The only error I get is "Action failed".
    I tried to analyze the logs but found no help there too.
    2007-06-18 20:41:56,833 [SAPEngine_Application_Thread[impl:3]_4] ERROR java.lang.NullPointerException
    java.lang.NullPointerException
         at com.virsa.ae.dao.sqlj.SAPConnectorDAO.iterToDTO(SAPConnectorDAO.sqlj:75)
         at com.virsa.ae.dao.sqlj.SAPConnectorDAO.findByConnectorName(SAPConnectorDAO.sqlj:15)
         at com.virsa.ae.configuration.bo.ConnectorsBO.findSAPConnectorDetails(ConnectorsBO.java:76)
         at com.virsa.ae.configuration.actions.ManageConnectorsAction.testConnection(ManageConnectorsAction.java:163)
         at com.virsa.ae.configuration.actions.ManageConnectorsAction.execute(ManageConnectorsAction.java:66)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:229)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:412)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java(Compiled Code))
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java(Compiled Code))
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java(Compiled Code))
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java(Compiled Code))
         at java.security.AccessController.doPrivileged1(Native Method)
         at java.security.AccessController.doPrivileged(AccessController.java(Compiled Code))
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java(Compiled Code))
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java(Compiled Code))
    Did anybody here face a problem like that?
    Kind regards,
    Bastian

    I had a similar problem with CC and I had to contact SAP. They gave me a script to run against the database that removes the connector. The problem seemed somewhat common for CC 5.1. Not sure if this applies to AE.
