Provisioning existing users through Access Policies in OIM
Hi
I need to evaluate access policies for existing users in OIM.
My understanding of "Set User Provisioned Date" is that this scheduler sets the provisioned date in the user profile, which in turn calls the entity adapter evaluatePolicies and should trigger the Access Policy. Correct me if I am wrong.
But for all existing users the Provisioned Date is already set through trusted recon. Will this scheduler (Set User Provisioned Date) replace it with a new date?
Sounds like a silly question, but I want to confirm before testing this in production :)
Thanks
Yep
Running this schedule task will not be sufficient. You'll have to select the RETROFIT check box while creating the Access Policy.
Similar Messages
-
Provision a RO several times with one user using Access Policies
Hello,
we need to provision several Unix machines, and for this purpose we use only one resource object (SSH User). Additionally, we created an access policy for every machine:
- Access Policy Unix Server 1
- Access Policy Unix Server 2
- Access Policy Unix Server N
We created the following group in OIM: SSH Group.
We set the policies in such a way that whenever a user is added to the SSH Group, the SSH User RO is provisioned to the user for every machine. We created several access policies because the parameters of the form are different for every machine.
The problem is that when a user is added to the SSH Group, the SSH User resource object is provisioned only once. It is provisioned by the access policy with the highest priority. We would like the SSH User RO to be provisioned by every access policy. That is, the user should have the SSH User RO provisioned N times after being added to the SSH Group.
Is there any way to achieve this without creating a resource object for every Unix machine? We need to provision more than 300 Unix machines and this would require a lot of time...
Thank you for your help
There are other options. You could create a child table to hold the IT Resource information, assuming all parent data is the same for every system. Then on the insert/delete of child table entries, you can provision and de-provision from that target. On disable/enable you would need to search through the child table and perform the action against all instances. The same for the other update tasks.
This is the limitation of access policies. They manage a single resource object target instance. You could also code a generic resource that has child table entries. When an insert happens, you can use the APIs to provision an instance of the specific target with the provided details. Then you could create access policies to add entries to the child table, and each would provision the appropriate object, and deprovision too.
Takes some custom code, but it's doable. Just remember though that they are all still the same resource object, so reporting would show them all, as well as attestation, as a single instance, with multiple provisioned to each user.
Another option is to duplicate the work flow using find and replace in the XML and generate a unique workflow for each instance.
-Kevin -
Error encountered during provisioning of user to SAP CUP in OIM 11g R1 BP07
We recently updated our environment from 11.1.1.5 BP05 to 11.1.1.5 BP07.
We are facing an issue with provisioning users to the SAP CUP system. We receive an error specifying:
Response: oracle.iam.connectors.sap.cup.ws.submitreq.ObjectFactory
Response Description: Unknown response received
However, we are unable to find any related errors in the log file. The SAP UM connector version is 9.1.2.5. Please let us know the cause of this issue.
1. Log in to the Design Console and open your GTC provisioning process definition, then add a new task called "Notify Email".
2. Check Required for Completion, Allow Cancel and optionally Disable Manual Insert.
3. In the Integration tab, add tcCompleteTask.
4. In the Assignment tab, add an entry with the Default rule, target type of User, and for the User field pick an existing user with a valid email address in their User Profile.
5. In the Notification tab add an entry and check Assignee (you can select User, Manager etc.), have the Status field set to C, and for the Email field pick a Provisioning type Notification Template that you have already created.
N.B.: Make sure the IT Resource and email configuration are set up properly, otherwise you will not get the mail.
Thanks
Tamim Khan -
For auto-provisioning I have checked "retrofit access policy", but the existing users in the OIM db are not being provisioned to the assigned target systems. Does anyone know which Scheduled Task is responsible for this?
Well, I believe the Schedule Task which needs to be run is the one mentioned previously only, i.e. Set User Provisioned Date. It works; I don't know why it's failing for you. Just check the configuration once again.
1) You created one new access policy, with the retrofit flag check box selected.
2) You added a group to this Access Policy as well.
3) All new members added to this group through auto-membership rules get the resource as specified in the access policy.
4) Existing group members don't get provisioned to any groups.
5) You run the schedule task manually, or it runs after 30 minutes automatically, and these users also get provisioned to the resource.
This is how it works. This may be exactly what you did, but just for confirmation.
Thanks
Sunny -
Role based provisioning - need help in access policies
Hello experts,
We have the following requirement
1. If the corresponding Role is not there, then the resource should not be allowed to get provisioned.
2. And whenever the Role is present for the user, then the corresponding resource provisioning should get triggered automatically.
Please advise whether the above could be achieved OOTB in OIM 11g?
875142 wrote:
1. After configuring the access policy we are still able to provision the resource manually without the role. How do we restrict it? What needs to be done for that?
As far as I know there's no way to stop the administrator from going to the resource profile and manually assigning the resource. Maybe you can try some authorization policies for that. But I am not sure.
2. We have a scenario in which we are disabling a user. This will deprovision a resource, say Retail. Then we are enabling that user again. Then ideally it should provision a new Retail resource. But that's not happening.
Check this for it: Re: Help required with Access policy trigger on Enable User in OIM 11.1.1.5
Also here we have selected the 'Retrofit Access Policy' flag and ran the 'Evaluate User Policy' scheduled task, but we couldn't see any changes because of that.
Retrofit Flag: if it is set to true, then all the users who already had a Role (before the access policy was created) will also get evaluated. If set to false, then only users newly added to the role will be evaluated for the access policy. What is the status of the resource when you disable the user the first time?
-Bikash -
How to get unique users through resource name using OIM 10g API
Hello,
I have a scenario where I have a resource 'TRY' with multiple requests allowed, so if user 'A' requests resource 'TRY' 3 times then I can see 3 occurrences of resource 'TRY' in user 'A''s resource profile, and when I use the getAssociatedUsers() API it gives me 3 occurrences of user 'A'. So is there any available API for searching unique users based on resource name?
Thank you
Rahul Shah
You can get the logged-in user name using the below Java code:
import oracle.adf.share.ADFContext;
import oracle.adf.share.security.SecurityContext;
// Read the principal of the user currently logged in to the ADF session
ADFContext adfCtx = ADFContext.getCurrent();
SecurityContext secCntx = adfCtx.getSecurityContext();
String user = secCntx.getUserPrincipal().getName();
HTH -
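An added example, not from this thread, answering the question above with the OIM 10g API: it walks the rows that getAssociatedUsers() returns for the resource (one row per provisioned instance) and keeps each login only once. objIntf is an assumed tcObjectOperationsIntf obtained from the OIM client; the column names are the standard OIM result-set columns.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import Thor.API.tcResultSet;
import Thor.API.Operations.tcObjectOperationsIntf;

public class UniqueResourceUsers {

    /**
     * Returns the distinct user logins that hold at least one instance of the
     * named resource object. getAssociatedUsers() returns one row per
     * provisioned instance, so a user with three instances of "TRY" appears
     * three times in the result set; the Set removes the repeats.
     *
     * objIntf is assumed to be a tcObjectOperationsIntf obtained from the OIM
     * client (tcUtilityFactory.getUtility(..., "Thor.API.Operations.tcObjectOperationsIntf")).
     */
    public static Set<String> uniqueUsersForResource(tcObjectOperationsIntf objIntf,
                                                     String resourceName) throws Exception {
        Map<String, String> filter = new HashMap<String, String>();
        filter.put("Objects.Name", resourceName);
        tcResultSet objects = objIntf.findObjects(filter);

        Set<String> logins = new TreeSet<String>();
        for (int i = 0; i < objects.getRowCount(); i++) {
            objects.goToRow(i);
            long objectKey = objects.getLongValue("Objects.Key");
            // One row per provisioned instance of this object
            tcResultSet users = objIntf.getAssociatedUsers(objectKey);
            for (int j = 0; j < users.getRowCount(); j++) {
                users.goToRow(j);
                logins.add(users.getStringValue("Users.User ID"));
            }
        }
        return logins;
    }
}
```

Note that revoked instances are also listed by getAssociatedUsers(), so a user whose only instances were revoked still appears unless you additionally check the instance status column of the result set.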
Issue in OIM 11gR2Ps2 while provisioning using access policies
Hi,
We are provisioning resources using access policies, and we are facing an issue while provisioning a resource using two access policies. We populate the main process form data using two access policies; according to the access policy priority we see the first access policy's form data value in the user process form, but the second access policy's value is not showing in the user process form. For example, we populate process form fieldvalue1 using access policy1 and process form fieldvalue2 using access policy2.
Thank you,
Hi,
We are facing an issue in the following scenario.
We are provisioning a resource based on the user's position through access policies. For example, a user with position "contractor" satisfies two rules; based on the rules he will get two roles, these two roles trigger two access policies, and the two access policies give the same resource, for example "AD". In the AD main process form there are two lookups (lookup A, lookup B); we give the lookup A value in access policy1 and the lookup B value in access policy2. Whenever the user gets the AD resource through these roles, after provisioning when we look at the user process form only the lookup A value is there and lookup B is empty. But I want to get both lookup A and lookup B values. What I observed was that based on the priority the access policy values are coming to the user resource form; the next access policy's form values are not reflected in the user process form.
Thanks, -
How to Map OIA Provisioning policies to OIM Access Policies
Hi,
Access policies in OIM do not allow entitlement definitions in them, such as defining the AD Groups that need to be attached to the account which would be provisioned on the target resource when the access policy gets triggered. These entitlement definitions in OIM are taken care of at the Process Form level, whereas in the case of OIA the Provisioning policies allow entitlement definitions according to the resource type at the policy level. It would be of great help if you could help us understand how the import and export of access policy data between OIA and OIM would be feasible with these differences in place.
Secondly, the access policies defined in OIM can contain resources belonging to different resource types, unlike OIA where we can create access policies only pertaining to the selected resource type. Kindly let us know how the Import and Export process would work out in these scenarios as well.
Appreciate your guidance and support
Thanks
Avinash
Hi,
Any helpful pointer on above mentioned scenario ?
Thanks,
RPB -
Provision Entitlements using Access Policy in OIM & OIA
Hi All,
Access policies in OIM do not allow entitlement definitions in them, such as defining the AD Groups that need to be attached to the account which would be provisioned on the target resource when the access policy gets triggered. These entitlement definitions in OIM are taken care of at the Process Form level, whereas in the case of OIA the Provisioning policies allow entitlement definitions according to the resource type at the policy level. It would be of great help if you could help us understand how the import and export of access policy data between OIA and OIM would be feasible with these differences in place.
Appreciate any helpful pointer on this.
Thanks,
RPB
Message was edited by: RPB25
You can edit the Access Policy, select the added Resource, and provide more information. If it has a child table, you can add entitlements to it. You can also add entitlements while exporting OIA policies using the access policy API of OIM. But just check after importing to OIM: the access policies order will be messed up.
sjit -
Self Service Requests for OIM Access Policies
In the absence of a Role Management product, is there a good way to enable OIM End User Self Service to process requests and approvals for OIM Access Policies or OIM Groups?
Any suggestions are appreciated!
KC
Ultimately the group membership will trigger an access policy. The access policy assignment is the goal; the group assignment is the typical method to assign the access policy to the user.
When creating a dummy resource, I assume that resource would have a lookup on the form to select the group name. Is this what you are suggesting?
KC -
Error while provisioning a user to EBS UM
Hi All,
I am trying to provision a user to EBS UM from OIM 11g R2 and it remains in the provisioning state. When I checked the resource history, the Create User task says the following:
Invalid Person ID entered.
In the logs I found the below error:
[2013-01-28T11:34:28.743-06:00] [oim_server1] [ERROR] [] [OIMCP.EBSUM] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: f6ba830da483e35d:-11dfaf49:13c66250769:-8000-0000000000007112,0] [APP: oim#11.1.2.0.0] ================= Start Stack Trace =======================
[2013-01-28T11:34:28.749-06:00] [oim_server1] [ERROR] [] [OIMCP.EBSUM] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: f6ba830da483e35d:-11dfaf49:13c66250769:-8000-0000000000007112,0] [APP: oim#11.1.2.0.0] oracle.iam.connectors.ebs.usermgmt.integration.EBSUserManagementHelper : isEmployeeExist
[2013-01-28T11:34:28.754-06:00] [oim_server1] [ERROR] [] [OIMCP.EBSUM] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: f6ba830da483e35d:-11dfaf49:13c66250769:-8000-0000000000007112,0] [APP: oim#11.1.2.0.0] Failed to check user in DB
[2013-01-28T11:34:28.760-06:00] [oim_server1] [ERROR] [] [OIMCP.EBSUM] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: f6ba830da483e35d:-11dfaf49:13c66250769:-8000-0000000000007112,0] [APP: oim#11.1.2.0.0] Description : ORA-00942: table or view does not exist[[
[2013-01-28T11:34:28.765-06:00] [oim_server1] [ERROR] [] [OIMCP.EBSUM] [tid: [ACTIVE].ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: f6ba830da483e35d:-11dfaf49:13c66250769:-8000-0000000000007112,0] [APP: oim#11.1.2.0.0] java.sql.SQLSyntaxErrorException: ORA-00942: table or view does not exist[[
Any help is appreciated... thanks in advance
Edited by: 959118 on Jan 28, 2013 9:45 AM
It is clearly saying "Failed to check user in DB",
Description : ORA-00942: table or view does not exist, in the method "oracle.iam.connectors.ebs.usermgmt.integration.EBSUserManagementHelper : isEmployeeExist".
Check your connector installation again. -
Hi All,
I have OIM 11gR2 installed with LDAPSync enabled.
When I tried to assign a Role to a User through a membership rule, the Role was successfully assigned to the User in OIM, but it was not added in OID.
Role membership is added in OID when the User requests the Role through Catalog search. Also, Role membership is added in OID after running the job 'LDAPSync Post Enable Provision Role Memberships to LDAP'.
How can I add Role membership in OID as soon as the Role is assigned to the User through a membership rule in OIM?
Hi
It sounds like you have not selected anything on the Presentation & Data tab of the Workspace Startpoint/User Service.
You need to specify:
Your Asset (the form you want to present to the user)
An associated Action Profile (tells the server how you want the form rendered... typically it is set to Default, which uses the Render PDF Form process)
The variable to hold your data (typically an XML variable)
Make sure these are set.
Diana -
How to Apply a Newly Created Access Policy on Existing Users in OIM?
When the rule fails, the user is removed from the group but the resource is not revoked. This is happening only for the old users; for the users which I created now it is working fine, I mean the resource is getting revoked.
("Retrofit access policy" is checked on the Access Policy and "Revoke if no longer applied" is checked.)
For the old users I see the POL_KEY is null; for new users I see a value '10'. So I updated the pol_key for the old users to the same value that was generated for the new users, '10'.
I even updated the form version too, but still revoke doesn't work.
I can't go for the below approach:
In order to apply a newly created Access Policy on existing users, one has to make sure that:
1) "Retrofit access policy" is checked on the Access Policy.
2) Then run the "Set User Provisioned Date" Schedule task to apply the Access Policy on the existing users in OIM.
Note: After 9.1.0.1 BP03 the access policy execution has been moved to a new scheduled task "Evaluate User Policies", as mentioned in Document 839368.1: How to Use Access Policies to Provision with Groups.
Is there any other approach I can try? If you have any idea please reply to me asap.
Thanks..
Thanks for the reply Kevin..
We decided to try the Schedule task (Set User Provisioned Date).
But I see one problem here after seeing this post in Metalink --> Can Access Policies Manage The Life-cycle Of Users Created via Reconciliation? [ID 1136540.1]
According to this post, the Access Policies framework does not manage users who are obtained either through trusted reconciliation or target reconciliation.
Is there any custom way to achieve this?
How does the access policy framework's revoke resource work (revoke if no longer applies)?
Edited by: IDMuser19 on Jun 21, 2011 11:43 PM -
OIM 9.1.0.2 - Access Policies issue
Hi Gurus,
I am facing a strange behavior in the Access Policies feature.
When users are inactivated in OIM, they should be removed from the groups associated with the AP, but the groups remain associated, and because of that the AP is triggered again, provisioning resources to the users.
Has anyone faced this issue?
Brgds,
Carlos
What do all of your group membership rules look like? Are you sure your right side is the correct format? You can create a rule where Users.Status = "Active". Just need to make sure it's case sensitive, so you'll want to check the database for existing values.
-Kevin -
Enabling a User through OIM API
Hi, I am trying to enable a user through the OIM API. However, the end date has already passed for that user, so I am setting a new end date through the program (shown below). However, the update user is not working (I am not sure).
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.Calendar;
import java.util.HashMap;
import java.util.Map;
import Thor.API.tcResultSet;

// userClient is a Thor.API.Operations.tcUserOperationsIntf and groupClient a
// tcGroupOperationsIntf obtained from the OIM client; User_id and Group_Name are set by the caller.
Map usermap = new HashMap();
usermap.put("Users.User ID", User_id);
Map grpmap = new HashMap();
grpmap.put("Groups.Group Name", Group_Name);
tcResultSet ts = userClient.findUsers(usermap); // find the user by login
if (ts.isEmpty()) {
    throw new IllegalStateException("No user found for " + User_id);
}
ts.goToRow(0); // position on the matching row before reading any column
String existing_end_date = ts.getStringValue("Users.End Date");
tcResultSet tg = groupClient.findGroups(grpmap); // find required group
tg.goToRow(0);
long ukey = ts.getLongValue("Users.Key");
long gkey = tg.getLongValue("Groups.Key"); // group key (not used below)
// ENABLE THE USER: move the end date into the future first, then enable.
// Calendar replaces the deprecated new java.util.Date(111,1,1), i.e. 2011-02-01.
Calendar cal = Calendar.getInstance();
cal.clear();
cal.set(2011, Calendar.FEBRUARY, 1);
// HH is the 24-hour clock; with hh, midnight is formatted as 12:00:00
DateFormat dateFormat = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
String Str1 = dateFormat.format(cal.getTime());
String Str2 = existing_end_date + " 12:00:00";
System.out.println(User_id + " OLD End Date:" + Str2 + " New End Date: " + Str1);
Map usermap2 = new HashMap();
usermap2.put("Users.User ID", User_id);
usermap2.put("Users.End Date", Str1);
userClient.updateUser(ts, usermap2); // ts must still point at the user's row
userClient.enableUser(ukey);
I am getting the following error:
U0000018 OLD End Date:2009-09-30 12:00:00 New End Date: 2011-02-01 12:00:00
2/12/2010 15:02:53 oracle.j2ee.rmi.RMIMessages EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER
WARNING: Exception returned by remote server: {0}
Thor.API.Exceptions.tcAPIException: The user cannot be enabled because the end date is passed.
Not sure why it is happening. It looks like the updateUser is not working, or something else?
Please advise. Thanks in advance.
Hi Suren,
thanks for the note.
I found that as soon as I enable the user, I am getting the following messages in the opmn logs:
INFO,06 Dec 2010 10:55:41,841,[XELLERATE.JAVACLIENT],System Event Handler: Validating Organization for an User.
INFO,06 Dec 2010 10:55:41,944,[XELLERATE.JAVACLIENT],System Event Handler: Triggering Processes related to User.
INFO,06 Dec 2010 10:55:42,402,[XELLERATE.JAVACLIENT],System Event Handler: Enabling the User
INFO,06 Dec 2010 10:55:42,421,[XELLERATE.JAVACLIENT],System Event Handler: Validating Organization for an User.
INFO,06 Dec 2010 10:55:42,427,[XELLERATE.JAVACLIENT],System Event Handler: Triggering Processes related to User.
INFO,06 Dec 2010 10:55:42,439,[XELLERATE.JAVACLIENT],System Event Handler: Changing application data based on Organization change.
INFO,06 Dec 2010 10:55:42,442,[XELLERATE.JAVACLIENT],System Event Handler: Auto-Group Membership Event.
INFO,06 Dec 2010 10:55:43,715,[XELLERATE.JAVACLIENT],System Event Handler: Evaluating User Policies
So, the access policies are getting evaluated, triggering provisioning processes.
What I am planning to do is to disable the access policies and try to run the program.
Because of this issue, my program throws an error (until I looked into the opmn logs, it didn't make sense).
6/12/2010 10:55:50 oracle.j2ee.rmi.RMIMessages EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER
WARNING: Exception returned by remote server: {0}
Thor.API.Exceptions.tcAPIException: Error occurred enabling Xellerate User instance.
Regards
Vijay Chinnasamy