Reconcile AD group users to OIM Organization

How to reconcile AD group users to respective OIM Organization? We have an AD group ADG1 and user added to this group as ADuser1. On running AD Group Recon the ADG1 gets created as organization in OIM but it is not reflecting user in the organization. How will I make this happen?

One way you can achieve that is to write an identical scheduler to one available ootb for Group-Lookup reconciliation. The logic which you would implement here is to fetch the mail-id for the corresponding group users. Once you fetch the details using LDAP APIs you can populate those values in a lookup already created in OIM. Precisely this will be as follows:
1) Add another field of lookup type for the 'AD Group member's email' in your child table.
2) Write a class which actually connects to the AD, fetches the group members email Id into an ArrayList.
3) Also populate the lookup provided in step-1 using lookup APIs.
4) Write a custom scheduler similar to the 'AD Group Lookup Recon'. Map the above class with this scheduler.
5) Run this Scheduler.
For nearly all of this you can refer to the existing code of AD.
Thanks
Sunny
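
Step 2 of the answer above (a class that connects to AD and collects the group members' e-mail addresses), as an added example that is not part of the original post and is not the AD connector's own code. The host name, service account, base DN, group DN and the AD_BIND_PASSWORD environment variable are placeholders; it binds over LDAPS, passes the group DN as a filter argument so JNDI escapes it, and pages results to stay under AD's default 1000-entry limit.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.PagedResultsControl;
import javax.naming.ldap.PagedResultsResponseControl;

public class AdGroupMemberMails {

    // AD matching rule LDAP_MATCHING_RULE_IN_CHAIN: also matches members of nested groups.
    private static final String IN_CHAIN = "1.2.840.113556.1.4.1941";
    private static final int PAGE_SIZE = 500; // below AD's default 1000-entry result limit

    public static List<String> fetchMemberMails(LdapContext ctx, String baseDn,
            String groupDn, boolean nested) throws NamingException, IOException {
        // {0} is filled from the filter arguments; JNDI escapes filter
        // metacharacters in it, so a group DN containing ( ) * \ cannot alter the filter.
        String filter = "(&(objectCategory=person)(objectClass=user)(memberOf"
                + (nested ? ":" + IN_CHAIN + ":" : "") + "={0}))";
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"mail"}); // request only what is needed

        List<String> mails = new ArrayList<String>();
        byte[] cookie = null;
        do {
            PagedResultsControl paging = (cookie == null)
                    ? new PagedResultsControl(PAGE_SIZE, Control.CRITICAL)
                    : new PagedResultsControl(PAGE_SIZE, cookie, Control.CRITICAL);
            ctx.setRequestControls(new Control[] {paging});
            NamingEnumeration<SearchResult> page =
                    ctx.search(baseDn, filter, new Object[] {groupDn}, sc);
            try {
                while (page.hasMore()) {
                    Attribute mail = page.next().getAttributes().get("mail");
                    if (mail != null && mail.get() != null) { // skip accounts without a mail value
                        mails.add(mail.get().toString());
                    }
                }
            } finally {
                page.close();
            }
            // The server returns a cookie while more pages remain.
            cookie = null;
            Control[] response = ctx.getResponseControls();
            if (response != null) {
                for (Control c : response) {
                    if (c instanceof PagedResultsResponseControl) {
                        cookie = ((PagedResultsResponseControl) c).getCookie();
                    }
                }
            }
        } while (cookie != null && cookie.length > 0);
        return mails;
    }

    public static void main(String[] args) throws Exception {
        // All connection values below are placeholders for illustration.
        String password = System.getenv("AD_BIND_PASSWORD");
        if (password == null) {
            throw new IllegalStateException("AD_BIND_PASSWORD is not set");
        }
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://ad.example.com:636"); // LDAPS: bind is encrypted
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "svc-oim-recon@example.com"); // read-only account
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");
        env.put("com.sun.jndi.ldap.read.timeout", "30000");
        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            List<String> mails = fetchMemberMails(ctx, "OU=People,DC=example,DC=com",
                    "CN=ADG1,OU=Groups,DC=example,DC=com", true);
            for (String m : mails) {
                System.out.println(m);
            }
        } finally {
            ctx.close();
        }
    }
}
```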

Similar Messages

  • How to reconcile AD group user to OIM

    Hi experts,
    I need to write a scheduled task to reconcile AD group users to OIM.
    I searched the forum and found a useful thread:
    Reconcile AD group users to OIM Organization
    If you provide some steps to do this, it will be helpful for me.
    Thanks

    For detailed information, look at the MS AD user management connector. The connector comes with scheduled tasks. All you need to specify is from which group users have to be reconciled.
    http://download.oracle.com/docs/cd/B31337_01/doc.901/b31119.pdf
    Read the documentation from above link to get more information.

  • Reconciliation ad users into an Organization

    Hi *,
    I'm trying to run a reconciliation of ad users into oim.
    1) In the "AD User Trusted Recon" schedule task, "OIM Organization" parameter,
    when I set this parameter to "Xellerate Users", reconciliation runs successfully. User is created on Xellerate Users organization.
    But, when I try to give a different value (i.e. An organization name that we have created..For example, say "Demo"), it gives following error...
    2009-11-16 04:40:19,467 ERROR [XELLERATE.SERVER] Class/Method: tcUSR/eventPreInsert Error :Mandatory fields are blank or null.
    2) In current users in AD, they don't have an end date set. So, after reconciling those ad users to oim, I will set the end date from back end (i.e. by updating the OIM usr table manually). Will it trigger the "Update <field_name>" task?
    Regards,
    Chaturanga

    Hi,
    Thanks...But, when I change that value, I got an error....I will try that again.....
    But, now i'm having another problem.....
    I reconcile users from AD to oim using "AD User Trusted Recon"....But, this will not create any thing on "Resource Object" part of the user's profile...
    So, after that i run the "AD User target recon"....This create a result on the "Resource Object" part of the OIM user's profile....
    Resource Name -> AD User
    Status -> Enable
    Is this the correct way of reconciling user information....Otherwise, if I do not run the "AD User target recon", there is no indication or connection between OIM User profile and AD....
    And another.....do I have to add "Change <field_name>" tasks on "AD User" provisioning process to update changes made in the OIM User's profile edit page to AD process form??
    Regards,
    Chaturanga

  • OIM-OID Connector: OID Group Recon Task and organizations

    Hi,
    I'm evaluating OIM and its OID Connector.
    We have groups in our existing OID. We thought that we could use the OID Connector OID Group Recon Task to import those groups into OIM and make them Groups in OIM.
    However, when we run the task, it appears to import our groups from OID as organizations, not as groups. It's not clear to me from the OID Connector documentation what exactly the OID Group Recon task is supposed to do. That's why we assumed it was an OOTB method for reconciling OID groups into OIM groups.
    What are we doing wrong? Why do we end up with our OID Groups becoming OIM Organizations after running the task?
    We are using version 9.4.11 of the OID Connector.
    Also, a side issue: how can we delete unwanted organizations from OIM? There's a delete option but it just seems to mark the organizations as deleted but they are still there.
    Thanks
    Eric
    Edited by: PeachEye on 17/03/2010 11:49

    Hi,
    I am also facing the similar issue. I want to reconcile OID groups into OIM User Groups menu item. Please suggest how to proceed.
    I ran the schedule task- OID Group Recon Task, but it throws error-
    ERROR,12 Mar 2010 09:16:44,265,[XL_INTG.OID],OID:tcTskOIDGrouporRoleReconTask:performReconciliation():com.thortech.xl.integration.OID.util.tcUtilLDAPOperations:NamingException :Unable to search LDAP. Check the following values and try again: Base Search detail: cn=abc,ou=Q System1,dc=xoserve-apps,dc=com, filter expression is (&(objectClass=groupOfUniqueNames)(modifytimestamp>=19000101010001Z)), Attributes : DN, modifytimestamp, Organization Name, orclguid, cn,]
    ERROR,12 Mar 2010 09:16:44,281,[XL_INTG.OID],===================================
    I want to bring OID groups into OIM so that I can manage those OID groups from OIM. Is there any other way to do this? I have to make changes in the OID object class or in the OID field mappings? I have not done any changes in Lookup OID configuration or LookUp Field map parameters.
    Please help.

  • OIM 10g Event Handler : Integrated with User Groups.User Members

    I have created custom event handler and integrated it with User Groups.User Members data object.
    here is my code of event handler class:
    import com.thortech.xl.client.events.tcBaseEvent;

    public class GroupEventHandler extends tcBaseEvent {
         public GroupEventHandler() {
              this.setEventName("Event Handler Sample");
         }

         protected void implementation() throws Exception {
              System.out.println("============@@@@@@@@ IN EVENT HANDLER ");
              try {
                   // This lookup is the call that fails with the exception below
                   String groupKey = this.getDataObject().getString("Groups.Key");
                   writeToFile(groupKey); // helper not shown in the post
              } catch (Exception e) {
                   e.printStackTrace();
              }
         }
    }
    But I am getting this exception :
    ERROR [ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)' XELLERATE.SERVER - Class/Method: tcTableDataObj/getString encounter some problems: Column 'GROUPS.KEY' not found
    com.thortech.xl.dataaccess.tcDataSetException: Column 'GROUPS.KEY' not found
         at com.thortech.xl.dataaccess.tcDataSet.getColumnIndex(Unknown Source)
         at com.thortech.xl.dataaccess.tcDataSet.getString(Unknown Source)
         at com.thortech.xl.dataobj.tcTableDataObj.getString(Unknown Source)
         at oim.GroupEventHandler.implementation(GroupEventHandler.java:19)
         at com.thortech.xl.client.events.tcBaseEvent.run(Unknown Source)
         at com.thortech.xl.dataobj.tcDataObj.runEvent(Unknown Source)
         at com.thortech.xl.dataobj.tcDataObj.eventPostInsert(Unknown Source)
         at com.thortech.xl.dataobj.tcUSG.eventPostInsert(Unknown Source)
         at com.thortech.xl.dataobj.tcDataObj.insert(Unknown Source)
         at com.thortech.xl.dataobj.tcDataObj.save(Unknown Source)
         at com.thortech.xl.dataobj.tcTableDataObj.save(Unknown Source)
         at com.thortech.xl.ejb.beansimpl.tcGroupOperationsBean.addMemberUsers(Unknown Source)
         at com.thortech.xl.ejb.beans.tcGroupOperationsSession.addMemberUsers(Unknown Source)
         at com.thortech.xl.ejb.beans.tcGroupOperations_ejm77u_EOImpl.addMemberUsers(tcGroupOperations_ejm77u_EOImpl.java:1671)
         at Thor.API.Operations.tcGroupOperationsClient.addMemberUsers(Unknown Source)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at Thor.API.Base.SecurityInvocationHandler$1.run(Unknown Source)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
         at weblogic.security.Security.runAs(Security.java:41)
         at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(Unknown Source)
         at Thor.API.Base.SecurityInvocationHandler.invoke(Unknown Source)
         at $Proxy66.addMemberUsers(Unknown Source)
         at com.thortech.xl.webclient.actions.UserGroupMembersAction.assignMemberUsers(Unknown Source)
         at com.thortech.xl.webclient.actions.UserGroupMembersAction.assignGroupMembers(Unknown Source)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:280)
         at com.thortech.xl.webclient.actions.tcLookupDispatchAction.execute(Unknown Source)
         at com.thortech.xl.webclient.actions.tcActionBase.execute(Unknown Source)
         at com.thortech.xl.webclient.actions.tcAction.execute(Unknown Source)
         at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
         at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
         at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
         at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:525)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
         at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
         at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
         at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at com.thortech.xl.webclient.security.SecurityFilter.doFilter(Unknown Source)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3592)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
         at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2202)
         at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2108)
         at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1432)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)

    Anyone have idea about why "Groups.Key" not found exception thrown here..
    I have assigned this event handler at postinsert event of User Groups.User Members Data Object.

  • How to hide users' (and roles and organization) list from a user in OIM

    Hi,
    Admin (xelsysadm) has created a user in OIM. Now if that user is logged in to OIM Self Service (http://<url>/identity), he can see other users in his organization, along with list of roles, role categories, organizations etc. I have a requirement to hide all the administration links from end user. Right now, he only has "All Users" role, and doesn't have any admin role, but can see all these administration links. What do I need to do to hide these links from end user? Do I need to remove "All Users" role, or assign any other role, or do something in entitlement or in access policy?
    Thanks.

    Thanks Karthik for your reply. It helped a lot.
    Steps, just for reference...
    1). Create SandBox
    2). Activate
    3). Customize and view by source
    4). Select your link which you want to hide
    5). Edit Visible properties and use #{oimcontext.currentUser.roles['SYSTEM ADMINISTRATORS'] != null}
    6). Save
    7). Publish
    8). Test
    Edited by: 966405 on Feb 20, 2013 3:50 PM

  • Show/Search Users from specific organization in OIM

    Hello Everyone,
    I have a requirement where in when a request is submitted and forwarded to say Manager. Now, Manager should reassign the task to other user who is from particular organization say MyOrg1. Is it possible to implement this. Currently, when I try to reassign the task to some other user, it provides me users from all the Organizations. It should show only those users who are from MyOrg1 and should not show users from other Organizations.
    Please let me know.
    Thanks,

    In R2 it is very simple. Just provide Organization Viewer/Administrator Admin Role on other organization to Manager. Now manager can assign to other user who exist under other org.
    I don't know if it is possible in R1. You can check with the Object PermPolicy. Do the same as R2. I mean provide viewer permission on this organization.
    Look at data object permission tab and there also you can provide read access for Organization Admin role.
    For R1 find below link
    http://docs.oracle.com/cd/E21764_01/doc.1111/e14316/org_mangmnt.htm#CHDFBDDB
    and
    http://docs.oracle.com/cd/E21764_01/doc.1111/e14316/org_mangmnt.htm#BABGFGAJ

  • Enabling a User through OIM API

    Hi I am trying to enable a user through OIM API, However the end date is already passed for that user, I am setting up a new end date through the Program (shown below). However the update user is not working (I am not sure).
    Map usermap = new HashMap();
    usermap.put("Users.User ID", User_id );
    Map grpmap = new HashMap();
    grpmap.put("Groups.Group Name", Group_Name);
    tcResultSet ts = userClient.findUsers(usermap); //find all users
    String existing_end_date = ts.getStringValue("Users.End Date");
    tcResultSet tg = groupClient.findGroups(grpmap); //find required group
    long ukey = ts.getLongValue("Users.Key");
    long gkey = tg.getLongValue("Groups.Key"); //find group key
    // ENABLE THE USER
    java.util.Date new_end_date = new java.util.Date(111,1,1);
    Calendar cal = Calendar.getInstance();
    cal.setTime(new_end_date);
    DateFormat dateFormat = new SimpleDateFormat("yyyy-MM-dd hh:mm:ss");
    String Str1 = dateFormat.format(cal.getTime());
    String Str2 = existing_end_date + " 12:00:00";
    System.out.println(User_id+" OLD End Date:" + Str2 + " New End Date: " + Str1);
    Map usermap2 = new HashMap();
    usermap2.put("Users.User ID", User_id );
    usermap2.put("Users.End Date", Str1);
    userClient.updateUser(ts,usermap2);
    userClient.enableUser(ukey);
    I am getting the following error:
    U0000018 OLD End Date:2009-09-30 12:00:00 New End Date: 2011-02-01 12:00:00
    2/12/2010 15:02:53 oracle.j2ee.rmi.RMIMessages EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER
    WARNING: Exception returned by remote server: {0}
    Thor.API.Exceptions.tcAPIException: The user cannot be enabled because the end date is passed.
    Not sure why it is happening. It looks like the Updateuser is not working, or something else?
    Please advise. Thanks in advance.

    Hi Suren,
    thanks for the note.
    I found that as soon as I enable the user, I am getting the following messages in the opmn logs:
    INFO,06 Dec 2010 10:55:41,841,[XELLERATE.JAVACLIENT],System Event Handler: Validating Organization for an User.
    INFO,06 Dec 2010 10:55:41,944,[XELLERATE.JAVACLIENT],System Event Handler: Triggering Processes related to User.
    INFO,06 Dec 2010 10:55:42,402,[XELLERATE.JAVACLIENT],System Event Handler: Enabling the User
    INFO,06 Dec 2010 10:55:42,421,[XELLERATE.JAVACLIENT],System Event Handler: Validating Organization for an User.
    INFO,06 Dec 2010 10:55:42,427,[XELLERATE.JAVACLIENT],System Event Handler: Triggering Processes related to User.
    INFO,06 Dec 2010 10:55:42,439,[XELLERATE.JAVACLIENT],System Event Handler: Changing application data based on Organization change.
    INFO,06 Dec 2010 10:55:42,442,[XELLERATE.JAVACLIENT],System Event Handler: Auto-Group Membership Event.
    INFO,06 Dec 2010 10:55:43,715,[XELLERATE.JAVACLIENT],System Event Handler: Evaluating User Policies
    So, the access policies are getting evaluated, triggering provisioning processes.
    What I am planning to do is, to disable the access policies and try to run the Program.
    Because of this issue, my Program is throwing an error (until I looked into the opmn logs, it doesn't make sense).
    6/12/2010 10:55:50 oracle.j2ee.rmi.RMIMessages EXCEPTION_ORIGINATES_FROM_THE_REMOTE_SERVER
    WARNING: Exception returned by remote server: {0}
    Thor.API.Exceptions.tcAPIException: Error occurred enabling Xellerate User instance.
    Regards
    Vijay Chinnasamy

  • Can't Provision user from OIM to AD (manual provis

    can't Provision user from OIM to AD (manual provisioning ) failed with Error
    the following is connector server log
    ==========================================
    DateTime=2012-07-18T08:39:32.8713100Z
    ConnectorServer.exe Error: 0 : System.ArgumentNullException: Value cannot be null.
    Parameter name: Parameter 'uid' must not be null.
    at Org.IdentityConnectors.Common.Assertions.NullCheck(Object o, String param)
    at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.UpdateImpl.ValidateInput(ObjectClass objclass, Uid uid, ICollection`1 attrs, Boolean isDelta) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 1568
    at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.UpdateImpl.Update(ObjectClass objclass, Uid uid, ICollection`1 replaceAttributes, OperationOptions options) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 1365
    at Org.IdentityConnectors.Framework.Impl.Api.Local.Operations.ConnectorAPIOperationRunnerProxy.Invoke(Object proxy, MethodInfo method, Object[] args) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\ApiLocalOperations.cs:line 244
    at ___proxy1.Update(ObjectClass , Uid , ICollection`1 , OperationOptions )
    at Org.IdentityConnectors.Framework.Impl.Server.ConnectionProcessor.ProcessOperationRequest(OperationRequest request) in c:\ADE\aime_icf\icf\framework\dotnet\FrameworkInternal\Server.cs:line 609
    DateTime=2012-07-18T08:39:37.8558126Z
    1- I am using OIM 11.1.1.5 / applied patch p13704894_111150
    2- this is the target system LDAP on Windows Server 2008 R2 Enterprise version 6.1(7601), Service Pack 1
    3- and the connector server and connector version, activedirectory-11.1.1.5.0, Connector_Server_111150
    I noticed that for any user I create on OIM objectGUID is 0, I can read groups and organizations from LDAP with no errors
    please support

    This issue is coming because your object guid is not getting synchronized properly. Login to design console and open AD User form. Go to pre-populate tab. Open prepop adapter for User Principal name. Here by default IT resource name passed is Active Directory whereas you should have your IT server name which I think by default is AD Server. In the Mapto section select Process data and qualifier field will have AD server. Click on save button. Save your form.
    Retry your test case now. This will resolve your problem.
    regards,
    GP

  • OVD/OID group reconciliation in OIM 11g with LDAP sync

    Hi All!
    Is it possible to reconcile OID groups to OIM using LDAP sync? How to achieve such configuration?
    I have OIM with LDAP sync and user and roles provisioning to OVD is working.
    best
    mp

    Hi,
    I want to Integrate OIM and OID. Can you guide me in doing so?. The platform I will use is Windows 2003 Server, OIM version is 9.1. Also please tell me which version of OID i should use.
    Note: I am new to OID and OIM.
    Thanks in advance.
    Regards,
    Kazmi

  • Search users in OIM from Admin Console

    Hi,
    I am trying to search for users logging into admin console as an end user. But my search did not result in any users though there are many users in OIM. I have given all the permissions available to the group in which this user is present and Manage User menu item to that group.
    Can anyone please let me know, if the end-user will ever be able to search for other users in OIM?
    PS: If I add the end user group as sub-group to sysadm group, then everything works fine, But this is not the solution for me!!
    Thanks in Advance

    Permissions to view users are done at the organization level. If you want a specific group of users to be able to search for other users, create a group. then go to manage organizations and select administrative groups from the drop down. Add that group with at least read permissions. Usually if i know requests and such will need to be submitted for other users, i give all users read access to the main organization.
    -Kevin

  • Provisioning: Users from OIM to Active Directory

    Dear Experts!
    I am trying to setup provisionig from OIM to AD. I just want to provision Users from OIM to AD.
    I am going through this documentation/tutorial:
    http://download.oracle.com/docs/cd/E11223_01/doc.910/e11197/deploy.htm#insertedID0
    i also read this:
    http://www.oracle.com/technology/obe/fusion_middleware/im1014/oim/ad_provision/prov2ad.htm
    But it just won't work. The provisioned resource always gets status rejected in the (To-Do List --> Open Tasks).
    Then i tried to test the connection to AD using this documentation:
    http://download.oracle.com/docs/cd/E11223_01/doc.910/e11197/testing.htm
    And i get this error in the console:
    http://img689.imageshack.us/img689/3190/errorq.png
    The IT resource: ADITResource looks like this:
    Remote Manager Prov Script Path:     
    Admin FQDN: [email protected]
    Use SSL: no
    Remote Manager Prov Lookup: AtMap.AD.RemoteScriptlookUp
    Target Locale TimeZone: GMT
    Port Number: 636
    AtMap ADUser: AtMap.AD
    ADGroup LookUp Definition: Lookup.ADReconciliation.GroupLookup
    isUserDeleteLeafNode: no
    Allow Password Provisioning: no
    UPN Domain: domain-test.local
    AtMap ADGroup: AtMap.ADGroup
    ADAM LockoutThreshold Value: 5
    isADAM: no
    Admin Password: *********
    Invert Display Name: no
    Root Context: dc=domain-test,dc=local
    Server Address: testing-server.domain-test.local
    Could be the problem that i don't use SSL? I don't set Passwords in AD, i have read that then i don't need SSL...?
    I am new to OIM, so your response is greatly appreciated!
    Thank you very much in advance!

    Hello again Raj!
    Thank you for your answer. You have always good ideas...
    1) Whats the response that you are getting from AD for this operation. Check this as following:
    Go to Users->UserABC->(Resource Profile from Drop down)->(Click your particular resource instance)->(Select the rejected task precisely "Create User")
    I get this on the Task Name - Create User:
    Status:Rejected
    Response: Please Select the Organization or Container Name from Organization Name Lookup
    Response Description: Please Select the Organization or Container Name from Organization Name Lookup
    But i can't get to populate the Organization Name on the user form, because there are no values available.
    Under Error Details there is nothing.
    2) If your IT resource parameters are incorrect, you will get a connection error in logs. Your port information is correct, it has to be Port->389 and Use SSL-no
    I have created a new IT resource without SSL. Just to test the connection to AD. It works because I get “Successfully established connection to the AD_Test_without_SSL.”
    Below is my NEW configuration for the IT Resource.
    IT Resource Name: AD_Test_without_SSL
    IT Resource Type: AD Server
    ADAM LockoutThreshold Value: 5
    ADGroup LookUp Definition: Lookup.ADReconciliation.GroupLookup
    Admin FQDN: [email protected]
    Admin Password: *********
    Allow Password Provisioning: no
    AtMap ADGroup: AtMap.ADGroup
    AtMap ADUser: AtMap.AD
    Invert Display Name: no
    isADAM: no
    isUserDeleteLeafNode: no
    Port Number: 389
    Remote Manager Prov Lookup: AtMap.AD.RemoteScriptlookUp
    Remote Manager Prov Script Path:
    Root Context: dc=domain-test,dc=local
    Server Address: testing-server.domain-test.local
    Target Locale TimeZone: GMT
    UPN Domain: domain-test.local
    Use SSL: no

  • Provisioning Sun directory Server to a User in OIM

    I am learning a OIM tool since 2 months, I could not able to do provisioning sun directory server to a user in OIM, the error is I am not getting the value for Organization DN. I am using ODSEE 11.1.1.5.0 and OIM 11.1.1.5.0. I have followed below steps
    1. Copy Connector and External Code Files.
    2. Configure Oracle Identity Manager Server.
    3. Import an Oracle Identity Manager Connector.
    4. Define an IT Resource.
    5. Create a User.
    6. Assign the Connector to a User.
    Please anyone suggest me solution for this problem.

    Hi,
    You need to run organization lookup reconciliation first then select value in the process form.
    If you are getting particular error, paste error messages from console?
    Regards,
    Raghav.

  • How to Apply a Newly Created Access Policy on Existing Users in OIM????????

    How to Apply a Newly Created Access Policy on Existing Users in OIM?
    When the rule is getting failed the user is getting removed from the group but resource is not getting revoked. This is happening only for the old users..for the users which I created now it is working fine..I mean its resource is getting revoked.
    ("Retrofit access policy" is checked on the Access Policy and Revoke if not longer applied is checked.)
    For the old users i see the POl_Key is null, for new users i see a value '10'. So i updated the pol_key for old users same as it got generated for new users '10'.
    i even updated the form version too but still revoke doesn't work.
    I cant go for the below approach..
    In order to apply a newly created Access Policy on existing users, one has to make sure that:
    1) "Retrofit access policy" is checked on the Access Policy.
    2) Then run the "Set User Provisioned Date" Schedule task to apply the Access Policy on the existing users in OIM.
    Note: After 9.1.0.1 BP03 the access policy execution has been moved to a new scheduled task "Evaluate User Policies" as mentioned in Document 839368.1: How to Use Access Policies to Provision with Groups.
    Is there any other approach i can try.. if you have any idea please reply me asap
    Thanks..

    Thanks for the reply kevin..
    We decided to try the Schedule task (Set User Provisioned Date).
    But I see one problem here after seeing this post in Metalink --> Can Access Policies Manage The Life-cycle Of Users Created via Reconciliation? [ID 1136540.1]
    According to this post Access Policies framework does not manage users who are obtained either through trusted reconciliation or target reconciliation.
    Is there any custom way to achieve this??
    How does the access policy framework revoke resource work? (revoke if no longer applies)??
    Edited by: IDMuser19 on Jun 21, 2011 11:43 PM

  • Can I create administrator user in OIM

    Hi
    Can I create a new Administrator user in OIM?
    What I mean by Administrator user is, It should be able to do all operations which "XELSYSADM" user can do.
    Thanking You
    Kiran Thakkar

    In OIM access rights are not at user level. Instead they are at group level. xelsysadm is a special predefined user that belongs to SYSTEM ADMINISTRATORS group and hence he has access to everything. Similarly any user you create and make a member of SYSTEM ADMINISTRATORS group will have all access same as xelsysadm
