Reconciliation from HR

Dear People,
I will tell you the scenario that is typical in an IdM solution. We are reconciling from HR (Meta4, PeopleSoft, etc). So, I have a doubt. We need to charge the manager. What happens when the manager is reconciled at the same time as the new user? For example:
User1 is an employee of Manager1. But in the recon events, it first loads User1 and then Manager1. As Manager1 isn't a user yet in OIM, the manager field will fail. So, if we then throw a new full recon, it will work because Manager1 is created now. Is there a way to make it in one step of the Trusted Source Recon event? My idea is to leave a reconciliation, for example, 2 times per day, and that OIM can resolve these situations without getting inside the recon jar code.
Thanks!

I would probably create a UDF in User Object and store the manager ID in that UDF during recon. Then have a scheduled task that will read all users that have the UDF field populated during recon, set the manager ID field with value from UDF, reset the UDF and save the form. This will eliminate the issue of having Manager present in OIM before the user is reconciled.
- Aman
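
The two-pass approach from the reply above, as an added example that is not part of the original thread and does not use OIM API calls. It models the user store in memory; `pending_manager` stands in for the UDF, and all names and the sample events are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    key: int
    login: str
    manager_key: Optional[int] = None      # the real manager field
    pending_manager: Optional[str] = None  # hypothetical UDF: manager ID as sent by HR


class IdentityStore:
    def __init__(self):
        self.by_login = {}
        self._next_key = 1

    def reconcile(self, event):
        """Trusted-source pass: create or update the user, never resolve the manager."""
        login = event["login"]
        user = self.by_login.get(login)
        if user is None:
            user = User(self._next_key, login)
            self._next_key += 1
            self.by_login[login] = user
        # Only stage the manager ID; it may point at a user that is not loaded yet.
        user.pending_manager = event.get("manager") or None
        return user

    def resolve_pending_managers(self):
        """Scheduled-task pass: link staged manager IDs and reset the staging field."""
        linked, unresolved = [], []
        for user in self.by_login.values():
            if not user.pending_manager:
                continue
            manager = self.by_login.get(user.pending_manager)
            # Unknown manager or self-reference: keep it staged so the next run
            # retries it and the gap stays visible instead of failing the event.
            if manager is None or manager.key == user.key:
                unresolved.append(user.login)
                continue
            user.manager_key = manager.key
            user.pending_manager = None
            linked.append(user.login)
        return linked, unresolved


# Constructed sample feed: User1 arrives before Manager1, as in the question.
HR_EVENTS = [
    {"login": "USER1", "manager": "MANAGER1"},
    {"login": "MANAGER1", "manager": ""},
    {"login": "USER2", "manager": "MANAGER2"},  # manager missing from this run
]


def run_demo():
    store = IdentityStore()
    for event in HR_EVENTS:
        store.reconcile(event)
    first = store.resolve_pending_managers()
    # A later recon run delivers the missing manager; the next task run links it.
    store.reconcile({"login": "MANAGER2", "manager": ""})
    second = store.resolve_pending_managers()
    return store, first, second


if __name__ == "__main__":
    _, first_run, second_run = run_demo()
    print("first task run:", first_run)
    print("second task run:", second_run)
```

Users left in the unresolved list have no manager set, so anything that routes approvals or attestation by manager should treat them as exceptions until a later run links them.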

Similar Messages

  • User not created in OIM 11gr2 - trusted reconciliation from OID

    Hello,
    in my tests I'm trying to do a trusted reconciliation from OID to OIM.
    I checked the errors below in the log file and I checked the column on the database. The column is there but I can't understand why this error appears.
    I did a select on this table and this column is empty (select RA_USERLOGIN7C7B96D4 from RA_OIDTRUSTEDUSERBCBD344A).
    INFO: Generic Information: select USR_KEY from usr where USR_MIDDLE_NAME is null and USR_UDF_ORCLGUID=? and USR_FIRST_NAME=? and USR_EMAIL=? and USR_LAST_NAME=? and USR_STATUS=? and USR.USR_STATUS != 'Deleted' AND ((UPPER(USR.USR_LOGIN)=UPPER(RA_OIDTRUSTEDUSERBCBD344A.RA_USERLOGIN7C7B96D4)))
    INFO: Generic Information: Params = [CF7C29EE75F5A78FE040A8C084000DE8, orcladmin, orcladmin, orcladmin, Enabled]
    SEVERE: Generic Information: {0}
    oracle.iam.reconciliation.exception.DBAccessException: Failed SQL:: select USR_KEY from usr where USR_MIDDLE_NAME is null and USR_UDF_ORCLGUID=? and USR_FIRST_NAME=? and USR_EMAIL=? and USR_LAST_NAME=? and USR_STATUS=? and USR.USR_STATUS != 'Deleted' AND ((UPPER(USR.USR_LOGIN)=UPPER(RA_OIDTRUSTEDUSERBCBD344A.RA_USERLOGIN7C7B96D4))) =>PARAMS:: [CF7C29EE75F5A78FE040A8C084000DE8, orcladmin, orcladmin, orcladmin, Enabled]
    at oracle.iam.reconciliation.utils.DBAccessTemplate.executeQuery(DBAccessTemplate.java:71)
    at oracle.iam.reconciliation.impl.BaseEntityTypeHandler.executeSql(BaseEntityTypeHandler.java:508)
    at oracle.iam.reconciliation.impl.UserHandler.getMatchingKeys(UserHandler.java:601)
    at oracle.iam.reconciliation.impl.ReconOperationsServiceImpl.ignoreEvent(ReconOperationsServiceImpl.java:556)
    at oracle.iam.reconciliation.impl.ReconOperationsServiceImpl.ignoreEvent(ReconOperationsServiceImpl.java:535)
    at sun.reflect.GeneratedMethodAccessor3188.invoke(Unknown Source)
    at org.quartz.core.JobRunShell.run(JobRunShell.java:203)
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:529)
    Caused by: java.sql.SQLSyntaxErrorException: ORA-00904: "RA_OIDTRUSTEDUSERBCBD344A"."RA_USERLOGIN7C7B96D4": invalid identifier
    at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:462)
    at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:405)
    at oracle.jdbc.driver.T4C8Oall.processError(T4C8Oall.java:931)
    at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:481)
    at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:205)
    After this error the log shows:
    SEVERE: oracle.iam.connectors.icfcommon.recon.SearchReconTask : handle : Recon event skipped
    oracle.iam.connectors.icfcommon.exceptions.OIMException: Thor.API.Exceptions.tcAPIException: Child tables only supported at account-level
    at oracle.iam.connectors.icfcommon.service.oim11.OIM11Reconciliation.processEvent(OIM11Reconciliation.java:101)
    Please help me on this and tell me if I am missing something here.
    Thanks

    I've found something that worked for me. When executing the trusted recon schedule task, the "Configuration Lookup" field in the "OID Server" IT Resource has to have the value "Lookup.OID.Configuration.Trusted". On the other hand, when executing the user sync recon schedule task, this field must have the value "Lookup.OID.Configuration.Trusted".
    The lookups' names can be different if you've manually renamed them.
    --jtellier

  • Reconciliation from LDIF files

    Hello there,
    Can we perform reconciliation from ldif files? Is there any way we can do that?
    I am trying to extract user profiles from Tivoli directory to OIM database. The output from tds is in the form of ldif.
    Thanks in advance.

    Absolutely, but you are going to need to write it yourself. You just need a scheduled task that reads in the ldif entries, converts them to hashmaps and calls the appropriate tcReconciliationOperationsIntf methods to submit the events.
    Alternatively, convert the ldif to a csv (there are lots of scripts out there to do this and if you are handy with perl it is not difficult) and use the GTC flat file recon.

  • Custom code for Target Source Reconciliation from a flat file

    Hi Experts,
    I need help in writing a custom code for Target Source Reconciliation from a flat file to OIM. The flat file will contain account details for different application instances. I am working on 11gr2.
    Thanks,
    Subin

    All right, all right, not so quickly.
    I am at the stage of trying to put one dimension
    array. But I am stuck in one place, this is the program:
    import java.io.*;

    public class FromFile {
        public static void main(String[] args) throws IOException {
            File inputFile = new File("mac.txt");
            FileReader in = new FileReader(inputFile);
            int c;
            // Reads ten characters; read() returns the character code, or -1 at end of file.
            for (int i = 0; i < 10; i++) {
                c = in.read();
                System.out.println(c);
            }
            in.close();
        }
    }
    and I try to read: 1 2 3 4 from text file
    This is the result so far...
    49
    32
    50
    32
    51
    32
    52
    -1
    -1
    -1
    well,
    I think I know what's wrong. I must change ASCII numbers into
    ints. But I don't know how to do it. Some nice book, or
    tutorial on streams would come in handy. Could you correct
    it?

  • Not able to run a reconciliation from IDM on the securID/ACE server UNIX

    I have configured a securID/ACE adapter in IDM 7.1 so that it can provision updates of user accounts. RSA 6.1.2 server is running on Linux RHEL 2.6.9. I am able to connect to RSA from IDM, but when I run a reconciliation I get the following error,
    Error iterating accounts for resource RES-User-RSA-Projects:
    com.waveset.util.WavesetException: Trouble constructing User 'null'
    Below is the stack trace that I extracted from IDM (debug): The stack below tells me that IDM is not able to establish a connection to the RSA server. I have made sure that the login account that I am using in the RSA adapter parameters belongs to the same group that owns /opt/ace/utils/tcl/bin/tcl-sd.
    Is there anything else I need to do? Has anybody out there faced a similar issue and found a resolution?
    SecurIdUnixResourceAdapter#getFeatures() Entryno args
    SecurIdUnixResourceAdapter#getFeatures() Exit void
    SecurIdUnixResourceAdapter#getFeatures() Entry no args
    SecurIdUnixResourceAdapter#getFeatures() Exit void
    SecurIdUnixResourceAdapter#getFeatures() Entry no args
    SecurIdUnixResourceAdapter#getFeatures() Exit void
    SecurIdUnixResourceAdapter#getLoginScript() Entry no args
    SecurIdUnixResourceAdapter#getTclshPath() Entry no args
    SecurIdUnixResourceAdapter#getTclshPath() Exit returned= /opt/ace/utils/tcl/bin/tcl-sd
    SecurIdUnixResourceAdapter#getResourceAttributeValue() Entry no args
    SecurIdUnixResourceAdapter#getResourceAttributeValue() Exit returned= 24
    SecurIdUnixResourceAdapter#getResourceAttributeValue() Entry no args
    SecurIdUnixResourceAdapter#getResourceAttributeValue() Exit returned= 2
    SecurIdUnixResourceAdapter#getResourceAttributeValue() Entry no args
    SecurIdUnixResourceAdapter#getResourceAttributeValue() Exit returned= 6
    SecurIdUnixResourceAdapter#getUserExtensionMapNames() Entry no args
    SecurIdUnixResourceAdapter#getUserExtensionMapNames() Exit void
    SecurIdUnixResourceAdapter#getLoginScript() Exit void
    SecurIdUnixResourceAdapter#getAccountIteratorscript() Entry no args
    SecurIdUnixResourceAdapter#procSetup() Entry no args
    SecurIdUnixResourceAdapter#procSetup() Exit void
    SecurIdUnixResourceAdapter#procTearDown() Entry no args
    SecurIdUnixResourceAdapter#procTearDown() Exit void
    SecurIdUnixResourceAdapter#getAccountIteratorscript() Exit void
    SecurIdUnixResourceAdapter#getAccountIteratorResult() Entry no args
    SecurIdUnixResourceAdapter#getAccountIteratorResult() Exit void
    SecurIdUnixResourceAdapter#constructUser() Entry no args
    SecurIdUnixResourceAdapter#constructUser() Info Database connection is not established!
    SecurIdUnixResourceAdapter#getFeatures() Entry no args
    SecurIdUnixResourceAdapter#getFeatures() Exit void

    Anybody out there who has configured SUN IDM to provision into RSA SecureID Ace/Server UNIX? Any help on this is greatly appreciated!

  • Getting error during reconciliation from AD in OIM

    I am trying to reconcile one user from Active Directory by using a scheduled task.
    I have used search filter as (&(objectClass=user)(extensionAttribute8=123456))
    Getting following error:
    2011-08-16 11:22:07,183 DEBUG [OIMCP.ADCS] com.thortech.xl.schedule.tasks.ActiveDirectoryReconTask : transformSingleMultivaluedData:: FINISHED
    2011-08-16 11:22:07,199 ERROR [XELLERATE.APIS] Class/Method: tcReconciliationOperationsBean/ignoreEventData encounter some problems: {1}
    java.lang.NullPointerException
    2011-08-16 11:22:07,199 ERROR [OIMCP.ADCS] ====================================================
    2011-08-16 11:22:07,199 ERROR [OIMCP.ADCS] com.thortech.xl.schedule.tasks.ActiveDirectoryReconTask : processUserChange : java.lang.NullPointerException
    2011-08-16 11:22:07,199 ERROR [OIMCP.ADCS] ====================================================
    2011-08-16 11:22:07,199 ERROR [OIMCP.ADCS] ================= Start Stack Trace =======================
    2011-08-16 11:22:07,199 ERROR [OIMCP.ADCS] com.thortech.xl.schedule.tasks.ActiveDirectoryReconTask : processUserChange
    2011-08-16 11:22:07,199 ERROR [OIMCP.ADCS] java.lang.NullPointerException
    2011-08-16 11:22:07,199 ERROR [OIMCP.ADCS] Description : java.lang.NullPointerException
    2011-08-16 11:22:07,199 ERROR [OIMCP.ADCS] Thor.API.Exceptions.tcAPIException: java.lang.NullPointerException
         at com.thortech.xl.ejb.beansimpl.tcReconciliationOperationsBean.ignoreEventData(Unknown Source)
         at com.thortech.xl.ejb.beansimpl.tcReconciliationOperationsBean.ignoreEvent(Unknown Source)
    Edited by: JRS on Aug 16, 2011 10:48 AM

    Looks everything fine to me.
    Reconciliation rule for AD user object is active and the rule as below
    User Login is equals to ExtensionAttribute8
    OR
    objectGuid equals to objectGuid
    And we have key field is ObjectGuid attribute
    Pls suggest what are other things to check. I need to resolve this ASAP.
    Thanks again..

  • Data reconciliation from 2 data targets to a new data target

    Hello Gurus,
    I have a requirement of reconciling data from 2 data targets to a new data target, any suggestions are appreciated.
    The Scenario is as follows:
    Cube1 is in key figure model
    Cube 2 is accounting model
    Each account in Cube2 corresponds to one key figure in Cube1.
    Now the data needs to be reconciled, if there is any difference it needs to be written in to another cube, A mapping table is available which contains which key figure corresponds to which account.
    Thanks in advance.
    Ganesh

    Hi Ganesh,
    I think, you can do this with APD: Use the two cubes as sources in an Analysis Process. Place a routine behind cube1 in order to enrich the cube data with the mapping information (I assume you have a DB table containing the mapping information), i.e. add the fields for the accounts.
    Then join cube2 with the result of the routine.
    Would this make sense? I am not sure, maybe it would be better to start with cube2 instead of cube1.
    Kind regards,
    Thomas

  • Reconciliation from iPlanet in OIM 9.1.0

    Hello folks,
    Did anybody succeed to bring the users from iPlanet into OIM 9.1.0? If there is somebody who can help me please let me know.
    Have a nice day!
    Razvan

  • How to set up reconciliation for a custom resource?

    Hello,
    I have a custom connector that I need to set up. To provision to this system, I will write the provisioning information into a file. The target system takes that info and somehow knows how to consume it.
    I am wondering how I can set up the reconciliation process from that target system back to OIM. Can OIM do a target reconciliation from a flat file?
    Any format standards to follow?
    Thanks
    Khanh

    Thank you for your input.
    My case is a little bit more complex.
    There is a request and approval process attached to the provision to this target system.
    The approval process has a first level of approval (including 1 to many approval steps) and the user gets the basic access to this target system. The user can then access the target system but is limited to what he/she can do.
    Then the approval goes to a second level of approval (including many approval steps) and if approved the user gets the elevated access to this target system.
    To accomplish this, the previous implementer created 2 resources for the same target. After the first level of approval, he provisioned resource A to the user. After the second level of approval, he provisioned resource B to the user, revoked resource B, and updated resource A.
    This is very confusing because we are dealing with 2 resources for the same target.
    I am looking for a way to take advantage of the GTC to provision and reconcile with a system that takes a flat file and can write a flat file. But I also need to make it work with this approval nightmare.
    Do you have any ideas on how to make this better and simpler?
    Thanks
    Khanh

  • Q57: AP Invoice and payment reconciliation

    Dear All,
    Which table(s) can I use to see whether an AP Invoice has actually been paid.
    I can get AP Invoice information from OPCH & PCH1 but where do I get the reconciliation from?
    Thanks,
    Robin

    Dear Robin,
    If you only need unpaid or not fully paid invoice, you can query OPCH table by a condition DocTotal-PaidtoDate>0
    VPM2 holds the detail for each invoice payment.
    The reconciliation tables are OITR and ITR1.
    Thanks,
    Gordon

  • Trusted and Target Reconciliation

    Hi All,
    Can we do trusted and target reconciliation from the same resource? I have to get email id and few attributes from AD on user profile and I need to do target recon for existing AD ids for further reporting and attestation. Can anyone make a recommendation for the best possible way?
    Regards
    Nitesh

    For trusted recon: do you only have to fetch some attributes from AD to be populated on the User Profile only one time? For e.g. contractor end dates are normally stored in AD and after the users have been reconciled in OIM, the end dates need to be updated on the OIM profile from AD for the users. Is this the scenario or do you need to do this on an on-going basis, meaning when those attributes change in AD you need it propagated in OIM?
    If it is a one time thingy all you need to do is write a ST that will be run only once, to populate the required fields on the OIM user profile of all users after day 1 recon has been completed.
    If you need this on an ongoing basis, you can configure only an app recon and on recon update recd write an adapter to see what fields have changed on the process form, see if those are the fields that you need to propagate to the user form, if so then simply update the user form with the value that is there for that field on the process form.

  • CO FI Reconciliation : KALC

    Hi,
    I have activated New GL (mandatory Profit Center -PC) from Apr 1. I know that SAP recommends the use of real time reconciliation for CO <> FI instead of executing KALC. However, I did not do it at that point, and today when I try to reconcile my CO with FI using KALC, I get the following error : Balancing Field Profit Center not filled.
    I believe the cause of this error is CO does not pass PC as a field during postings to FI using KALC. However, due to my New GL settings PC is mandatory and hence due to blank PC the journal entries cannot be posted.
    I would activate real time reconciliation from next month, but I am clueless about how to reconcile these existing lines.
    Any help would be appreciated.
    Thanks,
    Debayan

    Hi
    Reco ledger is no longer required if you implement New GL. As with New GL it happens on real time basis
    Allocations are still a month end activity.. But, unlike before, when you do allocations now in CO, it triggers a posting in FI as well due to which FI and CO are reconciled real time.... The reco variant you can set up to trigger postings in FI whenever a cross Bus area or cross PC allocation happens in CO... System would immediately trigger a posting in FI as well whenever cross allocation happens
    Hope it helps
    Ajay M

  • SAP ER: User Reconciliation Data Transformation

    Hi all,
    I need to transform data during user reconciliation from a SAP HR trusted source.
    I did everything as described at chapter *"4.5 Configuring Transformation of Data During User Reconciliation"*
    (http://download.oracle.com/docs/cd/E11223_01/doc.910/e11210/extnd_func.htm#CIHIHAJE)
    1. Write code that implements the required transformation logic in a Java class.
    2. Create a JAR file to hold the Java class.
    3. Upload jar into OIM database
    4. Edit&Save the Lookup.SAP.HRMS.ReconTransformation (applied for the Last Name field)
    5. Edit&Save Lookup.SAP.HRMS.Configuration
    Finally I also restarted the oim server.
    When the user reconciliation ends, I don't find any field (Last Name in my case) transformed and I cannot find any log message about my transformation class.
    It seems that OIM (11g) doesn't invoke the transformation class: is there some additional task not described to follow?
    Has anyone been able to transform data during SAP ER User Reconciliation? And if yes, how?
    Thanks a lot in advance,
    Ettore

    Hi Gabriele
    Check the batch size system property. Only after the number of events reaches to that number, your recon events will be processed.
    Please run the scheduled job "Non Scheduled batch recon" to process the recon events immediately.
    Let me know the results.
    Regards
    user12841694

  • How to configure Reconciliation only for a particular resource

    Hi All,
    I have a requirement to configure target reconciliation from AD only for a client. For that I have installed the connector as per documentation (both prov and recon). Now how can I make sure that:
    1. When I disable/enable the user in OIM, corresponding target resource will not be disabled/enabled.
    2. If I make any changes on resource form corresponding change should not flow back to AD.
    Is removing the prov related jar able to ensure these things or do I need to remove the corresponding prov lookup or any changes required in configuration lookup? Please suggest...TIA

    Change the drop down option to "Disable Process..."
    Attach tcComplete event handler there.
    In Task to Object Status Mapping, select Disabled in front of completed.
    Now suppose user is PROVISIONED to a resource say Test. So whenever user gets DISABLED in OIM, it will disable the target resource Test. But in actual the target resource will not be disabled for that user. He/She can access that resource after getting disabled as you haven't put the logic to disable the target resource (as you have used tcComplete here).
    As you are saying that it should show disabled only if Disabled is coming from Trusted Resource. Then it's fine till now.
    If you don't want to show status as Disabled then in Task to Object Status Mapping, do not select Disabled in front of completed. In this case, it will show status as PROVISIONED only. This is wrong.
    I'll try to understand what you have written here ->
    BUT NOW THE ISSUE. IT DISABLED MY ASSOCIATED RESOURCE (not in target resource actually but on oim side under resources tab). THIS IS ACTUALLY NOT DESIRABLE.
    -> It will do as you are using tcComplete. If you put your java code which disables the target resource in integration tab (in form of process task adapter instead of tcComplete) then it will disable the actual target resource for user.
    REAL REQUIREMENT IS THAT FOR NOW (*till provisioning is not configured*) OIM DISABLE SHOULD NOT INVOKE THE DISABLE OF ASSOCIATED TARGET RESOURCE NOR IT CHANGED THE STATUS UNDER RESOURCES TAB FOR PARTICULAR RESOURCE. THE STATUS UNDER RESOURCES TAB SHOULD ONLY BE CHANGED WHILE RECONCILIATION.
    -> As you have written, "Till provisioning is not configured", So if provisioning is not configured then it will not show disabled under Resource tab for that particular resource.
    You can see disabled only after resource is provisioned to that user.
    If this doesn't answer your question, it would be better if you explain your requirement clearly. It's not clear.

  • One-time Reconciliation in Xellerate

    Hi,
    I read in the Connector Framework Guide that one-time reconciliation can be done with target systems to import all accounts into Xellerate. Then, Xellerate can be used to provision from there onwards.
    Currently, I've got trusted source reconciliation from Active Directory to Xellerate such that users in AD are reconciled and created as Xellerate Users. I also have an access policy that provisions the AD resource to all users but this error occurs:
    17:22:56,796 INFO [STDOUT] Problem creating object: javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - 00000524: UpdErr: DSID-031A0F4B, problem 6005 (ENTRY_EXISTS), data 0 ]; remaining name 'cn=MANUALUSER15'
    Basically, I want to do one-time reconciliation from 2 sources (AD and another source) but from then onwards, Xellerate will be used to manage users and no more reconciliation needs to occur from the sources.
    I'm not sure whether I've correctly configured what I need to. Any help would be really appreciated.

    OK, so what you need to do is the following.....
    1. Set up trusted reconciliation from AD -->> OIM. (Make sure you do this before you set up the automated provisioning access policy, or if it is already in place, disable it by assigning the policy to a bogus group that has no members in it.)
    2. Once your "trusted" reconciliation has been completed, you need to remove the reconciliation mappings from the xellerate user for the AD reconciliation.
    3. Modify your AD reconciliation process so that it is no longer "trusted". Now you can link your existing AD users (with associated group memberships etc...) to your OIM accounts.
    4. Re-enable your access policy (by associating it back with the group you originally had it).
