Reconciliation from HR
Dear People,
I will tell you the scenario that is typical in an IdM solution. We are reconciling from HR (Meta4, PeopleSoft, etc). So, I have a doubt. We need to charge the manager. What happens when the manager is reconciled at the same time as the new user? For example:
User1 is an employee of Manager1. But in the recon events, it first loads User1 and then Manager1. As Manager1 isn't a user yet in OIM, the manager field will fail. So, if afterwards we run a new full recon, it will work because Manager1 is created now. Is there a way to do it in one step of the Trusted Source Recon event? My idea is to leave a reconciliation running, for example, 2 times per day, so that OIM can resolve these situations without getting inside the recon jar code.
Thanks!
I would probably create a UDF in User Object and store the manager ID in that UDF during recon. Then have a scheduled task that will read all users that have the UDF field populated during recon, set the manager ID field with value from UDF, reset the UDF and save the form. This will eliminate the issue of having Manager present in OIM before the user is reconciled.
- Aman
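The staged-manager approach from the reply above, as an added example that is not part of the original thread: a small in-memory Python model of the two passes, not OIM API code. The `User` class, the `staged_manager_id` field (standing in for the UDF) and the feed contents are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class User:
    login: str
    manager_key: Optional[str] = None        # resolved manager reference
    staged_manager_id: Optional[str] = None  # hypothetical UDF holding the HR manager ID


def trusted_recon(store: Dict[str, User],
                  hr_feed: List[Tuple[str, Optional[str]]]) -> None:
    """Pass 1: create or update users in feed order.

    The manager is never looked up here, so the order of the feed
    cannot make the event fail; the HR manager ID is only staged.
    """
    for login, manager_id in hr_feed:
        user = store.setdefault(login, User(login))
        if manager_id is not None:
            user.staged_manager_id = manager_id


def resolve_staged_managers(store: Dict[str, User]) -> List[str]:
    """Pass 2 (the scheduled task): link every staged manager that now exists.

    Returns the logins whose manager is still missing; their staged value
    is kept so the next run can retry them.
    """
    unresolved = []
    for user in store.values():
        staged = user.staged_manager_id
        if staged is None:
            continue
        if staged in store and staged != user.login:
            user.manager_key = staged
            user.staged_manager_id = None  # reset the UDF once linked
        else:
            unresolved.append(user.login)
    return sorted(unresolved)


# Constructed feed: User1 arrives before Manager1, Director1 is not in this
# batch, and User2 points at an ID that HR never sends.
FEED_RUN_1 = [("user1", "manager1"), ("manager1", "director1"), ("user2", "ghost")]
FEED_RUN_2 = [("director1", None)]

if __name__ == "__main__":
    users: Dict[str, User] = {}
    trusted_recon(users, FEED_RUN_1)
    print("still unresolved:", resolve_staged_managers(users))
    trusted_recon(users, FEED_RUN_2)
    print("still unresolved:", resolve_staged_managers(users))
```

Logins that stay in the returned list across several runs are worth reporting, since an account without a manager has nobody to approve or attest its access.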
Similar Messages
-
User not created in OIM 11gr2 - trusted reconciliation from OID
Hello,
in my tests I'm trying to do a trusted reconciliation from OID to OIM.
I checked the errors below in the log file and I checked the column on the database. The column is there but I can't understand why this error appears.
I did a select on this table and this column is empty (select RA_USERLOGIN7C7B96D4 from RA_OIDTRUSTEDUSERBCBD344A).
INFO: Generic Information: select USR_KEY from usr where USR_MIDDLE_NAME is null and USR_UDF_ORCLGUID=? and USR_FIRST_NAME=? and USR_EMAIL=? and USR_LAST_NAME=? and USR_STATUS=? and USR.USR_STATUS != 'Deleted' AND ((UPPER(USR.USR_LOGIN)=UPPER(RA_OIDTRUSTEDUSERBCBD344A.RA_USERLOGIN7C7B96D4)))
INFO: Generic Information: Params = [CF7C29EE75F5A78FE040A8C084000DE8, orcladmin, orcladmin, orcladmin, Enabled]
SEVERE: Generic Information: {0}
oracle.iam.reconciliation.exception.DBAccessException: Failed SQL:: select USR_KEY from usr where USR_MIDDLE_NAME is null and USR_UDF_ORCLGUID=? and USR_FIRST_NAME=? and USR_EMAIL=? and USR_LAST_NAME=? and USR_STATUS=? and USR.USR_STATUS != 'Deleted' AND ((UPPER(USR.USR_LOGIN)=UPPER(RA_OIDTRUSTEDUSERBCBD344A.RA_USERLOGIN7C7B96D4))) =>PARAMS:: [CF7C29EE75F5A78FE040A8C084000DE8, orcladmin, orcladmin, orcladmin, Enabled]
at oracle.iam.reconciliation.utils.DBAccessTemplate.executeQuery(DBAccessTemplate.java:71)
at oracle.iam.reconciliation.impl.BaseEntityTypeHandler.executeSql(BaseEntityTypeHandler.java:508)
at oracle.iam.reconciliation.impl.UserHandler.getMatchingKeys(UserHandler.java:601)
at oracle.iam.reconciliation.impl.ReconOperationsServiceImpl.ignoreEvent(ReconOperationsServiceImpl.java:556)
at oracle.iam.reconciliation.impl.ReconOperationsServiceImpl.ignoreEvent(ReconOperationsServiceImpl.java:535)
at sun.reflect.GeneratedMethodAccessor3188.invoke(Unknown Source)
at org.quartz.core.JobRunShell.run(JobRunShell.java:203)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:529)
Caused by: java.sql.SQLSyntaxErrorException: ORA-00904: "RA_OIDTRUSTEDUSERBCBD344A"."RA_USERLOGIN7C7B96D4": invalid identifier
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:462)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:405)
at oracle.jdbc.driver.T4C8Oall.processError(T4C8Oall.java:931)
at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:481)
at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:205)
After this error the log shows:
SEVERE: oracle.iam.connectors.icfcommon.recon.SearchReconTask : handle : Recon event skipped
oracle.iam.connectors.icfcommon.exceptions.OIMException: Thor.API.Exceptions.tcAPIException: Child tables only supported at account-level
at oracle.iam.connectors.icfcommon.service.oim11.OIM11Reconciliation.processEvent(OIM11Reconciliation.java:101)
Please help me on this and tell me if I am missing something here.
Thanks
I've found something that worked for me. When executing the trusted recon schedule task, the "Configuration Lookup" field in the "OID Server" IT Resource has to have the value "Lookup.OID.Configuration.Trusted". On the other hand, when executing the user sync recon schedule task, this field must have the value "Lookup.OID.Configuration.Trusted".
The lookups' names can be different if you've manually renamed them.
--jtellier -
Reconciliation from LDIF files
Hello there,
Can we perform reconciliation from ldif files? Is there any way we can do that?
I am trying to extract user profiles from Tivoli directory to OIM database. The output from tds is in the form of ldif.
Thanks in advance.
Absolutely, but you are going to need to write it yourself. You just need a scheduled task that reads in the ldif entries, converts them to hashmaps and calls the appropriate tcReconciliationOperationsIntf methods to submit the events.
Alternatively, convert the ldif to a csv (there are lots of scripts out there to do this and if you are handy with perl it is not difficult) and use the GTC flat file recon. -
Custom code for Target Source Reconciliation from a flat file
Hi Experts,
I need help in writing a custom code for Target Source Reconciliation from a flat file to OIM. The flat file will contain account details for different application instances. I am working on 11gr2.
Thanks,
Subin
All right, all right, not so quickly.
I am at the stage of trying to put one dimension
array. But I am stuck in one place, this is the program:
import java.io.*;

public class FromFile {
    public static void main(String[] args) throws IOException {
        File inputFile = new File("mac.txt");
        FileReader in = new FileReader(inputFile);
        int c;
        for (int i = 0; i < 10; i++) {
            // read() returns the character code as an int, or -1 at end of file
            c = in.read();
            System.out.println(c);
        }
        in.close();
    }
}
and I try to read: 1 2 3 4 from text file
This is the result so far...
49
32
50
32
51
32
52
-1
-1
-1
well,
I think I know what's wrong. I must change ASCII numbers into
ints. But I don't know how to do it. Some nice book, or
tutorial on streams would come in handy. Could you correct
it? -
Not able to run a reconciliation from IDM on the securID/ACE server UNIX
I have configured a securID/ACE adapter in IDM 7.1 so that it can provision updates of user accounts. RSA 6.1.2 server is running on Linux RHEL 2.6.9. I am able to connect to RSA from IDM, but when I run a reconciliation I get the following error,
Error iterating accounts for resource RES-User-RSA-Projects:
com.waveset.util.WavesetException: Trouble constructing User 'null'
Below is the stack trace that I extracted from IDM (debug): The stack below tells me that IDM is not able to establish a connection to the RSA server. I have made sure that the login account that I am using in the RSA adapter parameters belongs to the same group that owns /opt/ace/utils/tcl/bin/tcl-sd.
Is there anything else I need to do? Has anybody out there faced a similar issue and found a resolution?
SecurIdUnixResourceAdapter#getFeatures() Entryno args
SecurIdUnixResourceAdapter#getFeatures() Exit void
SecurIdUnixResourceAdapter#getFeatures() Entry no args
SecurIdUnixResourceAdapter#getFeatures() Exit void
SecurIdUnixResourceAdapter#getFeatures() Entry no args
SecurIdUnixResourceAdapter#getFeatures() Exit void
SecurIdUnixResourceAdapter#getLoginScript() Entry no args
SecurIdUnixResourceAdapter#getTclshPath() Entry no args
SecurIdUnixResourceAdapter#getTclshPath() Exit returned= /opt/ace/utils/tcl/bin/tcl-sd
SecurIdUnixResourceAdapter#getResourceAttributeValue() Entry no args
SecurIdUnixResourceAdapter#getResourceAttributeValue() Exit returned= 24
SecurIdUnixResourceAdapter#getResourceAttributeValue() Entry no args
SecurIdUnixResourceAdapter#getResourceAttributeValue() Exit returned= 2
SecurIdUnixResourceAdapter#getResourceAttributeValue() Entry no args
SecurIdUnixResourceAdapter#getResourceAttributeValue() Exit returned= 6
SecurIdUnixResourceAdapter#getUserExtensionMapNames() Entry no args
SecurIdUnixResourceAdapter#getUserExtensionMapNames() Exit void
SecurIdUnixResourceAdapter#getLoginScript() Exit void
SecurIdUnixResourceAdapter#getAccountIteratorscript() Entry no args
SecurIdUnixResourceAdapter#procSetup() Entry no args
SecurIdUnixResourceAdapter#procSetup() Exit void
SecurIdUnixResourceAdapter#procTearDown() Entry no args
SecurIdUnixResourceAdapter#procTearDown() Exit void
SecurIdUnixResourceAdapter#getAccountIteratorscript() Exit void
SecurIdUnixResourceAdapter#getAccountIteratorResult() Entry no args
SecurIdUnixResourceAdapter#getAccountIteratorResult() Exit void
SecurIdUnixResourceAdapter#constructUser() Entry no args
SecurIdUnixResourceAdapter#constructUser() Info Database connection is not established!
SecurIdUnixResourceAdapter#getFeatures() Entry no args
SecurIdUnixResourceAdapter#getFeatures() Exit void
Anybody out there who has configured SUN IDM to provision into RSA SecureID Ace/Server UNIX? Any help on this is greatly appreciated!
-
Getting error during reconciliation from AD in OIM
I am trying to reconcile one user from Active Directory by using a scheduled task.
I have used search filter as (&(objectClass=user)(extensionAttribute8=123456))
Getting following error:
2011-08-16 11:22:07,183 DEBUG [OIMCP.ADCS] com.thortech.xl.schedule.tasks.ActiveDirectoryReconTask : transformSingleMultivaluedData:: FINISHED
2011-08-16 11:22:07,199 ERROR [XELLERATE.APIS] Class/Method: tcReconciliationOperationsBean/ignoreEventData encounter some problems: {1}
java.lang.NullPointerException
2011-08-16 11:22:07,199 ERROR [OIMCP.ADCS] ====================================================
2011-08-16 11:22:07,199 ERROR [OIMCP.ADCS] com.thortech.xl.schedule.tasks.ActiveDirectoryReconTask : processUserChange : java.lang.NullPointerException
2011-08-16 11:22:07,199 ERROR [OIMCP.ADCS] ====================================================
2011-08-16 11:22:07,199 ERROR [OIMCP.ADCS] ================= Start Stack Trace =======================
2011-08-16 11:22:07,199 ERROR [OIMCP.ADCS] com.thortech.xl.schedule.tasks.ActiveDirectoryReconTask : processUserChange
2011-08-16 11:22:07,199 ERROR [OIMCP.ADCS] java.lang.NullPointerException
2011-08-16 11:22:07,199 ERROR [OIMCP.ADCS] Description : java.lang.NullPointerException
2011-08-16 11:22:07,199 ERROR [OIMCP.ADCS] Thor.API.Exceptions.tcAPIException: java.lang.NullPointerException
at com.thortech.xl.ejb.beansimpl.tcReconciliationOperationsBean.ignoreEventData(Unknown Source)
at com.thortech.xl.ejb.beansimpl.tcReconciliationOperationsBean.ignoreEvent(Unknown Source)
Edited by: JRS on Aug 16, 2011 10:48 AM
Looks everything fine to me.
Reconciliation rule for AD user object is active and the rule as below
User Login is equals to ExtensionAttribute8
OR
objectGuid equals to objectGuid
And we have key field is ObjectGuid attribute
Pls suggest what are other things to check. I need to resolve this ASAP.
Thanks again.. -
Data reconciliation from 2 datatargets to a new data taget
Hello Gurus,
I have a requirement of reconciling data from 2 data targets to a new data target, any suggestions are appreciated.
The Scenario is as follows:
Cube1 is in key figure model
Cube 2 is accounting model
Each account in Cube2 corresponds to one key figure in Cube1.
Now the data needs to be reconciled, if there is any difference it needs to be written in to another cube, A mapping table is available which contains which key figure corresponds to which account.
Thanks in advance.
Ganesh
Hi Ganesh,
I think, you can do this with APD: Use the two cubes as sources in an Analysis Process. Place a routine behind cube1 in order to enrich the cube data with the mapping information (I assume you have a DB table containing the mapping information), i.e. add the fields for the accounts.
Then join cube2 with the result of the routine.
Would this make sense? I am not sure, maybe it would be better to start with cube2 instead of cube1.
Kind regards,
Thomas -
Reconciliation from iPlanet in OIM 9.1.0
Hello folks,
Did anybody succeed to bring the users from iPlanet into OIM 9.1.0? If there is somebody who can help me please let me know.
Have a nice day!
Razvan -
How to set up reconciliation for a custom resource?
Hello,
I have a custom connector that I need to set up. To provision to this system, I will write the provisioning information into a file. The target system takes that info and somehow knows how to consume it.
I am wondering how I can set up the reconciliation process from that target system back to OIM. Can OIM do a target reconciliation from a flat file?
Any format standards to follow?
Thanks
Khanh
Thank you for your input.
My case is a little bit more complex.
There is a request and approval process attached to the provision to this target system.
The approval process has a first level of approval (including 1 to many approval steps) and the user gets the basic access to this target system. The user can then access the target system but is limited to what he/she can do.
Then the approval goes to a second level of approval (including many approval steps) and if approved the user gets the elevated access to this target system.
To accomplish this, the previous implementer created 2 resources for the same target. After the first level of approval, he provisioned resource A to the user. After the second level of approval, he provisioned resource B to the user, revoked resource B, and updated resource A.
This is very confusing because we are dealing with 2 resources for the same target.
I am looking for way to take advantage of the GTC to provision and reconcile with a system that takes a flat file and can write a flat file. But I also need to make it work with this approval nightmare.
Do you have any ideas on how to make this better and simpler?
Thanks
Khanh -
Q57: AP Invoice and payment reconciliation
Dear All,
Which table(s) can I use to see whether an AP Invoice has actually been paid.
I can get AP Invoice information from OPCH & PCH1 but where do I get the reconciliation from?
Thanks,
Robin
Dear Robin,
If you only need unpaid or not fully paid invoice, you can query OPCH table by a condition DocTotal-PaidtoDate>0
VPM2 holds the detail for each invoice payment.
The reconciliation tables are OITR and ITR1.
Thanks,
Gordon -
Trusted and Target Reconciliation
Hi All,
Can we do trusted and target reconciliation from the same resource? I have to get email id and few attributes from AD on user profile and I need to do target recon for existing AD ids for further reporting and attestation. Can anyone make a recommendation for the best possible way?
Regards
Nitesh
For trusted recon: do you only have to fetch some attributes from AD to be populated on the User Profile only one time, for e.g. contractor end dates are normally stored in AD and after the users have been reconciled in OIM, the end dates need to be updated on the OIM profile from AD for the users. Is this the scenario or do you need to do this on an on-going basis, meaning when those attributes change in AD you need it propagated in OIM?
If it is a one time thingy all you need to do is write a ST that will be run only once, to populate the required fields on the OIM user profile of all users after day 1 recon has been completed.
If you need this on an ongoing basis, you can configure only an app recon and on recon update recd write an adapter to see what fields have changed on the process form, see if those are the fields that you need to propagate to the user form, if so then simply update the user form with the value that is there for that field on the process form. -
CO FI Reconciliation : KALC
Hi,
I have activated New GL (mandatory Profit Center -PC) from Apr 1. I know that SAP recommends the use of real time reconciliation for CO <> FI instead of executing KALC. However, I did not do it at that point, and today when I try to reconcile my CO with FI using KALC, I get the following error : Balancing Field Profit Center not filled.
I believe the cause of this error is CO does not pass PC as a field during postings to FI using KALC. However, due to my New GL settings PC is mandatory and hence due to blank PC the journal entries cannot be posted.
I would activate real time reconciliation from next month, but I am clueless about how to reconcile these existing lines.
Any help would be appreciated.
Thanks,
Debayan
Hi
Reco ledger is no longer required if you implement New GL.. As with New GL it happens on real time basis
Allocations are still a month end activity.. But, unlike before, when you do allocations now in CO, it triggers a posting in FI as well due to which FI and CO are reconciled real time.... The reco variant you can set up to trigger postings in FI whenever a cross Bus area or cross PC allocation happens in CO... System would immediately trigger a posting in FI as well whenever cross allocation happens
Hope it helps
Ajay M -
SAP ER: User Reconciliation Data Transformation
Hi all,
I need to transform data during user reconciliation from a SAP HR trusted source.
I did everything as described at chapter *"4.5 Configuring Transformation of Data During User Reconciliation"*
(http://download.oracle.com/docs/cd/E11223_01/doc.910/e11210/extnd_func.htm#CIHIHAJE)
1. Write code that implements the required transformation logic in a Java class.
2. Create a JAR file to hold the Java class.
3. Upload jar into OIM database
4. Edit&Save the Lookup.SAP.HRMS.ReconTransformation (applied for the Last Name field)
5. Edit&Save Lookup.SAP.HRMS.Configuration
Finally I also restarted the oim server.
When the user reconciliation ends, I don't find any field (Last Name in my case) transformed and I cannot find any log message about my transformation class.
It seems that OIM (11g) doesn't invoke the transformation class: is there some additional task, not described, to follow?
Has anyone been able to transform data during SAP ER User Reconciliation? And if yes, how?
Thanks a lot in advance,
Ettore
Hi Gabriele
Check the batch size system property. Only after the number of events reaches to that number, your recon events will be processed.
Please run the scheduled job "Non Scheduled batch recon" to process the recon events immediately.
Let me know the results.
Regards
user12841694 -
How to configure Reconciliation only for a particular resource
Hi All,
I have a requirement to configure target reconciliation from AD only for a client. For that I have installed the connector as per documentation (both prov and recon). Now how can I make sure that:-
1. When I disable/enable the user in OIM, corresponding target resource will not be disabled/enabled.
2. If I make any changes on resource form corresponding change should not flow back to AD.
Is removing the prov related jar able to ensure these things or do I need to remove the corresponding prov lookup or any changes required in configuration lookup? Please suggest...TIA
Change the drop down option to "Disable Process..."
Attach tcComplete event handler there.
In Task to Object Status Mapping, select Disabled in front of completed.
Now suppose user is PROVISIONED to a resource say Test. So whenever user gets DISABLED in OIM, it will disable the target resource Test. But in actual the target resource will not be disabled for that user. He/She can access that resource after getting disabled as you haven't put the logic to disable the target resource (as you have used tcComplete here).
As you are saying that it should show disabled only if Disabled is coming from Trusted Resource. Then it's fine till now.
If you don't want to show status as Disabled then in Task to Object Status Mapping, do not select Disabled in front of completed. In this case, it will show status as PROVISIONED only. This is wrong.
I'll try to understand what you have written here ->
BUT NOW THE ISSUE. IT DISABLED MY ASSOCIATED RESOURCE (not in target resource actually but on oim side under resources tab). THIS IS ACTUALLY NOT DESIRABLE.
-> It will do as you are using tcComplete. If you put your java code which disables the target resource in integration tab (in form of process task adapter instead of tcComplete) then it will disable the actual target resource for user.
REAL REQUIREMENT IS THAT FOR NOW (*till provisioning is not configured*) OIM DISABLE SHOULD NOT INVOKE THE DISABLE OF ASSOCIATED TARGET RESOURCE NOR IT CHANGED THE STATUS UNDER RESOURCES TAB FOR PARTICULAR RESOURCE. THE STATUS UNDER RESOURCES TAB SHOULD ONLY BE CHANGED WHILE RECONCILIATION.
-> As you have written, "Till provisioning is not configured", So if provisioning is not configured then it will not show disabled under Resource tab for that particular resource.
You can see disabled only after resource is provisioned to that user.
If this doesn't answer your question, it would be better if you explain your requirement clearly. It's not clear. -
One-time Reconciliation in Xellerate
Hi,
I read in the Connector Framework Guide that one-time reconciliation can be done with target systems to import all accounts into Xellerate. Then, Xellerate can be used to provision from there onwards.
Currently, I've got trusted source reconciliation from Active Directory to Xellerate such that users in AD are reconciled and created as Xellerate Users. I also have an access policy that provisions the AD resource to all users but this error occurs:
17:22:56,796 INFO [STDOUT] Problem creating object: javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - 00000524: UpdErr: DSID-031A0F4B, problem 6005 (ENTRY_EXISTS), data 0 ]; remaining name 'cn=MANUALUSER15'
Basically, I want to do one-time reconciliation from 2 sources (AD and another source) but from then onwards, Xellerate will be used to manage users and no more reconciliation needs to occur from the sources.
I'm not sure whether I've correctly configured what I need to. Any help would be really appreciated.
Ok, so what you need to do is the following.....
1. Set up trusted reconciliation from AD -->> OIM. (make sure you do this before you set up the automated provisioning access policy, or if it is already in place, disable it by assigning the policy to a bogus group that has no members in it.)
2. Once your "trusted" reconciliation has been completed, you need to remove the reconciliation mappings from the xellerate user for the AD reconciliation.
3. Modify your AD reconciliation process so that it is no longer "trusted". Now you can link your existing AD users (with associated group memberships etc...) to your OIM accounts.
4. re-enable your access policy ( by associating it back with the group you originally had it )