Request OID group access in OIM

Hi All,
I have OIM (11.1.1.5.2) and the OID Connector (9.0.4.14) installed. Is it possible for a user to request access to a specific group in OID using the OIM Self Service Console?
Regards,
user10233157

Yes, this is possible. You need to create a request dataset with Group details and import it to MDS.
Sample dataset for an AD resource is:

<?xml version="1.0" encoding="UTF-8"?>
<request-data-set xmlns="http://www.oracle.com/schema/oim/request" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.oracle.com/schema/oim/request" name="ModifyResourceAD User" entity="AD User" operation="MODIFYRESOURCE">
  <AttributeReference name="City" attr-ref="City" available-in-bulk="true" type="String" length="20" widget="text"/>
  <AttributeReference name="Pager" attr-ref="Pager" available-in-bulk="true" type="String" length="20" widget="text"/>
  <AttributeReference name="Group" attr-ref="UD_ADUSRC" available-in-bulk="true" type="String" length="500" widget="text">
    <AttributeReference name="Group Name" attr-ref="Group Name" available-in-bulk="true" type="String" length="500" widget="lookup" lookup-code="Lookup.ADReconciliation.GroupLookup" entitlement="true">
    </AttributeReference>
  </AttributeReference>
</request-data-set>

Then, in the OIM Self Service console, select the Self Modify Provisioned Resource request type and you will see the OID groups in the list of available groups to request.

Similar Messages

  • OVD/OID group reconciliation in OIM 11g with LDAP sync

    Hi All!
    Is it possible to reconcile OID groups to OIM using LDAP sync? How to achieve such configuration?
    I have OIM with LDAP sync, and user and roles provisioning to OVD is working.
    best
    mp

    Hi,
    I want to integrate OIM and OID. Can you guide me in doing so? The platform I will use is Windows 2003 Server, OIM version is 9.1. Also please tell me which version of OID I should use.
    Note: I am new to OID and OIM.
    Thanks in advance.
    Regards,
    Kazmi

  • Request based Revoke process in OIM 11g R2 PS1 ?

    Hi All,
    In our scenario, we are looking for a request-based revoke process in OIM 11gR2 PS1. In OIM 10g, we have the Delete User Access flow separately, where the end user can request revoking a user's access from a resource. In OIM 11gR2 PS1 we have a catalog-based request process to request access for Roles, Application Instances and Entitlements. Same way it is possible to have request-based revoke access in OIM 11gR2 PS1, where we can request revoking access for Roles, Entitlements and Application Instances, send notifications and follow an approval process for the same.
    Thanks,
    RPB

    Any helpful pointer on this?

  • OIM-request based provisiong-into OID groups

    Hi,
    When I log in as a normal user in OIM and request the OID user resource, it does not show the OID groups. The requirement is that when a user requests a resource via self-service, he should be able to select the OID groups to which he should be provisioned. How can this be achieved?

    You need to copy the information from the object form to the process form.
    I think you can datasink child forms (you really should be able to). If not you will have to write some code that is invoked during pre pop of the provisioning form that moves the content from the child form on the object form to the child form on the process form.
    You may actually want to do this as a final provisioning step, as I know that the group management provisioning code in the OID connector works well in that situation, but I am not sure if the use case of a filled-out group child form is managed well.
    Best regards
    /Martin

  • Migrating OID groups to OIM

    We have been given the task of migrating our existing identity management systems to OIM (Oracle Identity Manager).
    Part of our existing system uses OID (Oracle Internet Directory). All users have an entry in OID. Some of our systems use OID for authentication.
    We also use OID to hold users' entitlements/privileges that control access to our applications. We use OID groups (represented by entries based on groupOfUniqueNames and orclGroup objects) to do this. For example we might have an application called 'Finance' with three levels of access represented by OID groups e.g. 'finance_enquiry', 'finance_updater', 'finance_superuser'. Those groups would all belong to a parent group called 'finance_application'. To access the application the user needs to be a member of 'finance_application' group or one of its child groups. Access to features of the application are controlled by membership of the 3 child groups. We have an application that maintains groups, group membership, and user entitlements in OID.
    As part of the migration project we want to move maintenance of groups and group membership from our own application into OIM. The above scenario seems quite basic.
    My main question is how would this be done in OIM? Do our current OID groups become OIM Groups? Do they become entries in some lookup table in OIM? Are there any case studies or other documentation that describes this kind of requirement?
    I've looked at the OIM Connector for OID documentation but it doesn't describe typical scenarios. It assumes that you know what you are doing.
    We also want to give users the ability to request entitlements, and to provide an approval process. So we could have a user who approves/rejects entitlement requests to access to the applications they control. But that's a another topic.
    Cheers,
    Eric

    PeachEye wrote:
    > We have been given the task of migrating our existing identity management systems to OIM (Oracle Identity Manager).
    > As part of the migration project we want to move maintenance of groups and group membership from our own application into OIM. The above scenario seems quite basic.
    You're about to find out otherwise.
    > My main question is how would this be done in OIM? Do our current OID groups become OIM Groups? Do they become entries in some lookup table in OIM? Are there any case studies or other documentation that describes this kind of requirement?
    You'll need a custom connector and lots of OIM tweaks. Your groups will stay in OID, OIM will replace the current application you use to maintain them. That's one way of doing it, no impact to OID schema is the benefit of this way, there are other ways.

  • OIM-OID Provisioning - OID Group PrePopulate Approach :

    Hi,
    I am working on OID Connector 9.0.1.14 with OIM 11.1.1.5.
    I have reconciled all the Roles and Groups from OID to OIM and can successfully provision users to the OID along with membership to these specific Roles and Groups.
    I want to prepopulate the OID Group based on certain attribute from the OIM User form. My Approach so far is :
    1) Created an Entity Adapter with a variable : say Org and GroupName.
    2) Set the Logic as if Org = XYZ (XYZ does exist on OIM) set GroupName as = "OID Group 1" else set GroupName as = "OID Group 2"
    3) Attached this adapter to the "OID User Group" form on the "Data Object Manager" at the pre-insert stage.
    4) Mapped the Adapter variable as :
    a) Org Maps to "Organization Definition" with the qualifier "Organization Name"
    b) GroupName maps to the "Entity Field" with the qualifier "UD_OID_GRP_GROUP_NAME"
    However, nothing seems to happen when I create/modify a user with Organization Name as XYZ and manually provision the OID Resource. I can see the form but nothing is populated in the Group field. Upon completing the request, I get the user provisioned to OID but without any Group information.
    Is my approach right? Am I missing something?

    Here is what I have done for a client. My requirement was for a given department, a user must have a list of groups provisioned to them. So here is what I've done:
    1. Create a lookup that has Code Key = Department, Decode = CN of the groups in a delimited format.
    2. Create a provisioning task that will look at the department code from the user form, reference the lookup and find the decode values. Split them based on a delimiter. Then using each value, look up the code key value from the real lookup that contains the full distinguished name of the group in the OID Group lookup. I even appended the IT Resource Key and ~ so that my search would be Decode or Code = "IT Resource Name~CN=<CN VALUE>%". This would return only the single group code key value. And then I add it to the child table. Repeat this for all the values in the delimited field.
    3. Create a provisioning task that removes the values from the child table based on the delimited value. You'll need to search through the existing child table values.
    Once you have the 2 tasks, you'll want to add a value to your Lookup.USR_PROCESS_TRIGGERS that is your group determining field. Create your task name in this lookup. On your provisioning workflow, for the Adding of the groups task, make this unconditional, and have a preceding task of the Create User. Give it the name from your Lookup.USR_PROCESS_TRIGGERS and append " - Add Groups" to the task name. Create another task called the same, but append " - Delete Groups" to the task name. On the Add Groups task, make the preceding task the Delete groups. When you map your inputs to the adapters, on the delete, select the old value check box from the User Form so that you get the old value. Now, when the value changes on the user form, it will first remove the old groups, then add the new ones. All this will be done using the child table APIs, so that the existing Insert and Delete task triggers for your child table will run.
    -Kevin
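
The department-to-groups resolution and the remove/add step described in the reply above, modelled with in-memory collections as an added example (not code from the thread or from the OID connector; Java 11 or later). The lookup contents, IT resource keys and the `|` delimiter are constructed assumptions. The match is anchored on the comma that ends the CN so a CN that is a prefix of another resolves to a single entry, and, as a variation on the reply, groups common to the old and new value are left in place rather than removed and re-added.

```java
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class GroupDelta {
    // Constructed sample data; every name and value below is hypothetical.
    // Department lookup: Code Key = department, Decode = group CNs, '|'-delimited.
    static final Map<String, String> DEPT_LOOKUP = Map.of(
            "Finance", "finance_enquiry|finance_updater",
            "Audit", "finance_enquiry");

    // Group lookup code keys in the "<IT resource key>~<group DN>" form.
    static final List<String> GROUP_LOOKUP = List.of(
            "21~cn=finance_enquiry,cn=Groups,dc=example,dc=com",
            "21~cn=finance_updater,cn=Groups,dc=example,dc=com",
            "21~cn=finance_updater_admin,cn=Groups,dc=example,dc=com",
            "34~cn=finance_enquiry,cn=Groups,dc=example,dc=com");

    /** Resolve one CN to exactly one code key for the IT resource, or fail closed. */
    static String resolve(String itResourceKey, String cn) {
        // The trailing comma ends the RDN, so "finance_updater" cannot also
        // match "finance_updater_admin" the way a bare prefix search would.
        String prefix = (itResourceKey + "~cn=" + cn.trim() + ",").toLowerCase(Locale.ROOT);
        List<String> hits = new ArrayList<>();
        for (String key : GROUP_LOOKUP) {
            if (key.toLowerCase(Locale.ROOT).startsWith(prefix)) {
                hits.add(key);
            }
        }
        if (hits.size() != 1) {
            throw new IllegalStateException("CN '" + cn + "' matched " + hits.size()
                    + " lookup entries; refusing to guess");
        }
        return hits.get(0);
    }

    /** Code keys a department is entitled to; a null or unmapped department gets none. */
    static Set<String> groupsFor(String itResourceKey, String department) {
        Set<String> out = new LinkedHashSet<>();
        String decode = department == null ? null : DEPT_LOOKUP.get(department);
        if (decode == null || decode.isBlank()) {
            return out;
        }
        for (String cn : decode.split("\\|")) {
            if (!cn.isBlank()) {
                out.add(resolve(itResourceKey, cn));
            }
        }
        return out;
    }

    /** Child rows to delete: granted by the old value, not by the new one, and present. */
    static Set<String> toRemove(String itRes, String oldDept, String newDept, Set<String> childRows) {
        Set<String> remove = groupsFor(itRes, oldDept);
        remove.removeAll(groupsFor(itRes, newDept));
        remove.retainAll(childRows); // only rows that actually exist in the child table
        return remove;
    }

    /** Child rows to insert: granted by the new value and not already present. */
    static Set<String> toAdd(String itRes, String newDept, Set<String> childRows) {
        Set<String> add = groupsFor(itRes, newDept);
        add.removeAll(childRows);
        return add;
    }

    public static void main(String[] args) {
        // A user moves from Finance to Audit; the child table holds both Finance groups.
        Set<String> rows = groupsFor("21", "Finance");
        System.out.println("remove: " + toRemove("21", "Finance", "Audit", rows));
        System.out.println("add:    " + toAdd("21", "Audit", rows));
    }
}
```

An unmapped department resolves to no groups, so a move to it removes every group the old value granted and adds none.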

  • OIM-OID! provisioning users to OID groups-QUICK HELP NEEDED

    hi,
    I've installed OIM connected to OID.
    I've been assigned some tasks:
    1) Creating an access policy such that when a user is created in OIM, he is provisioned to two groups in OID, i.e. cn=users and cn=employees (where cn=employees is the group I create under cn=Groups,dc=ad,dc=company,dc=com)
    2) Creating an access policy such that when a user is created in OIM, he is provisioned to two additional groups in OID, say I've created two custom groups in OIM and attached membership rules to them. Now when I create a user satisfying the two membership rules, he is assigned to those two OIM groups and provisioned to cn=users,dc=ad,dc=company,dc=com and cn=group1,cn=Groups,dc=ad,dc=company,dc=com and cn=group2,dc=ad,dc=company,dc=com.
    Also I want to populate those OID groups into a child table and create their lookups in the process form.
    Please help me materialise and understand these concepts.
    The OID Lookup Recon task for group is running fine, lookup.oid.group is populated with values.
    How can those groups be populated in the process form child table (OID user group table)?
    Edited by: Chhavi Saluja on Feb 12, 2010 12:51 AM

    As mentioned in my other post you can put these groups in access policy form and all the users assigned by this policy will get these groups. Any issue revert back.

  • Users not provisioned from OIM to OID groups

    I've created an access policy such that when I create a user with role as consultant he is automatically provisioned to the OID resource and OID group (cn=group1,cn=groups,dc=ad,dc=company,dc=com).
    The user is provisioned to OID users (cn=users) but not to cn=group1,cn=group....
    What could be wrong?
    I have run the OID group lookup tasks to generate freshly added group lookups. These lookups are populated in the process form when I create an access policy.
    For example, the lookup generated is cn=group1,cn=group,dc=ad,dc=company,dc=com and the decode value is group1.
    The user profile and process form are not linked. That means changes in the process form are not reflected in the user profile. Can this be a possible reason for the hassle described above?
    Please help me resolve this issue.
    Edited by: Chhavi Saluja on Feb 15, 2010 1:30 AM

    Hi,
    Today I have also done the same thing of auto provisioning of OID through access policy. The only difference is that for selecting "Container DN" and "User group" we have created two user-defined fields (lookup) in the user form which refer to the lookups "Lookup.OID.Organization" and "Lookup.OID.Group" for inputs. These lookups are already reconciled once from OID.
    As far as "Container DN" goes I am successful, but while selecting "User group" I am able to select it, and when I click on "create user" the user is provisioned to OID into the Container DN I specified. But the user is not going into the particular group I specified. I am assuming the reason is that User Group is a multivalued attribute, and if we observe the process form of group selection we will see the Add button. But on the user form we don't have the option of a child form to ADD/REMOVE the groups.
    Someone please suggest how to proceed further on this. How do I push the user into a particular group/groups from the create user form itself?

  • Self service - request for groups - OIM

    I would like to allow end-user to request groups from end-user interface?
    I would appreciate your guidance...
    Out of the box only resources are available for request.

    I can suggest you one approach to meet this req.
    1. Create a scheduler which will fetch all groups (findGroups()) in OIM and write the result to a lookup, say Lookup.OIM.Groups.
    2. Create a Process Form with a field as Groups and make the field type lookup type and attach the lookup Lookup.OIM.Groups to this field.
    3. Create an adapter which would use addMemberUser() in groupOperations and adds the user to specific group.
    4. Create a RO, say "Provision Groups" then create a Process Def and attach the above created adapter to process task, say "Add User to OIM group".
    Have an approval process in place which allows users to select a group and request for approval. Once approval completes the task "Add User to OIM group" gets called which adds the user to specific group.
    It would be better if you show Groups field in child form which allows user to add more groups.
    This is one approach which I can think of as of now.
    Let's see what experts say.

  • Access OID Groups in Portal

    I've setup item access privileges on a page. I have created a new OID group and attempted to give this group access to this item. I can choose the group, but when it's added, it does not show the group name, rather a number, i.e., (D8F909F2393035B7E0340003BA2183E9).
    What can I do to make the group name show up?

    Hi Pramod,
    To access Peoplesoft applications from Portal you have two options :
    1) By using Appintegrator iView : As all the applications in peoplesoft has their own urls like for attendance regularization, leave applicaion etc., you create appintegrator iview which points to ur peoplesoft application and by doing user-mapping, users can access these applications. Refer link for How to use appintegrator iview (http://help.sap.com/bp_epv160/documentation/How-to_Guides/25_HowToUseAppIntegrator_en.pdf)
    2) By developing application in VC: You can easily create nice looking applications in VC & host them on portal. VC can pull data from peoplesoft in 3 ways :
          - By using WebService : Expose peoplesoft applications as web services and u can easily create model in VC. (Recommended)
          - Directly accessing database using JDBC drivers : Though this approach is not recommended, u can directly connect to peoplesoft database tables and fetch the desired data.
          - iWay JDBC drivers : These are 3rd party drivers available to connect to peoplesoft database.
    I hope this will help u.
    Thanks & Regards,
    Amol Ghodekar
    (Reward points for helpful answers)

  • OIM-OID Connector: OID Group Recon Task and organizations

    Hi,
    I'm evaluating OIM and its OID Connector.
    We have groups in our existing OID. We thought that we could use the OID Connector OID Group Recon Task to import those groups into OIM and make them Groups in OIM.
    However, when we run the task, it appears to import our groups from OID as organizations, not as groups. It's not clear to me from the OID Connector documentation what exactly the OID Group Recon task is supposed to do. That's why we assumed it was an OOTB method for reconciling OID groups into OIM groups.
    What are we doing wrong? Why do we end up with our OID Groups becoming OIM Organizations after running the task?
    We are using version 9.4.11 of the OID Connector.
    Also, a side issue: how can we delete unwanted organizations from OIM? There's a delete option but it just seems to mark the organizations as deleted but they are still there.
    Thanks
    Eric
    Edited by: PeachEye on 17/03/2010 11:49

    Hi,
    I am also facing the similar issue. I want to reconcile OID groups into OIM User Groups menu item. Please suggest how to proceed.
    I ran the schedule task- OID Group Recon Task, but it throws error-
    ERROR,12 Mar 2010 09:16:44,265,[XL_INTG.OID],OID:tcTskOIDGrouporRoleReconTask:performReconciliation():com.thortech.xl.integration.OID.util.tcUtilLDAPOperations:NamingException :Unable to search LDAP. Check the following values and try again: Base Search detail: cn=abc,ou=Q System1,dc=xoserve-apps,dc=com, filter expression is (&(objectClass=groupOfUniqueNames)(modifytimestamp>=19000101010001Z)), Attributes : DN, modifytimestamp, Organization Name, orclguid, cn,]
    ERROR,12 Mar 2010 09:16:44,281,[XL_INTG.OID],===================================
    I want to bring OID groups into OIM so that I can manage those OID groups from OIM. Is there any other way to do this? Do I have to make changes in the OID object class or in the OID field mappings? I have not done any changes in Lookup OID configuration or LookUp Field map parameters.
    Please help.

  • Create OID Group through OIM

    HI ,
    I have a requirement which is when I create a Group in OIM, then OID will create a corresponding Group as well. I have run out of ideas on how to do it; can anyone give some guidance on this?
    thx in advance
    Edited by: crazyJew on 1/07/2010 22:44

    Yes you need to provide an organization key to the group provisioning api - tcOrganizationOperationsIntf -> provisionObject.
    Once you provision the resource OID Group you can get the process instance key and set the data in the process form using tcFormInstanceOperationsIntf -> setProcessFormData. setProcessFormData takes the data which needs to be set for the OID group.
    Hope this helps,
    Sagar

  • It's possible the OID role Provisioning With OIM?

    Hi experts,
    I'm installing and configuring the OIM connector for OID. However I've found on the installation guide the next 'warnings':
    - Reconciliation of roles is supported only for ODSEE and Novell eDirectory target systems.
    - Provisioning of roles is supported only for ODSEE and Novell eDirectory target systems.
    Then my question is: how can I provision OID roles to any user using OIM? If I can't do role provisioning to OID, I can't see so much utility for this connector.
    My request is to provision roles that I've created on OID, using the OIM interface.
    Has anyone done this?
    Thanks for your time.
    regards.
    Edited by: Daniel Cermeño on Sep 10, 2012 4:39 PM

    Hi Leoncio and Gyanprakash,
    Thanks for your response, that makes me feel more quiet.
    I have still one question about this. In the installation and configuration guide says:
    - If you are using the default connector configuration, for every group in the target system, create a corresponding organizational unit (with the same group name) in Oracle Identity Manager. This ensures that all groups from the target system are reconciled into their newly created organizational units, respectively.
    - You can also configure the connector to reconcile the groups under one organization.
    Then, when I run the reconciliation of OID groups in OIM, I obtain one organization with one resource representing my OID group. Or, if I prefer, I obtain one organization with many resources that represent all my OID groups. However, I don't find how to provision these resources to my OIM users, because I need one user to be part of one or more groups. If I put the user in the organization that represents my OID group, how can I provision more groups?
    Furthermore, the reconciliation of OID groups creates resources/organizations, but in my understanding this does not create OIM roles, does it?
    I'm sorry for my ignorance. This may be a trivial question, but I hope you can clarify these concepts for me.
    Thanks for your time.
    regards.
    Edited by: Daniel Cermeño on Sep 11, 2012 8:08 AM

  • Error while provisioning to OID group

    Hi,
    We created 2 groups in OID. We ran the OID group lookup reconciliation task and now we are able to see the created groups in Lookup.OID.Group.
    We added the groups in the access policy, but when we are provisioning users into OID the Add User to Group task is getting rejected with the "Group Doesn't Exist Error message". Please help.
    Thank you

    Can you check whether the groups still exist in OID?
    Just Enable the logs for OID connector only and paste the logs here.

  • How to include group access level in a ws call

    I want to include a Group Access Label in a Permission for a Course using an iTunes web service call.
    I don't see how to do this in the docs.
    (The example in iTunesUAdministratorsGuide.pdf at page 111 doesn't include the Group Access Label.
    And it's not in the schema for the ws xml document at http://deimos.apple.com/iTunesURequest-1.0.xsd)
    Is this an obvious omission or am I missing something? Anyone know how to do this?
    Background:
    We're creating most Courses programmatically.
    Obviously, we'd strongly prefer not to require an administrator to go into every Course and manually add a common Group Access Label to the Permission. (This manual piece is essentially what's now missing from the ws call or at least from my understanding of it.)
    Either way -- manually by an administrator or programmatically -- our instructors would then be able to set Permissions themselves on any Group they create -- doing this themselves and without the help of an administrator.

    To resume with a little progress made:
    I have a Section
    * with Access Level == Edit for Credential == Instructor@...${IDENTIFIER} with no Group Access Label, and also
    * with Access Level == Download for Credential == Student@...${IDENTIFIER} with Group Access Label == Student.
    I'm doing ws calls to add a Course including an identifier. This is successful, and I can then go into the iTunes client as Instructor@...${IDENTIFIER} (substitution made) and manually add Groups and change Access to each individually. (I'm adding Groups "Download", "Shared Uploads", and "Drop Box", changing the Access Level accordingly for Group Access Label "Student".)
    But naturally I want to do the manual part programmatically, to save n instructors from having to learn how to do this same thing and then to do it.
    So I'm trying to change my ws call to add the Groups, including Permissions. Schema http://deimos.apple.com/rsrc/xsd/iTunesURequest-1.1.xsd doesn't include Group Access Label for Permission. What does this mean?
    I've tried the actual Credential == Student@...${IDENTIFIER} (with IDENTIFIER substitution made before the call) and also Credential == Student (to see if I'm supposed to match the Group Access Label, instead).
    For either of these trials, the ws call successfully adds the Groups and a ShowTree includes the Permissions for the Groups. But in the iTunes client user interface, it's as if I gave no Permissions in adding the Groups.
    Am I approaching this wrong or is there a bug here?
    (I haven't tried yet a separate call to add the Group Permissions, not wanting to suffer the processing wait of getting handles for the three Groups.)
    Anyone else doing this (successfully or not)? Thanks.
