Restrict the resources on OIM resource profile

Hi all,
Is it possible to restrict the resources that show up on the resource profile?
I have a requirement where AD administrators should only manage their resource.
Thanks,
M

Go to Resource Object and remove the Allow All check box; it won't show up in resource file for any user.
Also, check the Provision by Object Admin Only.
Thanks
Regards
Edited by: Surendra Singh Khatana on Apr 7, 2010 11:39 PM

Similar Messages

  • How to enable only one resource profile out of 3 while disabling user in OIM

    Hello,
    I have 3 resource profiles for AD user with 3 different IT resources.
    When I try to disable the user in OIM, then it disables all the resource profiles attached for that user.
    I would like NOT to disable one of AD User Resource profile out of 3 .
    How can I do that?
    Thanks

    This is the same post as one made about a week ago.
    I would suggest the following:
    1. Create an adapter that has an input of the domain, or some other identifying attribute. In this adapter, use logic to return a response of either DISABLE or DO_NOTHING.
    2. Create a new Process Task called something like "Disable Resource Determiner". Attach your adapter you just made, and on your response codes, for DISABLE, trigger the disable task, and on DO_NOTHING, then do nothing... Set this adapter to be triggered on disable.
    3. On your previous disable task, remove the disable trigger.
    Now when your disable is triggered, you have logic to determine which target resource is being used, and then whether or not to disable the resource or do nothing.
    -Kevin

  • Does the Resource Profile LOGICAL_READS_PER_CALL count TEMP

    Does anyone know if the profile resource LOGICAL_READS_PER_CALL counts reads from the TEMP/SORT segment?
    The reason I'm asking is because we had an ad hoc report user write a query that caused a huge Cartesian product that consumed all of the temp tablespace, 8.5G. The knee-jerk reaction would be to add more space to the TEMP tablespace, but the poorly written query was the problem. The user running the query does have a profile that restricts the LOGICAL_READS_PER_CALL to 3500000. The query did fail since it could not allocate any space from the TEMP tablespace, but not before it caused two other sessions to fail for the same reason. The query had several sort/merge operations so I was hoping that when it was reading back from a temp segment it would be added to the counter and would then terminate the session.
    If this counter is not used for TEMP reads does anyone know of another way to limit the amount of temp space for a particular user?

    Logical reads concern the blocks read into the buffer, no? So I don't see a relation with the TEMP tablespace.

  • OIM manipulating provisioning - description on resource profile

    Comrades!
    I have an OIM installation with AD and Exchange connectors. When users are provisioned, going back to the resource profile, you can see the resource and several data, for example the Description field. For AD User, the description shows the Windows logon name (which I think is correct), and for Exchange, it shows a number (probably a key of some table). Trying to discover where this description field is taken from, I realized that it comes from the ORC table, ORC_TOS_INSTANCE_KEY (if I change it, it changes in the description of the resource profile too).
    I have many questions about this. First of all, who puts this value in this field of the ORC table? I followed the provisioning tasks for AD and Exchange (Create User and Create Mailbox), and got inside the code (I decompiled it with cavaj), but the logic of the adapters attached to that process task and the code in the Java classes only effectively creates the user or the mailbox, and returns. So, when is the resource profile being modified?
    Another question related to that is: where are the conventions of the process task names for provisioning? For example, FIELD Updated reacts to the event of modification of FIELD. Create User sounds logical for provisioning when a resource is granted on an application, but Create Mailbox? How is this task attached to the provisioning submit of a resource?
    DrLDAP

    You are right, the number that you see in the description field in the resource profile is the ORC KEY. If you need to change this to show any value in the process form, you can do so by going to the provisioning workflow form in the design console and clicking on Map Descriptive field.
    I don't think it has been documented anywhere about the field name<space updated> task.
    The name Create User or Create Mailbox has no significance. You can really keep any name for the task. The way OIM understands that it needs to execute this task is if it sees the task is marked as "Required for Completion". All tasks marked required for completion will be executed by OIM before it can say that provisioning has been completed. For example, in a provisioning process all you might need to do is send a mail and not create any account etc.
    Then you have a task "Send mail" (or any name); mark the task as required for completion. Now when this resource is granted by the admin to the user, this task would have executed. The name is not of essence when it comes to provisioning.

  • How to further restrict the task profile 'dimension' to selected dimensions

    Hi All,
    We have a dimension which we require users to maintain their own master data. We have used the secondary admin task profile which provides default access to the task 'dimension'. This allows that user access to the BPC Admin console and also to the dimension to maintain dimension members. However, we wish to limit their access to only certain defined dimensions and not give them access to all dimensions. I have tested using this task profile together with a member access profile to limit the secure dimensions for an application; however, my understanding is that member access profiles will not restrict access once a user has logged into the BPC Admin Client, i.e. the member access profile restricts the ability to read/write to 'facts'/sign data from a BPC front end tool, e.g. Excel.
    Any ideas much appreciated as to how to achieve this,
    Glen

    Hi,
    As you said for maintaining dimension members, you had to assign a task to the task profile. However, assigning this task will allow the user to modify any of the dimensions.
    You cannot give authorization to allow only selected dimensions. BPC doesn't have this feature. Either the user can modify all the dimensions or none of them.
    Hope this helps.

  • Printing the Resource Profile in the Tracking View

    As above.
    Struggling to print the profile section of the Tracking View - there's a checkbox to print the profile, but it's greyed out.
    Any suggestions - or a "it's not possible" - appreciated
    Version 6.2.1 - SP 3
    David

    Hi,
    after selecting a resource in Resource Center, use "Resource Assignments" in the ribbon. In Resource Assignments view, use "Timephase Data" (second button from left).
    This will give you information about Actual Work.
    Hope that helps?
    Barbara

  • OIM 9.1.0.2 Resource Profile Query

    Hello
    I need to get the usr_key or any info on the users in OIM that have a certain condition. I have a number of OID resources for users that have a status of 'provisioned' but when looking at the resource tasks the system validation is set to 'cancelled'. Due to this, updates are not flowing to these users. I am looking through the tables to try to find the resource task list and the status info so I can find the system validation cancelled and locate those users. Does anyone have a query to search through and find all users with system validation = canceled and resource status as provisioned? Any help you can give would be appreciated.
    Thanks
    Nick

    I'm positive there's a great way to do it with SQL, but you'll need to look at 4 tables:
    1) OBJ (Objects) - Here you are looking in OBJ_NAME for 'OID User', once found get the OBJ_KEY value for the row.
    2) OST (Object Status) - In this table, you can find all the statuses for the OID User resource based on the OBJ_KEY value. Look for the applicable ones and get the OST_KEY value for each row.
    3) OIU (Object Instance for Users) - Now you can query this table for all results where OST_KEY equals the desired values as found in step 2.
    4) USR (Users) - Here you can get the User ID's (usr_login), User Key (usr_key) or any other value for users to help with the query.
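
    The four lookups described in the reply above, combined into one join. This is an added example, not part of the original reply; the tables and the OBJ_NAME, OBJ_KEY, OST_KEY, usr_login and usr_key columns come from the thread, while OST_STATUS and OIU.USR_KEY are assumed column names to verify against your schema. It covers only the resource-status half of the question, not the cancelled task.

    ```sql
    -- Users whose 'OID User' resource instance is in status 'Provisioned'.
    -- Assumed columns (not named in the thread): ost.ost_status, oiu.usr_key.
    SELECT usr.usr_key,
           usr.usr_login,
           obj.obj_name,
           ost.ost_status
    FROM   obj
           JOIN ost ON ost.obj_key = obj.obj_key   -- step 2: statuses defined for the resource object
           JOIN oiu ON oiu.ost_key = ost.ost_key   -- step 3: user resource instances in that status
           JOIN usr ON usr.usr_key = oiu.usr_key   -- step 4: the user who owns the instance
    WHERE  obj.obj_name   = 'OID User'             -- step 1: the resource object by name
    AND    ost.ost_status = 'Provisioned'
    ORDER  BY usr.usr_login;
    ```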

  • Move Users from one OU to other on AD based on the OIM user profile attrs

    Hi All
    I am currently pre-populating AD User OU attribute based on the OIM User profile Location attribute. This is working as expected.
    Now when the location changes, I wanted to move the user from the current OU to a different one based on the location provided. Here I am kind of stuck.
    I think I can use access policies / User triggers to get this done, but is there any other approach / additional configuration for pre-populate?
    Is pre-populate only for the first time User Provisioning?
    Regards
    user12841694

    Hi Martin
    For the above requirement we have used lookups and could accomplish the task.
    However, I need a minor clarification here.
    I have OU dependent on Location Code & I also have Users Home Directory[on AD process form] dependent on Location Code.
    How should I use the User triggers to trigger both Change HomeDir and Change OU process tasks on AD User?
    I will create a dummy task with name "*Trigger Location Dependents*" and always return a "TRUE" response in the integrated adapter.
    Now upon true I will generate Change HomeDir & Change OU process tasks.
    I will provide Trigger Location Dependents name against USR_UDF_LOCATION code in the triggers lookup.
    Should this work, or do you have any suggestion? Please.
    Regards
    user12841694
    Edited by: user12841694 on Dec 23, 2010 6:59 AM

  • Assign a role automatically based on resources assigned to the user?OIM 11g

    Hi!
    I have a request and this is:
    In my scenario I have roles associated with access policies that assign resources.
    I have resources assigned by a target reconciliation... What I need is to assign a role based on resources that the user has.
    If the user has 4 resources added by a target reconciliation and these 4 resources make a role, then the role has to be assigned automatically...
    Any idea? Is this possible? Thanks.

    Any idea? Is this possible?

  • How to restrict the modification of a process form field.

    Hi,
    Is there a way out to restrict the modification of a process form field?
    I have a process form field loginid which can not be updated in a target. I want to achieve the same in OIM. I have not created any update task for the field, but if the user changes the loginid field then it is getting saved in the OIM database and hence any operation thereafter is failing.
    Thanks

    Hi Kevin.
    I really appreciate your help.
    But I tested your configuration in our environment and it doesn't work. The same error (The Resource has not been configured properly) is displayed when I try a provisioning for that resource. Anyway, we could not use this configuration here, because end-users shall have the option to change some values in their process form.
    I don't know why, but it seems that when I define any field as Display-Only, the prepopulate adapter runs in a post-insert schedule and an error is given because it tries to fulfill a display-only field, which is not allowed.
    I tried an alternative configuration, which works properly:
    - keep the field User ID as Text Field.
    - use the prepopulate adapter to populate this field with the User Login (previously defined in the User Definition form)
    - delete the property "required = true" to this field
    - set property "visible = false" to this field
    In this way, the end-users can modify the other fields, except User ID. On the other hand, they will never be able to see their own User IDs while making a request. For new users it will not be a problem because their User Login (on User Definition) and User ID (on Process Form) will be exactly the same, but for users that already exist in the target system, these values will be different, which can cause small issues.
    Until I understand why a display-only field cannot be filled by a pre-populate adapter, I will use the setting above.
    Regards.

  • Removing items in Resource Profile

    Hello,
    I had a poorly configured AD adapter while test provisioning a few users, and now the Resource Names are stuck in a permanent "Provisioning" status. Inside, all tasks say "Cancelled". Can I do anything to remove the bad "AD User" resources from a user's Resource Profile?
    Thanks much
    Alex

    Certainly Yes. As you said that your tasks are in a status of canceled, so it means its equivalent to the Delete Resource use case. This process might be similar to the Task Archival process provided by the OOTB OIM. Refer the following section of the documentation for Section-10 Using the Task Archival Utility
    http://download.oracle.com/docs/cd/E14049_01/doc.9101/e14059/tasks_archival.htm#sthref96
    Hope it helps.
    Thanks
    Sunny

  • Restrict the user based on document type on migo transaction-prepare GRN

    Hi,
    We are running ECC6.0 R/3 system. We had a requirement as follows:
    In MIGO transaction, we want to restrict the user on document type, i.e. we want that a particular user can prepare GRN for document type STO only. He cannot prepare GRN for other document type.
    We checked SU24->maintain check indicators for transaction codes->enter migo->execute->check indicator. This returned us the authorisation objects present in Migo transaction. We checked the help of all these objects, but none of them we found suitable for above mentioned requirement. We were planning to find out the proper authorisation object to add to Profile generator.
    The following are the objects which we have checked for.
    A_B_ANLKL-->     Asset Postings: Company Code/Asset Class
    A_B_BWART-->     Asset Postings: Asset Class/Transaction Type
    B_USERSTAT-->     Status Management: Set/Delete User Status
    B_USERST_T-->     Status Management: Set/Delete User Status using Process
    C_AFKO_AWK-->     CIM: Plant for order type of order
    C_CACL_DSG-->     Interface Design
    C_DRAW_BGR-->     Authorization for authorization groups
    C_DRAW_DOK-->     Authorization for document access
    C_DRAW_TCD-->     Authorization for document activities
    C_DRAW_TCS-->     Status-Dependent Authorizations for Documents
    C_KLAH_BKP-->     Authorization for Class Maintenance
    C_STUE_BER-->     CS BOM Authorizations
    C_STUE_WRK-->     CS BOM Plant (Plant Assignments)
    C_TCLA_BKA-->     Authorization for Class Types
    C_TCLS_BER-->     Authorization for Org. Areas in Classification System
    C_TCLS_MNT-->     Authorization for Characteristics of Org. Area
    F_BKPF_BUK-->     Accounting Document: Authorization for Company Codes
    F_BKPF_BUP-->     Accounting Document: Authorization for Posting Periods
    F_BKPF_KOA-->     Accounting Document: Authorization for Account Types
    F_FICA_FOG-->     Funds Management: authorization group of fund
    F_FICA_FSG-->     Funds Management: authorization group for the funds center
    F_FICB_FKR-->     Cash Budget Management/Funds Management FM Area
    F_KNA1_APP-->     Customer: Application Authorization
    F_LFA1_APP-->     Vendor: Application Authorization
    F_SKA1_BUK-->     G/L Account: Authorization for Company Codes
    G_GLTP-->     Spec. Purpose Ledger Database (Ledger, Record Type, Version)
    J_1IDEP_SL-->     Authorization object for depot sale transaction
    J_1IEXC_OT-->     Authorization object for Other Excise Invoice Create
    J_1IEX_PST-->     Authorization object for posting Other Excise invoice
    J_1IGRPT1-->     Auth. for PART1 at GR
    J_1IINEX-->     Incoming Excise Invoice
    J_1IRG23D-->     Authorisation object for Depo Transactions
    K_CCA-->     CO-CCA: Gen. Authorization Object for Cost Center Accounting
    K_CSKS-->     CO-CCA: Cost Center Master
    K_CSKS_SET-->     CO-CCA: Cost Center Groups
    K_PCA-->     EC-PCA: Responsibility Area, Profit Center
    L_TCODE-->     Transaction Codes in the Warehouse Management System
    M_ANFR_BSA-->     Document Type in RFQ
    M_ANFR_EKG-->     Purchasing Group in RFQ
    M_ANFR_EKO-->     Purchasing Organization in RFQ
    M_ANFR_WRK-->     Plant in RFQ
    M_BEST_BSA-->     Document Type in Purchase Order
    M_BEST_EKG-->     Purchasing Group in Purchase Order
    M_BEST_EKO-->     Purchasing Organization in Purchase Order
    M_BEST_WRK-->     Plant in Purchase Order
    M_MATE_CHG-->     Material Master: Batches/Trading Units
    M_MATE_STA-->     Material Master: Maintenance Statuses
    M_MATE_WRK-->     Material Master: Plants
    M_MRES_BWA-->     Reservations: Movement Type
    M_MRES_WWA-->     Reservations: Plant
    M_MSEG_BMB-->     Material Documents: Movement Type
    M_MSEG_BWA-->     Goods Movements: Movement Type
    M_MSEG_BWE-->     Goods Receipt for Purchase Order: Movement Type
    M_MSEG_BWF-->     Goods Receipt for Production Order: Movement Type
    M_MSEG_LGO-->     Goods Movements: Storage Location
    M_MSEG_WMB-->     Material Documents: Plant
    M_MSEG_WWA-->     Goods Movements: Plant
    M_MSEG_WWE-->     Goods Receipt for Purchase Order: Plant
    M_MSEG_WWF-->     Goods Receipt for Production Order: Plant
    M_RAHM_BSA-->     Document Type in Outline Agreement
    M_RAHM_EKG-->     Purchasing Group in Outline Agreement
    M_RAHM_EKO-->     Purchasing Organization in Outline Agreement
    M_RAHM_WRK-->     Plant in Outline Agreement
    Q_TCODE-->     QM Transaction Authorization
    S_ADMI_FCD-->     System Authorizations
    S_ALV_LAYO-->     ALV Standard Layout
    S_BDS_DS-->     BC-SRV-KPR-BDS: Authorizations for Document Set
    S_BTCH_ADM-->     Background Processing: Background Administrator
    S_BTCH_JOB-->     Background Processing: Operations on Background Jobs
    S_CTS_ADMI-->     Administration Functions in Change and Transport System
    S_DATASET-->     Authorization for file access
    S_DEVELOP-->     ABAP Workbench
    S_DOKU_AUT-->     SE61 Documentation Maintenance Authorization
    S_GUI-->     Authorization for GUI activities
    S_OC_DOC-->     SAPoffice: Authorization for an Activity with Documents
    S_OC_ROLE-->     SAPoffice: Office User Attribute
    S_OC_SEND-->     Authorization Object for Sending
    S_PACKSTRU-->     Internal SAP Use: Package Structure
    S_PRO_AUTH-->     IMG: New authorizations for projects
    S_RFC-->     Authorization Check for RFC Access
    S_SCD0-->     Change documents
    S_SPO_DEV-->     Spool: Device authorizations
    S_TABU_DIS-->     Table Maintenance (via standard tools such as SM30)
    S_TCODE-->     Transaction Code Check at Transaction Start
    S_TRANSLAT-->     Translation environment authorization object
    S_TRANSPRT-->     Transport Organizer
    S_WFAR_OBJ-->     ArchiveLink: Authorizations for access to documents
    V_LIKP_VST-->     Delivery: Authorization for Shipping Points
    V_VBAK_AAT-->     Sales Document: Authorization for Sales Document Types
    V_VBAK_VKO-->     Sales Document: Authorization for Sales Areas

    Have you executed a trace while a functional user executes the transaction code for the specific parameters? (i.e. document type). The trace will then show which objects are being checked; then look at the object documentation in txn Su21 to determine if there are any ways to restrict on the particular value; in some cases, if the authorization group field is being checked, additional configuration is needed in order to implement the security (Su21 will explain in detail for the particular object).

  • How to restrict the user from making any changes in Sales order- item level

    Hi to all
    How to restrict the users from making any changes in sales order at item level if the same sales order is released by senior user through status profile?
    Regards
    Anish Parikh
    Edited by: anish parikh on Jan 24, 2008 5:16 AM

    Hi Anish,
    This can be achieved through the roles and authorization.
    This can be done through the basis team. They can create user profiles and roles.
    For the roles they assign some transaction codes so that they can view only the assigned transaction codes.
    Like that your requirement can be done.
    Also you can prevent the user from changing any fields in the sales order screen (VA02). For that please modify the authorisations.
    Hope it answers.
    Reward points if useful.
    Edited by: kaleeswaran bhoopathy on Jan 24, 2008 9:57 AM

  • How to restrict the authorization to change background configuration

    Hello, I copied some users from my admin user which contains the sap_all profile, so these users can change background configuration. Now, I want to restrict the authorization so that they can only view the background configuration but cannot change it. How can I set this authorization? Can I change the sap_all profile? How to set it?
    thanks.

    Hi,
    You can copy the SAP_ALL profile to a new name say Z_SAP_ALL and provide display access to all the authorization object and make sure you remove all the critical tcodes in the Z_SAP_ALL profile.
    Once you are done with testing the role assign it to the user.
    Also search the threads in the forum...
    Rakesh

  • Defining Authorizations for User to restrict the data in report.

    Hi Gurus,
    I have no idea on authorization concept in BI. Please give me anyone steps to creating authorization objects, roles and profiles to restrict the data for users.
    Ex.
    I have functional location info object checked as authorization relevant with below data.
    FL001
    FL002
    FL003
    FL004
    FL005
    FL006
    FL007
    FL008
    FL009
    We have users like below.
    User1
    User2
    User3
    Now, if User1 is analysing a report he can see only FL001, FL005, FL009 only, remaining have to be omited.
    If User2 is analysing that report he can see only FL002, FL003, FL009. And like wise.
    So, please help me by providing the complete steps. I have done something but failed.
    Thanks in advance
    Peter.

    Hello Peter,
    Please go through the following links
    Authorization :
    http://help.sap.com/saphelp_nw70/helpdata/en/59/fd8b41b5b3b45fe10000000a1550b0/frameset.htm
    SAP Authorization Concept :
    http://help.sap.com/saphelp_nw70/helpdata/en/52/671285439b11d1896f0000e8322d00/frameset.htm
    Thanks.
    With regards,
    Anand Kumar
