Role creation in OIM 11.1.1.5.0 fails with LDAP Sync Enabled

Similar Messages

• OVD/OID group reconciliation in OIM 11g with LDAP sync

  Hi All!
  Is it possible to reconcile OID groups to OIM using LDAP sync? How to achieve such configuration?
  I have OIM with LDAP sync and user and roles provisining to OVD is working.
  best
  mp

  Hi,
  I want to Integrate OIM and OID. Can you guide me in doing so?. The platform I will use is Windows 2003 Server, OIM version is 9.1. Also please tell me which version of OID i should use.
  Note: I am new to OID and OIM.
  Thanks in advance.
  Regards,
  Kazmi

• How to update UDF in OID11g(OIM 11g configured with LDAP SYNC)

  Hi All,
  I have configured OIM11g with LDAP SYNC and it is working fine. i have added some UDF on the user creation form and the same attributes has been created on OID as well. Now, when i create users on OIM with these custom attributes the values are not getting updated on OID resource, can anyone please let me know how to update these attributes on OID?
  Thanks in advance,

  to Update a UDF you must assign a copy value adpter in Lookup.USR_PROCESS_TRIGGERS（design console / lookup definition）
  eg.
  CODE --------------------------DECODE
  USR_UDF_MYATTR1----- Change MYATTR1
  USR_UDF_MYATTR2----- Change MYATTR2
  Edited by: Lighting Cui on 2011-8-3 上午12:25

• Bulk load in OIM 11g enabled with LDAP sync

  Have anyone performed bulk load of more than 100,000 users using bulk load utility in OIM 11g ?
  The challenge here is we have OIM 11.1.1.5.0 environment enabled with LDAP sync.
  We are trying to figure out some performance factors and best way to achieve our requirement
  1.Have you performed any timings around use of Bulk Load tool. Any idea how long will it take to LDAP sync more than 100,000 users into OID. What are the problems that we could encounter during this flow ?
  2.Is it possible we could migrate users into another environment and then swap this database for the OIM database? Also is there any effective way to load into OID directly ?
  3.We also have some custom Scheduled Task to modify couple of user attributes (using update API) from the flat file. Have you guys tried such scenario after the bulk load ? And did you face any problem while doing so ?
  Thanks
  DK

  to Update a UDF you must assign a copy value adpter in Lookup.USR_PROCESS_TRIGGERS（design console / lookup definition）
  eg.
  CODE --------------------------DECODE
  USR_UDF_MYATTR1----- Change MYATTR1
  USR_UDF_MYATTR2----- Change MYATTR2
  Edited by: Lighting Cui on 2011-8-3 上午12:25

• Role creation fails in OIM

  Hi,
  I have configured OIM 11.1.1.5 with LDAP sync. I am able to create users in OIM and these users are created in OID. Changes made to user account in OID gets reflected in OIM.
  However, when i create roles in OIM11g, it throws error but role gets created in OID.
  trace from logs:
  [2012-08-10T03:07:24.367+00:00] [oim_server1] [ERROR] [IAM-0042006] [oracle.iam.platform.entitymgr.provider.ldap] [tid: [ACTIVE].ExecuteThread: '25' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 11d1def534ea1be0:2559799b:1390e6ffc4a:-8000-000000000000115c,0] [APP: oim#11.1.1.3.0] An error occurred while looking up the entity in LDAP, and the corresponding error is - {0}[[
  java.lang.NullPointerException
       at javax.naming.InitialContext.getURLScheme(InitialContext.java:269)
       at javax.naming.InitialContext.getURLOrDefaultInitCtx(InitialContext.java:377)
       at javax.naming.directory.InitialDirContext.getURLOrDefaultInitDirCtx(InitialDirContext.java:101)
       at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:133)
       at oracle.iam.platform.entitymgr.provider.ldap.LDAPUtil.getAttributes(LDAPUtil.java:1119)
       at oracle.iam.platform.entitymgr.provider.ldap.LDAPDataProvider.lookup(LDAPDataProvider.java:977)
       at oracle.iam.platform.entitymgr.impl.EntityManagerImpl.findEntity(EntityManagerImpl.java:603)
       at oracle.iam.platform.entitymgr.vo.Entity.getAttribute(Entity.java:189)
  When i run a diagnostic test for orchestration, i get the following
  Id     Stage     Status     ChangeType     ParentId     Child Count     Retry Count
  1260     COMPENSATE     COMPENSATED     null     0     0     0
  List Of Events With ProcessId: 1260
  Id Name     Stage     Status     Sync     Result
  2553     RoleValidationHandler      VALIDATE     COMPLETED     true     null
  2552     RolePreProcessActionHandler      PREPROCESS     COMPENSATED     true     null
  2560     PostSubmissionDataActions     PREPROCESS     COMPENSATED     true     null
  2558     ApprovalInitiation      PREPROCESS     COMPENSATED     false     null
  2559     PostApprovalActions     PREPROCESS     COMPENSATED     false     null
  2561     RoleCreateLDAPPreProcessHandler     PREPROCESS     FAILED     true     oracle.iam.platform.kernel.EventFailedException: Failed to execute the handler.
  not sure as why the event handler is failing.
  please suggest.
  Thanks

  On further observation found that orclobjectguid for users and roles is not being set in OID. However in the oim profile, i am able to see the ldapguid for users. In the RA_LDAPUSERS and RA_LDAPROLE table, value for orclobjectguid is null due to which there is no linking.

• OIM 11g LDAP Sync Features

  Folks,
  I`ve been researching the LDAP sync option in OIM 11g and I have some questions.
  1. Is it true that once enabled, the user does not exist in OIM DB but only in LDAP?
  2. Can we define rules such that only a certain set of users are in LDAP and some are only in OIM?
  3. Can we define rules for Roles that only certain roles in OIM exist in LDAP but not all? I`d like to keep the business roles only in OIM.
  4. I currently have 3 connectors for AD, eDir and OID with OIM 10g and I am researching the option to remove these connectors and use the LDAP sync with OVD. Can this be achieved? What would be the challenges if I were to replace the connectors with LDAP sync?
  Regards,
  AZ

  Well for the connectors in 10g I plan to export them and then import in 11g. The versions are certified.
  For LDAP sync with multiple directories, I've heard of using OVD. So the Directory Server IT Resource would point to OVD and multiple containers in OVD would be mapped to each of the individual directories. OVD adapters would define connection to these directories.
  I have to see if this is feasible keeping in mind the workflows that have been customized in 10g, I don't think every workflow customization can be done in LDAP sync as well. Plus we would lose track of which attributes are provisioned to which LDAP. This is a user-ldap entry mapping, there would be no accounts in resource profile.

• OIM 11g LDAP sync from different LDAP containers

  Hi,
  I have been setting up OIM 11g R2 (11.1.2) to use LDAP Sync to OID.
  As of now the sync works (both ways) for this container:
  cn=users,cn=oracleAccounts,dc=mycompany,dc=com (configured while doing the OIM config)
  Would it be possible to sync users in other containers as well? For example:
  cn=users,cn=otherAccounts,dc=mycompany,dc=com
  cn=users,cn=moreAccounts,dc=Otherstuff,dc=com
  By editing the file LDAPContainerRules.xml I can setup where the users are created when I create them through IDM.
  But that will not make the sync work for those containers.
  Any ideas where I should start to accomplish the above?
  Thanks & Regards,
  Henrik

  Okay, I think I have found an answer to how to sync users from different OU:s in my OID to different OIM organizations.
  Hopefully this will help others.
  We can use a PostProcess Event handler like this:
  1. Implement the method --> public BulkEventResult execute()
  This is used during recon actions.
  2. Get the user hashmap with attributes and set the "act_key" value with the OIM organizations ID.
  You also needs to build the logic to fetch the users "LDAP DN", which is also fetched from the map.
  From that attribute we can decide which Organization to put the user in.
  This is the best solution we have found yet..
  Docs & tips:
  http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/oper.htm#CCHFBGAA
  http://fusionsecurity.blogspot.se/2011/09/oim-11g-event-handler-example.html (thank you Daniel Gralewski)
  Regards,
  Henrik

• OIM and ldap sync

  I am using OIM 11gR2 and OID 11.1.1.6. Users and groups will be in OID, and OIM is
  required to do the provisioning of users. Plan is to use ldap sync between oid and oim.
  With ldap sync, all users will be available in OIM. And then in OIM can one do the
  provisioning of users. Is this approach ok? Or should we have OID connector? Or both?

  You can use LDAP Sync between OIM and OID. You dont need OID connector in this case.
  More here...
  Why would you use the LDAP Sync instead of the OID Connector?
  http://fusionsecurity.blogspot.com/2012/01/oim-11g-ldap-synchronization.html

• How to authenticate OIM from AD using LDAP sync

  Hi Team,
  We do not want to use password synchronization connector for AD password sync to OIM
  After reading few article' I found two probable ways for it:
  1. Authenticate OIM via AD using libOVD with OIM and LDAP sync enable
  2. Authenticate OIM via AD using libOVD, OID and LDAP sync enable.
  Please suggest whether theses approcahes are practicaly possible or not.
  If yes then please shae related architecture docs.
  Thanks,
  Gaurav

  Here is the one of the doc:
  Configuring LDAP Authentication When LDAP Synchronization is Enabled

• OIM: Invalid ManagerLogin during first time Recon with LDAPSync

  Hey All,
  I just installed OIM with LDAP Sync. I can create users in OIM and they get pushed to OID just fine. When I try to run a full Recon though, OIM creates events for all the users, but they are all stuck, all with the same note:
  oracle.iam.reconciliation.exception.InvalidEventException: Invalid ManagerLogin : MLEGGIO at
  I'm guessing it's invalid because it doesn't exist, but no one exists yet... am I missing something?
  Thanks
  Alex

  From where are you doing full recon from? Also did you check if you have the user "MLEGGIO" in OIM? The problem I see is that you doing a trusted recon to load a user say "X" whose manager is "M" but "M" does not exists in OIM, so OIM will not be able to create that user. The workaround to this is to create a UDF in OIM and map it to the manager from the target. Later on once the user "X" is created in OIM then run another schedule task which takes the manager from UDF (i.e. "M") and if "M" exists in OIM then will set it to the OOTB manager field in OIM for "X"
  -Bikash

• How to obtain Role name in OIM 11g using API's

  Hello,
  I have a scenario in which I create Role/Group in OIM 11g & it gets provisioned in AD [=works fine] & other part is when i delete role in OIM 11g then it should
  get deleted from AD.I have written postprocess event handler to achieve this.
  In role creation part i get all parameters using "orchestration.getParameters();" , but when i delete role then "orchestration.getParameters();" is empty,so i am
  not able to get role name.
  Is there a way to get role name while deleting roles using API ?
  Thanks,
  Rahul Shah

  Hi Raghav,
  Following is my code :
  tcRODetails = orgOpInterface.getObjects(organizationKey);
  for(int i = 0;i < tcRODetails.getRowCount();i++){
  tcRODetails.goToRow(i);
  // resourceName=AD Group
  if(resourceName.equalsIgnoreCase(tcRODetails.getStringValue("Objects.Name"))&&
  tcRODetails.getStringValue("Objects.Object Status.Status").equalsIgnoreCase("Provisioned")||
  tcRODetails.getStringValue("Objects.Object Status.Status").equalsIgnoreCase("Enabled")) {
  System.out.println("<<<FOUND>>>");
  processKey = tcRODetails.getLongValue("Process Instance.Key");
  provisionObjectKey = tcRODetails.getLongValue("Objects.Key");
  tcProcessSet = oimFormUtility.getProcessFormData(processKey);
  for(int j=0;j<tcProcessSet.getRowCount();j++){
  tcProcessSet.goToRow(j);
  if(grpName.equalsIgnoreCase(tcProcessSet.getStringValue("UD_ADGRP_NAME"))){
  System.out.println("MATCH FOUND!!!!!");
  orgOpInterface.removeObjectAllowed(organizationKey,provisionObjectKey);
  break;
  & i get following error :
  <Mar 22, 2012 1:54:43 PM IST> <Error> <XELLERATE.APIS> <BEA-000000> <Class/Method: tcOrganizationOperationsBean/removeObjectAllowed encounter some problems: Object with key=7 is not already set as an allowed object for Organization with key=1>
  Thanks
  Rahul Shah

• JmsQueueConnectionFactory error post user role creation

  Hi All,
  I installed OIM R2 Ps2 successfully. I tried to create a user , got the error javax.naming.NameNotFoundException:While trying to looup jms.QueueConnectionFactory. But the user got created when i rechecked.
  Same error popped up during role creation. But the role too got created.
  please help me to resolve this error. I dont know what kind of impact this error will create later.
  pls find the below screenshot.
  Thanks.

  Here is the solution :
  The issue was with metadata that has been imported as part of patch deployment (BP06).
  /db/ldapMetadata/EventHandlers.xml has been imported with wrong name. Just deleted meta data it start working.
  Regards,
  Krishna

• Request Number is not generated for BRM "new" role creation

  Hello Gurus,
  I have configured BRM in SAP GRC AC 10, along with the workflow .
  I have selected the following methodology
  Define Role --> Maintain Auth >Analyze & Access Risk>Request Approval>Generate Roles>Maintain Test Cases
  Role name : Y_TEST_BRM_FUNCTIONALITY
  So i do the following steps and assign
  1) Role approver as Mr. ABC & Alternate approver as Mr. QRS
  2) Assign the Required transactions and do the RAR i.e i am done till step 3 of methodology
  When i click "Initiate Approval request"
  The approval triggers , and goes to the 1st stage as configured in MSMP
  1) Power User Approval .
  Here the Power User : EFG , open his workflow and see the request as
  Role approval required for role Y_TEST_BRM_FUNCTIONALITY
  The approver approves the request and then the request all together vanishes.
  Unfortunately i am not able to search the request for that role from NWBC -->Search request by
  Process Id : Role Approver Workflow
  It gives blank !!
  Hence neither i am able to find the request no able to do any debugging of it using
  GRFNMW_DBGMONITOR_WD
  Please note that the Request Id is created for any request in CUP.
  Is it that i have to create a number range for BRM request ??
  If so will you please let me know the object

  Hello All,
  I was wrong in posting the cause of problem.
  Please note no "Request number" is generated for Role creation Request.
  The problem was i was unable to search the Role Request approval status from "Search Request" via  Process Id
  It got resolved via SAP note 1643539 : UAM: Search Request not returning result for some Process Id.
  My Issues is Resolved.
  Thank You.
  Regards,
  Victor

• BRM-No Role Creation

  Hi gurus,
  I have just upgraded my GRC 10.0 to SP18 and when I access to create a new role in the NWBC, the button is in grey, I mean, I can not start the creation of it. However, I can modify the roles without problems.
  Any idea of what can be happening?
  Thanks,
  Regards,

  Hello All,
  I was wrong in posting the cause of problem.
  Please note no "Request number" is generated for Role creation Request.
  The problem was i was unable to search the Role Request approval status from "Search Request" via  Process Id
  It got resolved via SAP note 1643539 : UAM: Search Request not returning result for some Process Id.
  My Issues is Resolved.
  Thank You.
  Regards,
  Victor

• Role Creation in CUP 5.3

  Hello,
  I'm trying to understand the concept of what is called "role creation" in Compliant User Provisioning.
  My understanding is that the "create role" option in CUP (configuration>Roles>Create Role) means simply adding the "attributes" such as a business process, functional area, system, or company, to the SAP roles that you imported into CUP.  
  It seems that, with CUP, once you have imported SAP roles and "adjusted" them (adding attributes), you are no longer operating PFCG and SU01 in the SAP backend system. From this point on, everything is done in CUP (provisioning) and ERM (creating additional roles).
  Please tell me if I'm wrong.
  HM

  HM,
    The create role option in CUP is mainly for legacy/non-cup supported systems. This way you can follow the standard workflow process for LDAP/Windows/legacy system. In this user provisioning and role assignment will not be done through CUP and will be manual. This is very important for some companies as they want user to go through same process if they want to get access to any system and not only ERP system.
  The below statement is wrong.
  It seems that, with CUP, once you have imported SAP roles and "adjusted" them (adding attributes), you are no longer operating PFCG and SU01 in the SAP backend system. From this point on, everything is done in CUP (provisioning) and ERM (creating additional roles).
  If you don't have ERM then you will have to use PFCG. Once you have CUP, you don't have to use SU01.
  Regards,
  Alpesh