Role management in OIM 11g.

Similar Messages

• How to obtain Role name in OIM 11g using API's

  Hello,
  I have a scenario in which I create Role/Group in OIM 11g & it gets provisioned in AD [=works fine] & other part is when i delete role in OIM 11g then it should
  get deleted from AD.I have written postprocess event handler to achieve this.
  In role creation part i get all parameters using "orchestration.getParameters();" , but when i delete role then "orchestration.getParameters();" is empty,so i am
  not able to get role name.
  Is there a way to get role name while deleting roles using API ?
  Thanks,
  Rahul Shah

  Hi Raghav,
  Following is my code :
  tcRODetails = orgOpInterface.getObjects(organizationKey);
  for(int i = 0;i < tcRODetails.getRowCount();i++){
  tcRODetails.goToRow(i);
  // resourceName=AD Group
  if(resourceName.equalsIgnoreCase(tcRODetails.getStringValue("Objects.Name"))&&
  tcRODetails.getStringValue("Objects.Object Status.Status").equalsIgnoreCase("Provisioned")||
  tcRODetails.getStringValue("Objects.Object Status.Status").equalsIgnoreCase("Enabled")) {
  System.out.println("<<<FOUND>>>");
  processKey = tcRODetails.getLongValue("Process Instance.Key");
  provisionObjectKey = tcRODetails.getLongValue("Objects.Key");
  tcProcessSet = oimFormUtility.getProcessFormData(processKey);
  for(int j=0;j<tcProcessSet.getRowCount();j++){
  tcProcessSet.goToRow(j);
  if(grpName.equalsIgnoreCase(tcProcessSet.getStringValue("UD_ADGRP_NAME"))){
  System.out.println("MATCH FOUND!!!!!");
  orgOpInterface.removeObjectAllowed(organizationKey,provisionObjectKey);
  break;
  & i get following error :
  <Mar 22, 2012 1:54:43 PM IST> <Error> <XELLERATE.APIS> <BEA-000000> <Class/Method: tcOrganizationOperationsBean/removeObjectAllowed encounter some problems: Object with key=7 is not already set as an allowed object for Organization with key=1>
  Thanks
  Rahul Shah

• Pushing password to all managed resources - OIM 11g R2

  I have a multiple resources I'm managing in OIM. We have AD authentication enabled for user's to log into OIM. When a user changes the password, I would like to change it in all resources. I'm planning on having an event handler to push the password to all resources. Is there another way to do this?
  When a user is changing his/her own password, they have an option to select the resource they want to change the password. Is there a way to hide those other resources from the drop-down? So the drop-down will only have Oracle Identity Manager.

  found an answer at OIM11gr2 change password

• How to execute vb script with out using Remote manager in oim 11g r2

  Hi Currently,
  i have a requirement to execute  vb script (present on a remote machine in which connector server is installed) from oim machine while using Exchange connector (11.1.1.6).
  This can be achieved by using remote manager,but i dont want to use remote manager.
  Hence decided to use Action scripts.
  As per connector configuration,
  i have configured Action scripts in Lookup.Exchange.UM.Configuration lookup definition, by means of three entries
  After Create Action Language      Shell
  After Create Action Target           Resource
  After Create Action File              /home/scripts/Disable.bat
  Disable.bat has the following ,
  Powershell.exe -File C:\scripts\Setup.vbs
  -%Log on Name%
    Exit
  As Setup.vbs is expecting a parameter of log on name, i was providing the same.
  But while creating the user,as this script gets called, getting the following error and hence 'create User' is getting failed.
  Problem while PowerShell execution System.Management.Automation.RemoteException: This task does not support recipients of this type. The specified recipient XXXXXXXXXXX...XXXXX is of type UserMailbox. Please make sure that this recipient matches the required recipient type for this task.
  While provisioning the user to Exchange , i have selected 'Recepient type' as 'User Mail box' explicitly, but still getting the error.
  Please provide any pointers to resolve the issue.
  Thanks in advance
  Kumar

  As far as I know Oracle and MySQL are two different products.
  Why do you clutter an Oracle forum with MySQL questions?
  If MySQL is such a tremendous RDBMS, like many people state (as 'free' means per definition better),
  why don't you visit a MySQL forum where fellow MySQL aficionados can answer you MySQL questions?
  In short, why don't you stop abusing Oracle forums?
  Sybrand Bakker
  Senior Oracle DBA

• OIM 11g R2 : AD Group Management

  Hi,
  I'm looking to implement a POC for creation and deletion of Active Directory groups (Group Management) from OIM 11g R2. I was going through AD connector documentation. But it doesn't see to be evident in the documentation on on how to achieve the functionality. Can anyone throw some light on how to implement this? Do we need any customizations?
  Thanks,
  Raj

  Hi,
  I'm looking to implement a POC for creation and deletion of Active Directory groups (Group Management) from OIM 11g R2. I was going through AD connector documentation. But it doesn't see to be evident in the documentation on on how to achieve the functionality. Can anyone throw some light on how to implement this? Do we need any customizations?
  Thanks,
  Raj

• Request Approval Process exception in OIM 11g

  Hi,
  We have upgraded oim 9.1 to oim 11.1.1.5 and we did not have any request approvals in oim 9.1.
  Now we are using oim 11g to develop request approval process. We have tried to raise a request for "Provisioning Resource" - Application Access and "Assign Role" - Business Role Request in OIM 11g environment. Both the Requests are failing with the same exception as below,
  Error:
  IAM-2050014:An error occurred while initiating approvals for request oracle.iam.platform.workflowservice.exception.IAMWorkflowException: Tasklist mapping failed for workflowdefinition: default/DefaultRequestApproval!1.0 due to javax.naming.NamingException: String index out of range: -1. The corresponding error message is {1}.
  Any idea on the above error?
  Thanks!!

  you can follow these videos to see if you can get a basic manager approval working for a self request resource.
  http://www.youtube.com/watch?v=KCA_cxKsi_o&feature=channel_video_title

• OIM 11g R1 Request Template issue

  Hi All,
  We are facing an issue with implementing the Request Management of OIM 11g R1 11.1.1.5 for Create User.
  OIM already provides OOTB CreateUserDataSet.xml and a ‘Create User’ Request Template.
  We have changed(customized) the OOTB CreateUserDataSet.xml at the same location in MDS and have created one our own Request Template – ‘Create Custom’.
  We have also added Attribute Restrictions in the ‘Create Custom’  request template for mandatory fields like – ‘Organization’, ‘User Type’ & ’Design Console Access’.
  The issue we are facing is –“After some time(not immediately) the Request Template gets corrupt and does not open thus rendering the Request Process for Create User inoperable.”
  Below is the the log error of the OIM Web console error after we are trying to open ‘Create Custom’ by clicking on the Request Template.
  <ADF_FACES-60096:Server Exception during PPR, #8
  oracle.iam.platform.utils.MinLimitException: size < minimum limit
                  at oracle.iam.platform.canonic.model.Values.setMinLimit(Values.java:187)
                  at oracle.iam.requesttemplate.agentry.operations.OpenActor.renderAttributeRestrictionsTab(OpenActor.java:829)
                  at oracle.iam.requesttemplate.agentry.operations.OpenActor.prepare(OpenActor.java:198)
                  at oracle.iam.consoles.faces.utils.CanonicUtils.prepareOperation(CanonicUtils.java:169)
                  at oracle.iam.consoles.faces.utils.CanonicUtils.prepareOperation(CanonicUtils.java:179)
                  at oracle.iam.consoles.faces.render.canonic.UICursor$TableActionListener.processAction(UICursor.java:855)
                  at javax.faces.event.ActionEvent.processListener(ActionEvent.java:88)
  Any help in solving above issue, workarounds or knowing that is it an OIM bug will be greatly helpful.
  Note* I have noticed(through Export) that in a corrupted Request Template the Organization Name that I have restricted to a Constant, has the- Organization Name's Text as value in exported xml. If I change it back to ACT KEY and import it back in OIM the Template is again restored until next corruption
  Thanks already
  Regards,
  Nitin Tewari

  Excellent! Thank you very much!
  Edited by: 958794 on May 22, 2013 10:37 AM

• Customize the look and feel of OIM 11g R2 selfsevice page

  Hi All,
  we need to customize the self service UI as per the styles used by client, for eg the background colors, fonts, tab colors, fontcolor etc, I tried doing by configuring skin but the docs say place it in admin.war and cannot find admin.war anywhere.
  Can anyone please help me out? Where to place the trinidad files and my custom css. Also, what will be the high level style classes that I need to override.
  Thanks

  refer the section 30.3 "*Skin Customization in Oracle Identity Manager*" in OIM 11g R2 Developer guide.
  HTH

• OIM 11g R1 - Container for Roles

  Hi,
  is it possible to create container for roles?
  For Example:
  Container1: RoleA, RoleB, RoleC
  Container2: RoleV, RoleY, RoleZ
  The reason is, i want to create authorization policies, which allows the user to assign specials roles. The problem is, that a lot of roles will be added during the operation. This means, if a new role will be created, i have to edit the authorization policy
  The best way is, i assign a Role-Container to the authorization policy. If i create a new role, i add the role to the special container.
  Is this possible in OIM 11g R1?
  Edited by: 960944 on Apr 3, 2013 5:18 AM

  Yes, you can do that using authorization policy.
  Try this:
  Create a Role called 'X'
  Create a Authorization Policy of Role Management Entity Type called 'X Role Authz Policy' and under the Permission tab:
  Grant Modify Role Membership, Search for ROle, View Role Detail and View Role Membership
  Under Data Constraints: Add all the roles that a user can self assign except SYS ADMIN role.
  Under Assignemnt: Add Role 'X'
  Save and apply to test it.
  You can have a look at the default Role Management All Users Policy for reference.
  Regards,
  Sunny

• Error in oim Role creation using Role Manager Service API from Standalone Java client

  Hi,
    Facing the following error when trying to create Role using Role Manager Service API from a standalone java client .
  Tried with the solution of changing ,
  Login into the Web Logic Admin Console --> Servers --> OIM Server --> Protocols --> Modify the Maximum Message from 100000000 to 1000000000, but still the problem persists.
  Exception in thread "main" org.omg.CORBA.BAD_PARAM:   vmcid: 0x0  minor code: 0  completed: No
  at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
  at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
  at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
  at java.lang.reflect.Constructor.newInstance(Unknown Source)
  at java.lang.Class.newInstance0(Unknown Source)
  at java.lang.Class.newInstance(Unknown Source)
  at com.sun.corba.se.impl.protocol.giopmsgheaders.MessageBase.getSystemException(Unknown Source)
  at com.sun.corba.se.impl.protocol.giopmsgheaders.ReplyMessage_1_2.getSystemException(Unknown Source)
  at com.sun.corba.se.impl.protocol.CorbaMessageMediatorImpl.getSystemExceptionReply(Unknown Source)
  at com.sun.corba.se.impl.protocol.CorbaClientRequestDispatcherImpl.processResponse(Unknown Source)
  at com.sun.corba.se.impl.protocol.CorbaClientRequestDispatcherImpl.marshalingComplete(Unknown Source)
  at com.sun.corba.se.impl.protocol.CorbaClientDelegateImpl.invoke(Unknown Source)
  at org.omg.CORBA.portable.ObjectImpl._invoke(Unknown Source)
  at com.sun.org.omg.SendingContext._CodeBaseStub.meta(Unknown Source)
  at com.sun.corba.se.impl.encoding.CachedCodeBase.meta(Unknown Source)
  at com.sun.corba.se.impl.io.IIOPInputStream.getOrderedDescriptions(Unknown Source)
  at com.sun.corba.se.impl.io.IIOPInputStream.inputObjectUsingFVD(Unknown Source)
  at com.sun.corba.se.impl.io.IIOPInputStream.simpleReadObject(Unknown Source)
  at com.sun.corba.se.impl.io.ValueHandlerImpl.readValueInternal(Unknown Source)
  at com.sun.corba.se.impl.io.ValueHandlerImpl.readValue(Unknown Source)
  at com.sun.corba.se.impl.encoding.CDRInputStream_1_0.read_value(Unknown Source)
  at com.sun.corba.se.impl.encoding.CDRInputStream.read_value(Unknown Source)
  at oracle.iam.identity.rolemgmt.api._RoleManager_ogut7n_RoleManagerRemoteRIntf_Stub.createx(Unknown Source)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
  at java.lang.reflect.Method.invoke(Unknown Source)
  at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:85)
  at $Proxy2.createx(Unknown Source)
  at oracle.iam.identity.rolemgmt.api.RoleManagerDelegate.create(Unknown Source)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
  at java.lang.reflect.Method.invoke(Unknown Source)
  at Thor.API.Base.SecurityInvocationHandler$1.run(SecurityInvocationHandler.java:68)
  at weblogic.security.subject.SubjectProxy.doAs(SubjectProxy.java:64)
  at weblogic.security.subject.SubjectManager.runAs(SubjectManager.java:262)
  at weblogic.security.Security.runAs(Security.java:48)
  at Thor.API.Security.LoginHandler.weblogicLoginSession.runAs(weblogicLoginSession.java:52)
  at Thor.API.Base.SecurityInvocationHandler.invoke(SecurityInvocationHandler.java:79)
  at $Proxy3.create(Unknown Source)
  at com.idm.role.CreateRole.createRole(CreateRole.java:113)
  at com.idm.role.CreateRole.main(CreateRole.java:167)
  Thanks In Advance

  Hi , I have used OIM 11g  R2.
  Please find below the code we have used,
  package com.idm.role;
  import java.util.HashMap;
  import java.util.HashSet;
  import java.util.Hashtable;
  import java.util.Iterator;
  import java.util.Set;
  import java.util.logging.Logger;
  import javax.security.auth.login.LoginException;
  import oracle.iam.identity.exception.NoSuchRoleException;
  import oracle.iam.identity.exception.RoleAlreadyExistsException;
  import oracle.iam.identity.exception.RoleCreateException;
  import oracle.iam.identity.exception.RoleLookupException;
  import oracle.iam.identity.exception.RoleModifyException;
  import oracle.iam.identity.exception.SearchKeyNotUniqueException;
  import oracle.iam.identity.exception.ValidationFailedException;
  import oracle.iam.identity.rolemgmt.api.RoleManager;
  import oracle.iam.identity.rolemgmt.api.RoleManagerConstants;
  import oracle.iam.identity.rolemgmt.vo.Role;
  import oracle.iam.platform.OIMClient;
  import oracle.iam.platform.authz.exception.AccessDeniedException;
  public class CreateRole {
  private final static Logger LOGGER = Logger.getLogger(CreateRole.class .getName());
  OIMClient oimClient = null;
  public OIMClient connectToOIM() {
    LOGGER.info("In connectToOIM ");
    Hashtable env = new Hashtable();
    env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL,
      "weblogic.jndi.WLInitialContextFactory");
    env.put(OIMClient.JAVA_NAMING_PROVIDER_URL,
      "t3://V-hydidm1.itig.co.in:14000");
    System.setProperty("java.security.auth.login.config",
      "F:\\Projects\\IDM\\Team\\Env_setup\\OIM_Setup\\designconsole\\config\\authwl.conf");
    System.setProperty("java.security.policy",
      "F:\\Projects\\IDM\\Team\\Env_setup\\OIM_Setup\\designconsole\\config\\xl.policy");
    System.setProperty("OIM.AppServerType", "wls");
    System.setProperty("APPSERVER_TYPE", "wls");
    System.setProperty("weblogic.Name", "oim_server1");
    oimClient = new OIMClient(env);
    try {
     oimClient.login("xelsysadm", "Passw0rd".toCharArray());
    } catch (LoginException e) {
     e.printStackTrace();
    System.out.println("Connected");
    return oimClient;
  public void readRoleMetadata() {
    LOGGER.info("in readRoleMetadata ");
    RoleManager roleManagerService = oimClient
      .getService(RoleManager.class);
    try {
     Role roleVo = roleManagerService.getDetails(
       RoleManagerConstants.ROLE_DISPLAY_NAME, "API Role1", null);
     Set attributeNameSet = roleVo.getAttributeNames();
     Iterator it = attributeNameSet.iterator();
     while (it.hasNext()) {
      System.out.println("Attribute Name :: " + it.next());
     // roleVo.setAttribute("ADentitlements", "Security Admin access");
     String adEntitlements = "" + roleVo.getAttribute("ADentitlements");
     System.out.println("AD Entitlements :: " + adEntitlements);
     System.out.println("DB Entitlements :: " + ""
       + roleVo.getAttribute("DBEntitlements"));
     System.out.println("Unix Entitlements :: " + ""
       + roleVo.getAttribute("UnixWindows"));
     System.out.println("VPN :: " + "" + roleVo.getAttribute("VPN"));
    } catch (SearchKeyNotUniqueException e) {
     e.printStackTrace();
    } catch (NoSuchRoleException e) {
     e.printStackTrace();
    } catch (RoleLookupException e) {
     e.printStackTrace();
    } catch (AccessDeniedException e) {
     e.printStackTrace();
  public void createRole() {
    LOGGER.info(" in Create role ");
    RoleManager roleManagerService = oimClient
      .getService(RoleManager.class);
    HashMap<String, Object> roleCreationAttrMap = new HashMap<String, Object>();
    roleCreationAttrMap.put(RoleManagerConstants.ROLE_NAME, "API Role1");
    roleCreationAttrMap.put(RoleManagerConstants.ROLE_DESCRIPTION,
      "This Role is created using API Role1");
    roleCreationAttrMap.put(RoleManagerConstants.ROLE_DISPLAY_NAME,
      "API Role1");
    roleCreationAttrMap.put("ADentitlements", "API Role1 AD Entitlements");
    roleCreationAttrMap.put("DBEntitlements", "API Role1 DB Entitlements");
    roleCreationAttrMap.put("VPN", "No");
    roleCreationAttrMap.put("UnixWindows", "API Role1 Unix Entitlements");
    Role roleVo = new Role(roleCreationAttrMap);
    try {
     System.out.println(" Before Create role *********************************************");
     roleManagerService.create(roleVo);
     System.out.println("Role Created .. ");
    } catch (ValidationFailedException e) {
     e.printStackTrace();
    } catch (RoleAlreadyExistsException e) {
     e.printStackTrace();
    } catch (RoleCreateException e) {
     e.printStackTrace();
    } catch (AccessDeniedException e) {
     e.printStackTrace();
  public void modifyRole() {
    LOGGER.info(" in modifyRole ");
    RoleManager roleManagerService = oimClient
      .getService(RoleManager.class);
    Role roleVo;
    try {
     roleVo = roleManagerService.getDetails(
       RoleManagerConstants.ROLE_DISPLAY_NAME, "API Role1", null);
     String roleKey = roleVo.getEntityId();
     HashMap<String, Object> roleCreationAttrMap = new HashMap<String, Object>();
     roleCreationAttrMap.put("ADentitlements",
       "Updated API Role1 AD Entitlements");
     Set roleKeySet = new HashSet<String>();
     roleKeySet.add(roleKey);
     Role roleVoNew = new Role(roleCreationAttrMap);
     roleManagerService.modify(roleKeySet, roleVoNew);
     System.out.println("Role Modified ..");
    } catch (SearchKeyNotUniqueException e) {
     e.printStackTrace();
    } catch (NoSuchRoleException e) {
     e.printStackTrace();
    } catch (RoleLookupException e) {
     e.printStackTrace();
    } catch (AccessDeniedException e) {
     e.printStackTrace();
    } catch (ValidationFailedException e) {
     e.printStackTrace();
    } catch (RoleModifyException e) {
     e.printStackTrace();
  public static void main(String args[]) {
    CreateRole miscObj = new CreateRole();
    miscObj.connectToOIM();
    miscObj.createRole();
    //miscObj.readRoleMetadata();
  Thanks In Advance .

• OIM 11g-configure SoD so that it works for direct provisioning of the roles

  Dear All,
  page 23-3 of Developer's Guide (OIM 11g) provides information regarding configuration of the SoD for Direct provisioning of the resources. How to configure SoD so that it works for direct provisioning of the roles?
  Thank you for your time
  Maria

  Rajiv,
  I did not find the documentation regarding this. But I hoped I will.
  In my project we assign roles directlly, not resources.
  I suspect the integration with Role Manager is required in this case. SoD module in OIA should be used then.
  Maria

• API of Resource object managment - OIM 11g R2

  Hi All,
  I want to provision a resource (say 'AD User') from a post event handler (OIM 11g R2) during user creation.
  Please tell me the API to be used.
  In OIM 10g, we can use 'tcObjectOperationsIntf' interface to operate on resource objects. what API is its replace in OIM 11g R2?
  Thanks in Advance.

  Create a role and add a rule membership to that role using your custom attribute.
  Create an access policy to provision AD resource and use the role created above while creating access policy. There will be a schedule task with the name "Evaluate user access policies". Change its schedule to run for every 1 minute.
  Now, create a user who satisfies the above role membership and make sure this user got the role membership. Immediately after a minute, this new user should be provisioned to AD resource automatically.

• Weblogic Managed server not starting after installing OIM 11g

  Hi All,
  I have installed OIM 11g successfully and I am able to start the WL Admin Server. But when I try to start the Managed Server for OIM (oim_server1), the screen just disappears and do not generate any logs.
  I haven't used the WL JDK while installing, used seperate JDK. Does it create any problem in starting the managed Server.
  Please help in solving this..
  Thanks,
  anag

  Hi,
  How are you starting the managed server, is it like this?
  xlStartManagedServer.cmd oim_server1 <URL of admin server>
  ~ Ketan

• Regarding Authorization policy and Roles in OIM 11g

  Hi,
  In OIM 11g Admin interface, is there a way to find out what all authorization polices, a role has been assigned to ?.
  I am asking this because, if you search for a user, you will know what all roles he is a member of, and similarly if you search for a role, you will know who all users are members of that role.
  Similarly, if you search for a Authorization policy, you will know what are roles are assigned to this policy. But if I search for a role, I am not able to find what all authorization policies has been assigned to this role.
  Looking forward to hearing from you,
  Many thanks in advance

  I understand your concern. But, this feature has not been available
  --nayan                                                                                                                                                                                   

• Manage OIM 11g System Properties via API

  Can someone please help me understand how to use the OIM 11g API to manage OIM System Properties. In the prior version I was able to use the tcPropertyOperationsIntf class, but it looks like this now only supports reading the attributes, but I need the ability to update and delete properties from the API.
  What is the proper API to use to implement this in an EventHandler class that extends tcBaseEvent?
  Thanks!

  Hey,
  Sorry to revive this pretty old thread, but it's still unanswered and I would be interested in having the answer to this question...
  Thanks,
  --jtellier