Roles in IDM,,,

Similar Messages

• SAP Technical roles and IDM Business roles mapping

  Hi Guys
  Just wondering if there is an easy way to export SAP Positions and create them automatically as Business Roles in IDM and the SAP technical roles that are related to that corresponding position into privledges assigned to that Business Role. Or am I going about this the wrong way? What do you normally do in terms of getting all your sap technical roles from the sap system and assigning them to business roles in IDM. Any help on this is much appreciated?
  Cheers
  Leo

  Thanks Matt,
  I think get I the picture now
  One thing that I am still not sure about is how the sap abap technical roles or profiles are provisioned through workflow
  Here is what Ive done so far
  1. HCM data loaded into productive identity store via vds
  2. Did an initial load of the abap system into the productive identity store (now the technical roles and profiles are loaded as privileges in the idstore)
  3. Through workflow I select a user that already has an abap account and assign that user some additional sap technical roles, for e.g. sap_all and sap_new. The corresponding privileges for these roles are namely PRIV:PROFILE:ECX:SAP_ALL and PRIV:PROFILE:ECX:SAP_NEW .
  4. For the provisioning to occur so that these new privileges are reflected in the ABAP system for this user, I have used the setABAPRole&ProfileForUser task from sap provisioning framework folder and set it as the add/mod/del  event task for the MXREF_MX_PRIVILEGE attribute. That way whenever a privilege is added to a user account the setABAPRole&ProfileForUser task will run and the sap_all and sap_new profiles will be added in the backend. This way I can avoid setting a provisioning task for each abap privilege that gets loaded.
  But it should be obvious now that there is a flaw with this kind of setup, because all non abap privileges that get added or removed will trigger the setABAPRole&ProfileForUser task anyway because the privileges use the same attribute i.e.MXREF_MX_PRIVILEGE. So it brings me to the question how do you provision abap technical roles or profiles through workflow without setting a provisioning task for each abap related privilege.
  Thanks again for all your help!
  Leo

• Issue while changing validity date for assigned roles: SAP IDM 7.2 SP8

  Hello Experts
  I assigned the Task on repository for validity modification for Roles as in below screenshot:
  When I modify the role validity, Task defined for Validity modification doesnt get triggered and IDM executes the tasks defined as Modify Task and fails with below errors:
  1. Could not obtain repository name from Pending object.
  2. Error ! Audit id , Variable doesnt exist in MXPT_GET_ENTRYTYPE.
  I tried checking provisioning audit logs but could'nt find any Audit ID created for validity modification and I guess due to this tasks are getting cancelled.
  Why the task defined in Modify Valdity tasks doesnt get triggered when I modify the Role assignment validity ?
  Am I doing anything wrong with the SAP Standard way of working ?
  Regards
  Deepak Gupta

  Hi Deepak/Chris,
  We are also facing a similar issue in our project where modifying validity of the role does not trigger any task. We then changed the Modify attribute(in task tab) on the priveleges to "inhereted".
  The modify task is now triggered and completes successfully. However, no changes occur in backend.
  We need unedrstand where do we maintain the setting to define which attributes(if changed) will trigger an event task in the provisioning framework. the "check attributes modification" task within the provisioning framework executes the below query:
  select COUNT(VarName) from mxpv_audit_variables where AuditID=%AUDITID% and VarValue='%MSKEY%' and VarName='MARK_EXEC_MODIFY_ATTR%MSKEY%'
  The query gives the result as "False" in case we only modify the validity of the role assigned to user. Thus no event tasks are executed for the same.
  Can anyone please share where do we define the attributes for this query to give "True" as result for role validity modification.
  regards,
  Nits

• Problems with roles in IDM 8?

  I'm running a brand new install of IDM 8 on JBoss 4.2.2 GA, all steps are performed as configurator.
  I create a new user.
  I create a Business Role with a Required IT Role.
  I assign the business Role to the user, both the Business Role and the IT Role stands as Pending Save.
  I click Save. Both roles are in the Changes list.
  But when I select the user and select roles, Only the Business role is assigned - The IT Role is still Pending Save. And the business role is listed as an IT Role.
  Clicking Save again shows that roleInfos only contains the Business role. Save again shows the same changes as when first assigning the role. But the user still doesn't have the IT Role.
  Has anyone seen this behavior?
  Or even better: Can anyone give me a hint how to fix this problem?
  Best regards
  Stefan

  Version 8.0 Patch 1 -- http://sunsolve.sun.com/show.do?target=patches/zp-NetworkInternet#identitymanager
  Fixed a problem that caused Identity Manager running on JDK 1.6 to fail to assign roles assigned to a Business Role. A symptom of the problem included Identity Manager identifying a Business Role as an IT Role after the Business Role was assigned. This problem was limited to JDK 1.6. (ID-19086)

• Synchronize SAP Roles with IDM Roles

  Hi, i have a question concerning SAP integration in IDM.
  Is it possible to import the Roles from SAP (named Activity groups) in IDM? And how does the "synchronize identity system roles with resource roles" function work?
  Thanks in advance!
  gojo

  The job synchronizes FND Users with the Workflow directory service (plus any other systems you specify). PER is a special case, and will only be synchronized with the Workflow directory service if they are associated with a user - otherwise the records are not included. If they have corresponding HZ_PARTY records, then these may be synchronized, but should not really be used for notifications, since there is no login mechanism for the users to view the notification sent to a party record.
  HTH,
  Matt
  WorkflowFAQ.com - the ONLY independent resource for Oracle Workflow development
  Alpha review chapters from my book "Developing With Oracle Workflow" are available via my website http://www.workflowfaq.com
  Have you read the blog at http://thoughts.workflowfaq.com ?
  WorkflowFAQ support forum: http://forum.workflowfaq.com

• Query timedout expired error while removing PRIV from a Role in IDM

  I am trying to remove a PRIV from a role and i am getting Query timeour error.
  I tried removing this PRIV from workflow and there it takes some time to process and then i get a promt of error which is staying for a sec and then i get to home page.
  I also tried removing this PRIV from Identity center and there I get error window like this:
  Method: Save Identity Store Privilege
  Source: Microsoft SQL Native Client
  Error: 80040E31h (-2147217871)
  Description: Query timedout expired.
  this is the error i am getting when i try.
  This is very critical role assigned to many users.
  Please check this and let me know if you need any more information to understand and give a solution.
  FYI: I am on SAP Netwearver 7.0 version.
  This role is assigned to almost 1150 users in the system.
  Since, I dint see anyone giving answer for this, may be this helps to analyse the solution for this.
  Edited by: ARUN KUMAR AKUTHOTA on Apr 28, 2010 3:33 PM

  Dear Sabita,
  Any update if this has been fixed in SP13 or SP14. We are planning to upgrade to SP13.
  We are unable to do even provisioning in multiple systems. Only in 1 system role is getting provisioned and other system its not happening. Same situation for removal of roles also.
  Also, we have not upgraded the ABAP patches in A2D system to synch with GRC SP9, whereas in R1D the patches are in synch with GRC SP9. But the issue is happening with R1D system (patches are in Synch) and not in A2D system.
  Thanks and Best Regards,
  Srihari.K

• AD LDAP for Authentication but ABAP or IDM for Role Assignments

  Hi Portal Gurus,
  Is it possible to configure the UME in such as way so that it connects to the AD for authentication purposes but uses the CUA or SAP Identity Manager for role assignments?
  Thanks,
  Vibhu

  Hi,
  Thanks for the suggestion. But ours was a different problem.
  The issue was with a faulty reconciliation job that had been fixed. But it had done its damage before the fix and this caused the inconsistent behavior.
  During the reconciliation job (to update changed and add new backend roles in IDM) various task trigger attributes get disabled and then re-enabled after the import. These disabled triggers did not get re-enabled for the privileges on some systems. And the reconciliation job was also delta enabled, so only new privileges, after the initial load, should have been impacted. But impact to many privileges -- all privileges of some target systems -- misled our investigation. The timing of the reconciliation job executions kind of added to the confusion and inconsistencies during the initial setup. But we finally tracked this down and wrote a custom job to fix the triggers for only the affected privileges. Assignments to all systems started to function successfully as expected.
  Best regards,
  Ashok

• Role assignments not set in ABAP but IdM indicates OK status

  Hi,
  We went live with IDM 7.2 SP8 last month. We have started to see issues with Business Role assignments in target systems. Generally, BR assignments are parsed to respective privileges and assigned correctly. Sometimes privileges in one target will get assigned but not in another target. Occassionally assigning privileges to one target does not get through either. In all cases the IdM assignment is marked as 'OK', but when we check the backend the assignment is not there. Log entries don't show any jobs triggered for the target that failed to update (and consequently there is no log entries in that target either). But why would IdM mark the specific privilege as 'OK' status -- it should either remain 'Pending' or 'Failed' but certainly not 'OK'.
  This effect is inconsistent -- it works correctly at times and fails at others -- increasingly more failures. There is nothing different about the users or environment. We see this in ECC, BW, GTS, etc. We have 36 prd and non-prd systems linked systems. Initially we thought this only affected prd systems as BR's only have prd privileges and the PRD targets are load-balanced. For non-prd systems the assignments are direct privileges, not BRs, and they are not load-balaced. We are now seeing this in behavior in all environments for BR's or direct privilege assignments, in prd and non-prd targets.
  Since BR's have appovers we cannot remove BR's and re-assign in production. So for non-prd targets we have removed the privileges, those that indicated 'OK' but did not get set in the target, and reapplied -- the privileges get deleted successfully without any corresponding job being triggered and then when we re-add it the assignment goes into 'OK' status without any job being triggered.
  When we tried assigning another user the same privileges it went through fine to the target and IDM marked 'OK' -- exactly as it is supposed to work (non-prod privileges have no approvals).
  We are not able to re-produce this in our DEV environment -- the targets are non-load balanced. The assignments work consistently, both BR's and privileges.
  Has anyone seen such behavior by IdM?
  Thanks for your thoughts.
  Ashok

  Hi,
  Thanks for the suggestion. But ours was a different problem.
  The issue was with a faulty reconciliation job that had been fixed. But it had done its damage before the fix and this caused the inconsistent behavior.
  During the reconciliation job (to update changed and add new backend roles in IDM) various task trigger attributes get disabled and then re-enabled after the import. These disabled triggers did not get re-enabled for the privileges on some systems. And the reconciliation job was also delta enabled, so only new privileges, after the initial load, should have been impacted. But impact to many privileges -- all privileges of some target systems -- misled our investigation. The timing of the reconciliation job executions kind of added to the confusion and inconsistencies during the initial setup. But we finally tracked this down and wrote a custom job to fix the triggers for only the affected privileges. Assignments to all systems started to function successfully as expected.
  Best regards,
  Ashok

• SAP IDM 7.1 Role assignment issue

  Hello IDM Experts,
  I am facing one critical issue here. We have connected SAP GRC with SAP IDM for risk analysis and CUP approvals and then once the approvers have approved the requests, IDM assigns these approved roles to users in backend SAP Systems.
  We are now facing issue here past 1-month. Before we never faced this issue.
  The issue is when the Roles are approved from GRC-CUP AC 5.3, post the approvals, the IDM is pulling the data and some of the roles are not getting assigned in SAP Backend systems. In the 1st and 2nd attempt it is not getting assigned however sometimes in the 3rd attempt it is getting assigned. This kind of weird behavior we have come across first time.  Has anyone come across such issues before?
  What could be the possible reason for the roles not getting assigned in SAP Backend system from IDM?
  We checked everything right from dispatchers, connectors, workflow, SQL Logs, Job logs but we are unable to figure out the reason for this issue.
  Do we need to restart the dispatcher or is there any issue with cache memory? 
  Can anyone help here to resolve this High Priority issue?
  Thanks in advance!

  IDM Experts,
  Can I get response on this topic from the experts?
  Will restarting the dispatchers help in this situation? Is this related to housekeeping issue of dispatcher.
  Why are some roles from IDM are not getting assigned in SAP Backend system? Also it is getting rejected 1st and 2nd time and during 3rd time it is getting approved. Please advise
  Regards
  Malini Rao

• Idm-Vaau Rbac role creations and mapping

  Hi All,
  I'm working on the integration between Idm and Vaau's Rbacx (role based access control) tool for role creation and provisioning...I've imported the spml.xml and SPMLGetObjectsform.xml into Idm for the SPML calls between Rbacx and Idm.
  The challenge I'm facing is mapping the attributes of Rbacx roles to enable the attributes to be populated in Idm...I'm able to export roles into Idm, but they are not populating with any attributes eg. resource type, resource attribute etc. I'm uncertain as to where I have to map these properties and do any customization for this to work. I would appreciate if anyone who has worked on this or know how to do this, to pls give me some pointers/share your experience. I don't have any documentation to refer to and am doing everything on trial and error basis.
  Any help is greatly appreciated!
  Thank you.

  Hi newbie,
  Were you able to solve this issue? I am facing the same problem while assigning resource attributes for a created role using a custom workflow.
  This is where I set the resource attributes in my workflow:
  <Action id='1'>
  <expression>
       <block trace='true'>
       <set><ref>role</ref><s>assignedResources[AD].attributes[AD Groups].valueType</s><ref>ADGroupsValueType</ref></set>
       <set><ref>role</ref><s>assignedResources[AD].attributes[AD Groups].requirement</s><ref>ADGroupsRequirement</ref></set>
       <append><ref>role</ref><s>assignedResources[AD].attributes[AD Groups].value</s><ref>ADGroupsValue</ref></append>
       </block>
  </expression>
  </Action>
  where <ref>ADGroupsValue</ref> contains the attribute value.
  thanks,
  Lokesh

• Error while assigning roles to java users

  Hi Experts,
  I am trying to create a user on a Java system ( databse not LDAP) and assign a role. I am able to create a user successfully but it fails with following error;
  Pass: SetJavaRole&GroupForUser.
  Error putNextEntry failed storingtestidm123
  Exception from Add operation:com.sap.idm.ic.ToPassException: No such objectclass defined
  Exception from Modify operation:com.sap.idm.ic.ToPassException: SPML exception: No valid id to modify defined
  ACCOUNTD1U testidm123
  MXREF_MX_PRIVILEGE 316
  MX_ENTRYTYPE MX_PERSON
  DISPLAYNAME test user
  MX_LASTNAME idm
  MX_FIRSTNAME test
  ACCOUNTD1E testidm123%
  TEMPACCOUNTD1E testidm123
  MSKEY 6179
  MSKEYVALUE testidm123
  The pass reads as follows;
  SPMLID : %MSKEYVALUE%
  assignedrole : PRIV:ROLE:SID:idm.authenticated
  Regards,
  Shailesh
  Edited by: Shailesh Deshpande on May 3, 2011 6:43 PM

  Hi Shailesh,
  Can you please take a look at note 1476301. I hope it helps.
  Thanks,
  Anderson

• Error while provisioning roles (SetABAPRole&ProfileForUser)

  Hi Experts
  While provisioning roles in IDM 7.2, I see this error in the Job logs:
  Failed running function in string "$FUNCTION.sap_abap_getNameOfAssignedPendingPrivileges(mskey!!repname!!role!!true)$$". Marking entry as failed. Exception was: undefined: "sap_abap_convertToABAPValidFromDate" is not defined.
  I am getting this error only if I provision the existing SAP users. Assigning any role to a new user works fine. Went through both the above mentioned scripts, but don't see any Problem there.
  What am I missing here?
  Best regards
  Annapurna

  Hi Annapurna,
  I was just going through the setup in our landscape and noticed that we have only one script for Assign User Membership to ABAP which is "sap_abap_getNameOfAssignedPendingPrivileges"
  As mentioned by Jai earlier, we have the same script as Jai.
  Can you try by using the below script for "sap_abap_getNameOfAssignedPendingPrivileges" and delete the other two and try to execute?
  Not sure, if this could work, but maybe can give a try.
  Script below:
  ===============================================
  // Main function: sap_abap_getNameOfAssignedPendingPrivileges
  * Returns a list of all privileges with properties {validfrom, validto} of the
  * passed user for the passed repository and the passed privilege type.
  * It contains all already assigned privileges plus/minus the delta of the
  * current pending added and/or removed privileges.
  * Note: Needed by connectors that always send the complete list of privileges
  *       to the backend, e.g. ABAP, BusinessSuite, JAVA
  * @param {Par} Format:
  * MSKEY of user!!repository name!!privilege type<!!includeValidityProperty>
  *              e.g. 172645!!BQQ001!!PROFILE!!TRUE
  * @return {String} List of Privilege (backend) names in format:
  * if includeValidityProperty is defined as true, then
  * {VALIDFROM=<date>!!VALIDTO=<date>}<priv>|{VALIDFROM=<date>!!VALIDTO=<date>}<priv>|{VALIDFROM=<date>!!VALIDTO=<date>}<priv>
  * else
  * <priv>|<priv>|<priv>
  function sap_abap_getNameOfAssignedPendingPrivileges(Par) {
  importClass(java.lang.StringBuffer);
  // enable this flag (tracingEnabled) only for debugging purposes as this will impact the performance
  var tracingEnabled = false;
  uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: is called with " + Par);
  var parameters = Par.split("!!"); 
  var mskey = parameters[0];
  var repositoryName = parameters[1];
  var privilegeType = parameters[2];
  var addValidityProperty = false;
  if (parameters.length > 3 && parameters[3] != null && parameters[3].toLowerCase() == "true") {
  addValidityProperty = true;
  uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: mskey: " + mskey);
  uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: repositoryName: " + repositoryName);
  uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: privilegeType: " + privilegeType);
  uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: addValidityProperty: " + addValidityProperty);
  var nolock = "";
  if("%$ddm.databasetype%" == 1) { //MS-SQL
  nolock = "WITH (NOLOCK)";
  if (tracingEnabled) {
  sap_debug_logUserAssignments(mskey);
  * - get only assignments (mcLinkType = 2)
  * - get all assignments of current entry X (mcLinkState = 0, mcExecState = 1 & mcDisabled = 0)
  * - and with assignments in state "pending add" (mcLinkState = 1 & mcExecState = 512 or 513,
  mcDisabled can be 1 e.g. if the user gets reactivated)
  * - assignments with mcExecState 2 (Rejected) and 4 (Failed) are not included. If a failed
  * assignment gets retried, the state changes immediately to pending.
  * - for specfified repository Y
  * - and privilege type Z
  * - add member task must have been running for the privilege (mcAddAudit IS NOT NULL)
  -> no future assignments
  -> no assignments for which an approval will be done but approval task is not yet running
  * - no privileges for which an approval is needed/running
  * mcValidateAddAudit < mcAddAudit <- approval is already done
  * or mcValidateAddAudit IS NULL <- if no approval is necessary
  * - no duplicate privilege names (-> SELECT DISTINCT) in case of contexts
  var sql = "SELECT DISTINCT privilegename.mcMSKEYVALUE, assignment.mcValidFrom, assignment.mcValidTo \
  FROM idmv_value_basic_all repositorynames " + nolock + " \
  INNER JOIN idmv_value_basic_all privilegetype " + nolock + " ON privilegetype.mskey = repositorynames.mskey \
  INNER JOIN idmv_entry_simple privilegename " + nolock + " ON privilegename.mcMSKEY = repositorynames.mskey \
  INNER JOIN mxi_link assignment " + nolock + " ON assignment.mcOtherMskey = repositorynames.mskey \
  WHERE assignment.mcThisMskey = " + mskey + " \
  AND assignment.mcLinkType = 2 \
  AND (\
  (assignment.mcLinkState = 0 AND assignment.mcExecState = 1 AND assignment.mcDisabled = 0) \
  OR (\
  assignment.mcLinkState = 1 AND assignment.mcExecState  IN (512,513) \
  AND ( \
  (assignment.mcAddAudit > assignment.mcValidateAddAudit) \
  OR \
  (assignment.mcAddAudit IS NOT NULL AND assignment.mcValidateAddAudit IS NULL) \
  AND repositorynames.attrname = 'MX_REPOSITORYNAME' AND repositorynames.SearchValue = '" + repositoryName + "' \
  AND privilegetype.attrname = 'MX_PRIVILEGE_TYPE'  AND privilegetype.SearchValue = '" + privilegeType + "'";
  //result looks like privMskeyValue!!privMskeyValue!!privMskeyValue
  var result = uSelect(sql);
  uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: SQL Query:\n" + sql);
  uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: Result: " + result);
  var allPrivsStringBuf = new StringBuffer();
  var firstElement = true;
  if (result != null && result != "") {
  var resultArray = result.split("!!");
  for (var i = 0; i < resultArray.length; i++) {
  var columns = resultArray[i];
  var columnArray = columns.split("|");
  //privMskeyValue is like PRIV:<type>:<repository>:<privilegeName>
  var privMskeyValue = columnArray[0];
  var repTemp = privMskeyValue.split(":");
  var repstring = repTemp[0] + ":" + repTemp[1] + ":" + repTemp[2] + ":";
  var privName = uReplaceString(privMskeyValue, repstring, "");
  if (!firstElement) {
  allPrivsStringBuf.append("|");
  if (addValidityProperty) {
  var validfrom = columnArray[1];
  var validto = columnArray[2];
  allPrivsStringBuf.append("{VALIDFROM=");
  allPrivsStringBuf.append(validfrom);
  allPrivsStringBuf.append("!!VALIDTO=");
  allPrivsStringBuf.append(validto);
  allPrivsStringBuf.append("}");
  allPrivsStringBuf.append(privName);
  firstElement = false;
  var allPrivs = String(allPrivsStringBuf); // must be casted explicitly to String
  uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: Calculated privileges for " + Par + " are: " + allPrivs);
  return allPrivs;
  * Prints out all assignments the user has (also all assignments in pending remove state etc.)
  function sap_debug_logUserAssignments(mskey) {
  var columns = "mcUniqueId, mcThisMSKEY, mcOtherMSKEY, mcAttrName, mcThisOcName, mcOtherOcName, mcThisMSKEYVALUE, mcOtherMSKEYVALUE, mcLinkState, mcAssignedDirect, mcAssignedInheritCount, mcExecState, mcExecStateHierarchy, mcChangeNumber, mcGroupGuid, mcLastAudit, mcAddedTime, mcModifyTime, mcValidateAddAudit, mcAddAudit, mcContextMSKEY, mcContextCategory, mcContextStr1, mcContextStr2, mcOrphan, mcSoDViolation, mcNotAllowedFor, mcUnsupportedContextType, mcMissingConditionalContext, mcDisabled, mcRequestID";
  var debugSql = "SELECT " + columns + " FROM idmv_link_ext WHERE mcThisMskey = " + mskey + " ORDER BY mcUniqueId";
  var debugResult = uSelect(debugSql);
  //format output
  debugResult = uReplaceString(debugResult, "!!", "\n");
  debugResult = uReplaceString(debugResult, "\|", "\t");
  columns = uReplaceString(columns, ", ", "\t");
  uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: Debug SQL Query:\n" + debugSql);
  uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: Debug Result:\n" + columns + "\n" + debugResult);
  Thanks & Regards,
  V!

• ABAP Role Assignments stored in MSAD

  Hi all,
  unfortunately I have only found contradicting information in relation to the possibility to manage ABAP role assignments using a MS Active Directory.
  We plan to implement a WAS (ABAP) 6.40 SP14, synchronise data between the WAS and the corporate MSAD. While WAS (ABAP) is not capable of MSAD based authentication I suspect it is possible to manage the user/role assignments in MSAD. Am I right in my assumptions (see list below) that the following data entities can/cannot be managed and synchronised/stored with the WAS (ABAP) out of the box?
  WAS ABAP
  1. possible - user master data (e.g. userName, address, etc.)
  2. possible - user/role assignments
  3. not possible - user passwords (however, can be bypassed through SSO based on NTLM)
  Portal UME
  1. possible  - user master data
  2. possible - user password
  3. possible - role/group assignments
  4. possible - group/user assignments
  5. possible - user/group assignments
  6. possible - user/role assignments
  Thanks for the help!!
  Cheers Stefan

  Hi,
  Thanks for the suggestion. But ours was a different problem.
  The issue was with a faulty reconciliation job that had been fixed. But it had done its damage before the fix and this caused the inconsistent behavior.
  During the reconciliation job (to update changed and add new backend roles in IDM) various task trigger attributes get disabled and then re-enabled after the import. These disabled triggers did not get re-enabled for the privileges on some systems. And the reconciliation job was also delta enabled, so only new privileges, after the initial load, should have been impacted. But impact to many privileges -- all privileges of some target systems -- misled our investigation. The timing of the reconciliation job executions kind of added to the confusion and inconsistencies during the initial setup. But we finally tracked this down and wrote a custom job to fix the triggers for only the affected privileges. Assignments to all systems started to function successfully as expected.
  Best regards,
  Ashok

• Roles are not saving in idm6.0

  hi everybody,
  in my create user workflow i am getting the all the details from a form and then creating a view and then setting the idm atributes with the form values and then provisioning .
  my problem is i could not able to set the role in idm.
  my code is :
  <set name='user.waveset.roles'>
  <ref>roles</ref>
  </set>
  where roles is the form field value .
  the allowed values of the field are contractor,manager,employee.
  i select one role in the form and while setting the idm attributes i am assigning the role to the user.waveset.roles.
  but when i checked in the idm interface all the fields like accountid ,firstname,lastname,email and password are set but in the assignment section Role is not assigned .
  please can anybody tell me where i am wrong .
  thanks a lot if anyone can solve this problem

  Hi,
  try to set the role by the following way,
  <set name='userView.waveset.roles'>
  <appendAll>
  <ref>userView.waveset.roles</ref>
  <ref>roles</ref>
  </appendAll>
  </set>
  hope this might help you.
  Regards,
  Ashok

• How to add dynamically a role in a Request Template

  Hi all,
  We have created a job that reads roles from a custom table and creates them in IDM. We have also a request template of type Assign Roles that has all the allowed roles that can be assigned to a user. We have a requirement to add a role from the custom table in the IDM and also add it in allowed roles of the Request Template so that it will be available. Our problem is that we cannot find an API that we can call in order to add the roles in the request template. Does anyone know how we can do this?
  Thanks in advance,
  Kostas

  Did you look at RequestTemplateService? I believe you can use this to modify your template pragmatically. Thus the step would be to read the custom table, create role in IDM and the modify the template pragmatically to add the newly created role in the available role which can be requested.
  http://download.oracle.com/docs/cd/E14571_01/apirefs.1111/e17334/oracle/iam/request/api/RequestTemplateService.html
  HTH,
  BB