Rule in OIM

We are using access policy based provisioning for AD. In that I came across a rule which is a combination of 2 other rules and an element in this rule itself, evaluated with the AND operator. The first 2 rules check for a specific value in user profile data, and the element added in this rule checks a user defined field in the user form using the == operator against a DB function. The logic in the function is nothing but a select query from a custom table. So how will this rule get evaluated?
It is like X (user defined field in user form in invisible status) == package.function.
When I checked the usr table, almost all the values in this column seem to be null. So what is the specific reason for using a rule element like this? Thanks.
Regards,
Durgaprasad

The given rule expression means:
Rule1: attribute1 == pkg.function1()
Rule2: attribute2 == pkg.function2()
Final Rule: Rule1 AND Rule2 (Rule1 and Rule2 should be true).
That means only if attribute1 AND attribute2 have the specified values will AD get provisioned.
Yes, you could club this under a single rule with the AND operator; there is no need to have two separate rules and then combine them in one. But this is also okay.
The attribute (user defined field in user form in invisible status) has null values in the table. So it may be the logic: if it is visible then the value is numeric (1 or 0), else null. You have to validate that.

Similar Messages

  • References for developing Reconciliation Rules for OIM 11GR1

    Good Day!
    Hi Folks!
    I would like to ask if you can share some references or any documents which tackles on the development or creation of reconciliation rules for OIM 11GR1. Currently, we are trying to pull users from a SAP system and provision them to MS AD. Currently, we want to develop reconciliation rules such that we can avoid doing manual ad-hoc link.
    Aside from the documentation guide, are there any other references there available in helping us to develop recon rules from a simple definition and from there maybe we can pick it up to define a complex one?
    All answers are appreciated.
    Thanks in advance!
    Regards,
    Jeff

    Reconciliation rules support very limited operators. See the link below:
    http://docs.oracle.com/cd/E11223_01/doc.910/e11217/cnnctrcmpnts.htm#CEGJHBDC

  • Reconciliation Rules in OIM 9.1

    Hi,
    I need your input on the problem mentioned below. Let's assume we call the field UserLogin in OIM and UserID in the Target System (Target Systems are Exchange and Active Directory).
    A sample UserLogin is A123456 and a sample UserID is 8123456. Both of these fields are 7 characters long.
    In the Reconciliation rule, we can compare the last 6 characters of both UserLogin (OIM) and UserID (AD) by using the endswith function and transforming with the substring function in Recon Rules of the Design Console. The difficulty is with the second part of the rule: if the above condition evaluates to true, we want to add one more recon rule, which should check whether the UserLogin (OIM) field starts with a number, say 8.
    Can you please let us know how, and what is the efficient/best way of writing this recon rule?
    Thanks for your help in Advance
    Regards

    http://download.oracle.com/docs/cd/E21764_01/doc.1111/e14309/resmgt.htm#CHDDJCAH
    Check : Reconciliation Fields Tab section

  • Nesting of Rules for Auto Group (Role) Membership Rules in OIM 11gR2

    Does anyone know how to nest rules for auto group (role) membership in OIM 11gR2. The General rules in Design Console are no longer used for auto group membership and the rules that can be configured in the Role properties cannot be nested as far as I can see.
    Any info is appreciated.
    Thanks!

    My mistake... this is possible in the web ui.

  • Membership Rule in OIM

    I want to create a membership rule that would encapsulate my business logic but not auto-assign a role to a user. Basically, looking to execute the rule via the OIM APIs and have it provide back a boolean response.
    Is this possible?
    thanks

    Don't think so. Why not have the business logic put into the Java client itself? There are multiple ways there to make it generic and configurable at the Java end. If you are on 11g then probably try using the Business Rules feature of BPM which comes shipped with BPEL in 11g. You can have Java clients for Oracle Business Rules and that would plug into OIM's framework too.
    -Bikash

  • Custom Rules in OIM

    Hi All,
    I have a requirement that when a new user is created in OIM, I need to check if the user's email value ends with @***.com and if yes then I need to add a role for the user. My question is: can we have this condition through the rule designer? Can we achieve it in any other way without using event handlers? I am using OIM 11.1.1.5.0 BP05 version.
    Thanks,
    Rajesh

    You can write a custom scheduled task that scans all user email addresses; if USR CREATED is the current date, then apply your logic.
    - Chellappan S

  • OIM 9.1.0.1 Approval Workflow Selection

    Hello,
    I need some help on how to configure process determination rules for OIM 9.1.0.1
    I have an object form and two approval processes (one requires only one approval and the second one requires two approvals). I would like to be able to decide at runtime which approval process should be triggered using process determination rules based on the object form data.
    I have created two process determination rules as follows:
    Rule1:
    Type: Process Determination
    Sub-Type: Approval
    Object: Resource Name
    Process: Approval Process 1 Name
    Rule: Field Name from object form equals true
    Rule2:
    Type: Process Determination
    Sub-Type: Approval
    Object: Resource Name
    Process: Approval Process 2 Name
    Rule: Field Name from object form equals false
    The problem I have is that OIM seems to be ignoring these rules. I think it might be related to the fact that I am unable to leave both approvals processes with the field "Default Process" unchecked. If I try to uncheck it and save, it gets checked again.
    I feel I am missing something here and I can not find any documentation on how to configure process determination rules, neither in the official documentation nor in Metalink.
    Any hints would be appreciated.
    Thanks

    I am unable to leave both approvals processes with the field "Default Process" unchecked
    You won't be able to do so. At least one process must be the Default Process.
    Just try to create the rule based on a User Definition attribute instead of the form and let us know the results.

  • Error in auto role assignment based on membership rule

    Hi All,
    Now this is a strange behavior I am finding. I had created an auto-membership rule in OIM and had assigned that to a role in my OIM. Now whenever I created a user, and based on a custom attribute that I was setting in the create user page. Now this was working totally fine. After that I did LDAP Sync and all and I am sure it was working even then. Now suddenly the auto assignment of role has stopped working and the user doesn't seem to get the role automatically at all.
    And more strange is the point that when I modify any attribute in the user profile, the membership rule gets triggered just like it should during the user creation.
    Can someone suggest anything for this if they have faced the same?
    Thanks,
    $id

    I had been struggling with Role membership and access policies myself on 11.1.1.5.2.
    Look at the following articles if those help:
    Auto Role Membership Not Getting Evaluated On Create Event With Custom Post-Proccess Event Handler [ID 1469286.1]
    Role Memberships Given, But Access Policies Not Triggered For Enabled Users [ID 1473348.1]
    As for the limited release 11.1.1.5.2AK patch, it changes the way event handlers are triggered and the way access policy is re-evaluated. Also in that patch Oracle has given out new API for getting the service in event handler and that is supposed to bring order and synchronization of the event handlers. As far as confirmation from support goes, the event handlers are same from B2 to B3 and B4. Oracle is waiting to hear from customers about the results of the 11.1.1.5.2AK patch before it would be made available in GA.
    -Bikash
    Ref: {thread:id=2421106}

  • When Role is assigned to User through membership rule then it's membership is not added to OID ?

    Hi All,
    I have OIM 11gR2 installed with LDAPSync enabled.
    When tried to assign Role to User through membership rule, Role is successfully assigned to User in OIM, but it is not added in OID.
    Role membership is added in OID when User requests Role through Catalog search. Also, Role membership is added in OID after running job 'LDAPSync Post Enable Provision Role Memberships to LDAP '.
    How can I add Role membership in OID  as soon as Role is assigned to User  through membership rule in OIM ?

    Hi
    It sounds like you have not selected anything on the Presentation & Data tab of the Workspace Startpoint/User Service.
    You need to specify:
    Your Asset (the form you want to present to the user)
    An associated Action Profile (tells the server how you want the form rendered...typically it is set to Default which uses the Render PDF Form process)
    The variable to hold your data(typically an xml variable)
    Make sure these are set.
    Diana

  • User Mmbrship Rules

    Hi All,
    While Creating User Mmbrship Rules in OIM 11g R2 , I can't see my custom UDF.
    Thanks

    Yeah, I have published the sandbox and added the UDF on the user profile, but I am still not able to see the UDF while creating a group membership rule.

  • "OIM Database Application Connector" is Recon the same user many times!

    Hey,
    I am facing an interesting issue that my OIM Database Application Connector is reconning (Creating) the same user many times.
    I have created/configured the "OIM DB Application Connector" which should Recon the new user in to OIM when ever new user created in the database via portal. I scheduled the connector every 15 min. The connector is working as expected and creating new OIM user if any new user has created in the DB table.
    Issue here is: I have created one user in the table which has reconed to OIM and I can see the entry in design console Recon Manager table. After 15 min when the connector is run it is picking up the same user. So it is picking the same user every time it runs! It stops picking the user after some time, but I don't have the exact time when it stops picking the user. But I could see the same user min 25+ times, and every time the status is EVENT LINKED. Any idea please why it is happening? My matching criteria is Time Stamp Attribute: "Updated_By_Sysate" & Unique Attribute = "User_ID".
    My Env:
    OIM Version: 9101
    Server : Weblogic
    DB : SQL Server 2005 (Source DB)
    Any idea please?
    thanks
    kln

    1) Yes, you should add in your resource object all fields that are defined in xel_data_source parameters of config.xml file.
    2) Correct. You have to create a user defined field in your form designer and map it to a column in your process definition (reconciliation field mapping tab).
    3) Reconciliation rule is the rule that OIM use to link Database users and OIM users. You need to create a recon rule using an attribute who has the same value in both systems. Also, you need to define this rule in your config.xml file (see how to configure reconcile tasks in connector documentation). So, this attribute used in your recon rule must be required because it will be used to create or link users. You can define any other fields as required, but if one of these required fields are not filled, you will receive a "Required Data Missing" error in your reconciliation manager event.
    4) Reconciliation is used to update OIM with changes made directly in your database table. To update your database table based on OIM changes, you must modify an user attribute in your UD_DBAPP user's form.
    Regards.

  • Reconciliation rules

    Hi all,
    I'm new to OIM and need your help with 2 requirements :
    1- We need to reconcile a list of users from a flat file to OIM but we don't want the newly created users to be provisioned to any resources. I was thinking to prevent provisioning using an access policy that will match all users . Is this the right approach? By the way, is it possible to delete an existing access policy?
    2- After reconciliation from the flat file is completed, we need to match the AD accounts to the reconciled accounts. The reconciliation rule is OIM login matches the username portion of AD mail attribute. How can we accomplish this?
    Thank you for your time

    I didn't say this, I am just removing the access policies from previous group and attach that access policy with any Dummy Group if you don't wanna use Access Policy at all?
    It would take a very long time to go through all 200 groups and remove the access policies from them. I will have to rebuild all groups with new membership rules, this is why I thought deleting all groups and membership rules will prevent provisioning. Would that be OK?
    Yes I agree with your point but your requirement is something special. You can go for Transformation Class. But before that explain your use case with some example, we may suggest something different.
    We need to use target resource reconciliation from AD to the newly created accounts that are reconciled from flat file. The user id in the flat file doesn't match AD attributes cn or sAMAccountName.
    For example,
    flat file userid: stewiegriffin
    AD cn: stewieg
    AD sAMAccountName: stewiegr
    AD mail: [email protected]
    so we need to match flat file userid (OIM login) with the username portion of the mail attribute
    Is creating a transformation class the best way?
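
The matching rule asked about above (OIM login equals the username portion of the AD mail attribute), modelled outside OIM as an added example that is not part of the original thread and does not use any OIM or connector API. The sample data is constructed, and case-insensitive comparison and the refusal to auto-link duplicate matches are assumptions of this sketch.

```python
"""Offline model of the matching rule: OIM login == local part of AD mail."""
from collections import defaultdict

# Constructed sample data (example.com is a placeholder domain).
OIM_LOGINS = ["stewiegriffin", "jdoe", "asmith"]
AD_ACCOUNTS = [
    {"sAMAccountName": "stewiegr", "mail": "StewieGriffin@example.com"},
    {"sAMAccountName": "jdoe1", "mail": "jdoe@example.com"},
    {"sAMAccountName": "jdoe-adm", "mail": "jdoe@example.com"},
    {"sAMAccountName": "svc_backup", "mail": None},
    {"sAMAccountName": "asmith2", "mail": "a.smith@example.com"},
]


def mail_local_part(mail):
    """Return the lower-cased part before '@', or None if the value is unusable."""
    if not mail:
        return None
    local, sep, domain = mail.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return local.lower()


def match_accounts(oim_logins, ad_accounts):
    """Classify AD accounts against OIM logins.

    Returns (linked, ambiguous, unmatched):
      linked    - {oim_login: sAMAccountName} where exactly one account matched
      ambiguous - {oim_login: [sAMAccountName, ...]} where several matched;
                  these are left for manual review instead of being auto-linked
      unmatched - [sAMAccountName, ...] with no usable mail or no matching login
    """
    # Assumption: logins are compared case-insensitively.
    known = {login.lower(): login for login in oim_logins}
    candidates = defaultdict(list)
    unmatched = []
    for acct in ad_accounts:
        key = mail_local_part(acct.get("mail"))
        if key in known:
            candidates[known[key]].append(acct["sAMAccountName"])
        else:
            unmatched.append(acct["sAMAccountName"])
    linked = {l: names[0] for l, names in candidates.items() if len(names) == 1}
    ambiguous = {l: sorted(names) for l, names in candidates.items() if len(names) > 1}
    return linked, ambiguous, unmatched


if __name__ == "__main__":
    linked, ambiguous, unmatched = match_accounts(OIM_LOGINS, AD_ACCOUNTS)
    print("linked:   ", linked)
    print("ambiguous:", ambiguous)
    print("unmatched:", unmatched)
```

Running a check like this over an AD export before enabling the rule shows how many accounts would be linked to the wrong identity or left orphaned, which matters because a wrong link hands one person's access to another.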

  • PeopleSoft ER unable to recon from Flat File

    I am trying to do a Flat File recon, I am able to create user using "create user" in reconciliation manager. But I am not able to update any user.
    My logs has this error
    ERROR [ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)' XELLERATE.SERVER - Class/Method: tcUSR/verifyUserLogin Error :User Loginid is duplicate.
    ERROR [ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)' XELLERATE.SERVER - Class/Method: tcUSR/eventPreInsert Error :User login is not correct.
    ERROR [ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)' XELLERATE.SERVER - Class/Method: tcDataObj/save Error :Wrong SQL operation for save
    ERROR [ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)' XELLERATE.DATABASE - Class/Method: tcDataBase/rollbackTransaction encounter some problems: Rollback Executed From
    java.lang.Exception: Rollback Executed From
         at com.thortech.xl.dataaccess.tcDataBase.rollbackTransaction(Unknown Source)
         at com.thortech.xl.dataobj.tcDataObj.rollback(Unknown Source)
         at com.thortech.xl.dataobj.tcDataObj.doRollback(Unknown Source)
         at com.thortech.xl.dataobj.tcDataObj.save(Unknown Source)
         at com.thortech.xl.dataobj.tcTableDataObj.save(Unknown Source)
         at com.thortech.xl.dataobj.tcRCE.createUserRecord(Unknown Source)
         at com.thortech.xl.ejb.databeansimpl.tcRCEBean.createUserRecord(Unknown Source)
         at com.thortech.xl.ejb.beans.tcRCE_4tknfu_EOImpl.createUserRecord(tcRCE_4tknfu_EOImpl.java:547)
         at com.thortech.xl.ejb.beans.tcRCE_4tknfu_EOImpl_WLSkel.invoke(Unknown Source)
         at weblogic.rmi.internal.activation.ActivatableServerRef.invoke(ActivatableServerRef.java:85)
         at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:477)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
         at weblogic.security.service.SecurityManager.runAs(Unknown Source)
         at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:473)
         at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:118)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)

    Those are the 'Reconciliation ACTION Rules', not the the 'Reconciliation Rules'. Yes, it is confusing, I agree.
    A reconciliation rule tells OIM HOW to match users. You can set up one in 'Design Console' --> Development Tools --> Reconciliation Rules

  • OIM 9.1.02 Reconciliation Rule Priorities

    Hi All,
    Is there a way to set priorities on the reconciliation matching rules?
    e.g.
    If Rule 1 and Rule 2 match to users, I'd like to make OIM use Rule 1 without manual intervention.
    Thanks,
    Sg

    You are correct. If you pre-populate, it will be the requester. The requester would need to manually populate the field during the request with the requestee information. And there is only one form available. You can however, after submission of the request, get the request data, parse the Consolidated Request Data to determine the id's in the request field, and then return appropriate responses to trigger the tasks needed. This will still be a problem in the long run because you can't change the requestee information for each approval task. You're pretty much out of luck on this one.
    -Kevin

  • How to populate OIM Rules automatically ?

    Hello experts,
    We have a requirement to populate set of values from a flat file to OIM Rule in 11g. Is there any API to do that operation ?
    Consider flat file has some 100 records of "jobCode" as follows
    123
    456
    789
    We need to create a single OIM rule called "Rule for X" which should have following OR conditions
    jobCode == 123
    jobCode == 456
    jobCode == 789
    jobCode == .....
    jobCode == .....
    Your input at the earliest would be helpful.
    Thanks in advance

    In my 5+ years of working with OIM, never have we decided to use APIs to create rules or access policies. These should be defined items within your system, and not generated on the fly. Each policy will need the appropriate test cases in place to ensure your functionality all works, so it's not like you would be creating a new policy without ever testing it.
    What we have done is created XML templates during our development process that we knew would be duplicated, so we had a script that would generate a new xml file with the new information provided. You need to look at what pieces are common across your policies and create your templates around these. Then provide the input for the others. For example, if you know you have multiple child table entries in your policy, you need to make sure you generate the section of the XML file for each new entry. You will probably need different templates for different objects because they will have different field names within your xml file for the process form they are tied to.
    Another option, within 11g, is to use the connector lifecycle functionality and define a new xml file as a connector, and then test using the clone piece to generate a new xml with new objects in it. I've never tried this for access policies, but it works for resource workflows.
    You're going to have to be creative and think about what solution works best for you. You'll need to play around with the code and figure out which one you can do and manage.
    -Kevin
