Service Account in OIM

Hi,
Can anyone give me an overview of service accounts in OIM: how we manage a service account and how we can use it?
Regards
Alabhya Goel

Hi,
You can find these APIs in UserOperation.
provisionObject(long plUserKey, long plObjectKey, boolean pbServiceAccount)
Here you can specify if you are going to provision a service account.
changeToServiceAccount(long plObjectInstanceForUserKey)
Changes a regular account to a service account.
changeFromServiceAccount(long plObjectInstanceForUserKey)
Changes a service account to a regular account.
A service account is basically a generic account on the target system, for example a help desk account or an admin account; you never want this account to be deleted. The advantage of marking an account as a service account is that whenever the user gets disabled or revoked, the account on the target system does not get disabled or revoked, but you can transfer/link this service account to some other user.
Let me know if you need more info.
Regards
Nitesh
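The transfer-before-revoke behaviour described above is what a leaver routine has to rely on. The following is an added example (not code from this thread and not Oracle's own sample): it reads the departing user's accounts from the OIU table with bound parameters, moves every account flagged as a service account to a successor with `tcUserOperationsIntf.moveServiceAccount`, and only then disables the user, so the shared target-system account is never orphaned or revoked along with its owner. It assumes it runs inside the OIM 11g server (adapter or event handler), where `Platform.getService` and the operational datasource are available, that the OIU table carries an `OIU_SERVICEACCOUNT` column holding '1' for service accounts, and that `moveServiceAccount` takes `(oiuKey, newUsrKey)`; the key values are caller-supplied placeholders.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.ArrayList;
import java.util.List;

import Thor.API.Operations.tcUserOperationsIntf;
import oracle.iam.platform.Platform;

/**
 * Added example, not code from the thread: offboard a user while keeping
 * the service accounts linked to that user alive under a new owner.
 * Assumptions: runs server-side in OIM 11g; OIU has an OIU_SERVICEACCOUNT
 * column ('1' = service account); moveServiceAccount(oiuKey, newUsrKey).
 */
public class ServiceAccountOffboarding {

    /** One provisioned account of a user: its oiu_key and its service-account flag. */
    static final class Account {
        final long oiuKey;
        final boolean serviceAccount;

        Account(long oiuKey, boolean serviceAccount) {
            this.oiuKey = oiuKey;
            this.serviceAccount = serviceAccount;
        }
    }

    /** Read the user's provisioned accounts straight from OIU, with a bound parameter (no string concatenation). */
    static List<Account> accountsOf(long usrKey) throws Exception {
        List<Account> out = new ArrayList<>();
        String sql = "select oiu_key, oiu_serviceaccount from oiu where usr_key = ?";
        try (Connection con = Platform.getOperationalDS().getConnection();
             PreparedStatement st = con.prepareStatement(sql)) {
            st.setLong(1, usrKey);
            try (ResultSet rs = st.executeQuery()) {
                while (rs.next()) {
                    // Assumption: '1' marks a service account in OIU_SERVICEACCOUNT
                    boolean isSa = "1".equals(rs.getString("oiu_serviceaccount"));
                    out.add(new Account(rs.getLong("oiu_key"), isSa));
                }
            }
        }
        return out;
    }

    /**
     * Move every service account of the leaver to the successor, then disable
     * the leaver. Regular accounts follow the user's lifecycle as usual;
     * service accounts keep running, now linked to the new owner.
     * Returns the number of service accounts that were transferred.
     */
    static int offboard(long leaverUsrKey, long successorUsrKey) throws Exception {
        tcUserOperationsIntf userOps = Platform.getService(tcUserOperationsIntf.class);
        int moved = 0;
        for (Account a : accountsOf(leaverUsrKey)) {
            if (a.serviceAccount) {
                // Re-link the service account (by oiu_key) to its new owner first
                userOps.moveServiceAccount(a.oiuKey, successorUsrKey);
                moved++;
            }
        }
        // Only now disable the user: this touches the regular accounts only
        userOps.disableUser(leaverUsrKey);
        return moved;
    }
}
```

Call `ServiceAccountOffboarding.offboard(leaverUsrKey, successorUsrKey)` from the adapter or handler that implements your leaver process; the returned count is worth writing to the audit log so a reviewer can see how many shared accounts changed hands.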

Similar Messages

  • OIM service accounts

    Hi,
    How can I mark an OIM account as a service account? Documents say that service accounts are distinguished from regular accounts by an internal flag. What is that flag? Where will it reflect that an account is a service account?

    Hi,
    I have several OID User instances for an OIM user. Now I have to determine which instance I need to convert to a service account and move to another user. For that the deciding attribute is cn, which is in the process form, hence in the table ud_oid_usr. So I am retrieving orc_key such that ud_oid_usr_cn=attributeName (the parameter being passed), and from this orc_key I am retrieving the value obi_key such that obi.orc_key=ud_oid_usr.orc_key.
    But when I print obi_key, orc_key from obi, orc_key is coming out to be null. Why is it so, even if I have several instances of OID user?
    How can I retrieve the value of the object instance key, based on an attribute value present in the ud_oid_usr table?

  • How OIM identifies an account as a service account while doing recon

    Hi,
    Can anybody tell me how OIM identifies an account as a service account while doing reconciliation?
    I have the matching criteria for the scheduled task to identify service accounts. After doing the recon, I want to link with the OIM identity showing it as a service account under the resource tab. How can I do this?

    Thank you so much Kevin. I want to check whether the recon insert is of a system account (AD) and if yes, I need to mark the account as a system account.
    I could see only the "tcServiceAccountActivate" event handler available in the recon insert task. I am working in OIM 11g. Will this event handler be useful in any way to perform my job? If not, please throw some light on how to achieve this. I am new to OIM.
    Also I want to know whether OIM identifies Admin Accounts. I have lots of Admin accounts in AD which I need to associate with an OIM profile.

  • OIM 11g - Error Creating Custom 'Service Account' Field

    Hi experts,
    we would like to create a custom "Service Account" checkbox on a provisioning form, in order to enable/disable the 'service account'
    status on a target account.
    We want to control the 'Service Account' status through a checkbox in the account form.
    Here our steps:
    - Create a new Field on 'UD_ADUSER' Form, we add a 'Service Account' CheckBox as boolean type with default value = 0.
    - Create a new Adapter 'Service Account':
    ---- into 'Variable List' tab we define 2 variables: ProcessInstance -> Long and ServiceAccountCheckBox -> boolean
    ---- into 'Adapter Task' tab we define an IF(ServiceAccountCheckbox == 1) launch tcUserOperationsIntf.changeToServiceAccount method, with our variable 'ProcessInstance' as Input
    - Create a new task into 'Process Definition', we created 'Service Account Updated'.
    ---- into task tab named 'Integration' we set our custom adapter, mapping Process Data > Process Instance and Process Data > Service Account with adapter variables.
    When we assign an 'AD User' resource to a user, the new checkbox 'Service Account' is shown in the form.
    If we check/uncheck the checkbox the task 'Service Account Updated' is launched, but the response is "*Specified User Account Not Found*"
    I think that the problem is in the adapter.
    Can anyone help us?
    Best Regards
    AT

    As I said, map user key (usr_key) and process instance key (orc_key) from Design Console
    and use the query below to get oiu_key:
    import java.sql.Connection;
    import java.sql.PreparedStatement;
    import java.sql.ResultSet;
    import oracle.iam.platform.Platform;

    long prockey = <PROCESS_INSTANCE_KEY>;   // orc_key mapped from Process Data > Process Instance
    long userKey = <USR_KEY>;                // usr_key of the account owner
    // Bind both keys as parameters instead of pasting them into the SQL text
    String sqlquery = "select oiu_key from oiu where orc_key = ? and usr_key = ?";
    Connection con = Platform.getOperationalDS().getConnection();
    PreparedStatement st = con.prepareStatement(sqlquery);
    st.setLong(1, prockey);
    st.setLong(2, userKey);
    ResultSet rs = st.executeQuery();
    long oiuKey = -1;                        // stays -1 if no account row matches
    while (rs.next()) {
        oiuKey = rs.getLong("oiu_key");
    }
    rs.close(); st.close(); con.close();
    Now pass this key to the method.

  • Getting Error While accessing Accounts from oim

    Hi All,
    I am getting an exception while accessing user accounts from OIM through JDeveloper (I'm giving UserId as input).
    Exception:
    avax.ejb.EJBAccessException: [EJB:010160]Security Violation: User: '<anonymous>' has insufficient permission to access EJB: type=<ejb>, application=oim#11.1.2.0.0, module=iam-ejb.jar, ejb=ProvisioningService, method=getAccountsProvisionedToUserx, methodInterface=Remote, signature={java.lang.String,java.lang.String}.
         at weblogic.ejb.container.internal.MethodDescriptor.checkMethodPermissionsBusiness(MethodDescriptor.java:581)
         at weblogic.ejb.container.internal.BaseRemoteObject.checkMethodPermissions(BaseRemoteObject.java:111)
         at weblogic.ejb.container.internal.BaseRemoteObject.preInvoke(BaseRemoteObject.java:274)
         at weblogic.ejb.container.internal.StatelessRemoteObject.__WL_preInvoke(StatelessRemoteObject.java:41)
         at weblogic.ejb.container.internal.SessionRemoteMethodInvoker.invoke(SessionRemoteMethodInvoker.java:24)
         at oracle.iam.provisioning.api.ProvisioningService_p7m7x_ProvisioningServiceRemoteImpl.getAccountsProvisionedToUserx(Unknown Source)
         at oracle.iam.provisioning.api.ProvisioningService_p7m7x_ProvisioningServiceRemoteImpl_WLSkel.invoke(Unknown Source)
         at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:667)
         at weblogic.rmi.cluster.ClusterableServerRef.invoke(ClusterableServerRef.java:230)
         at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:522)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
         at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:518)
         at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:118)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
    Process exited with exit code 0.

    Which user are you using for creating connection with OIM ?
    Which method are you using to create connection with OIM ?
    Re: OIMClient login throwing AuthenticationException execption (FOR R2)

  • Service Account Management through Request Templates

    Hi,
    I am trying to implement Service Account lifecycle use cases (Create, Modify, Delete) on 2 resources (AD User, iPlanet User) through Request Templates. In this case the OOTB tasks - Service Account Alert, Service Account Changed, Service Account Moved - with resource-specific process definitions do not get triggered, as I am initiating the process through Request Templates.
    I want to trigger a post-process EventHandler upon triggering any of these events. So, I created a metadata xml file as follows and imported it into MDS.
    -----------------EventHandler Metadata file------------------------
    <?xml version='1.0' encoding='utf-8'?>
    <eventhandlers>
    <action-handler class="com.wipro.sdf.iam.oim.plugin.ServiceAccountCreationEventHandler" entity-type="Resource" operation="PROVISION" name="ServiceAccountCreateEventHandler" stage="postprocess" order="1021" sync="TRUE"/>
    </eventhandlers>
    ----------------------------XXX----------------------------------------------
    When I trigger the create event of an SA on any of the resources, the EventHandler is invoked, and in the execute() method the Orchestration is giving the following data:
    {UD_IPNT_USR_LAST_NAME=TestTwo, BENEFICIARYKEY=798, UD_IPNT_USR_COMMON_NAME=SA Test Two, *ResourceKey*=12, serviceaccount=true, UD_IPNT_USR_SA_ADMIN=USER16TE, UD_IPNT_USR_USERID=SATEST2, UD_IPNT_USR_FIRST_NAME=SAccount}
    My EventHandler has to do some actions on the target resource (AD / iPlanet), so I would like to get resource connection details like IP, port, admin login details etc.
    To fetch those details, I am using the ResourceKey that is coming from the Orchestration.
    When I use the following code to find the resource details based on the key, it's throwing a resource not found exception.
    -----------------------Code from execute() of EventHandler----------------------
    String resKey = getParamaterValue(parameters, "ResourceKey");
    tcITResourceInstanceOperationsIntf resInsObj = Platform.getService(tcITResourceInstanceOperationsIntf.class);
    //Get Resource Details based on Resource Key
    HashMap searchMap= new HashMap();
    searchMap.put(Constants.IT_RESOURCE_KEY, resKey);
    logger.debug(methodName+" - IT Resouece Search Map is : "+searchMap);
    tcResultSet resultSet = resInsObj.findITResourceInstances(searchMap);
    -------------------------------End of code ------------------------------------------------
    I tried finding for the table which stores all IT Resource connection details. But no luck.
    Now my questions are:
    1. Which table stores all IT Resource Information that can be seen from Design Console -> Resource Management -> IT Resource Type Definition - > Resource?
    2. Which table stores Resource Key and Name details?
    3. When we query for records from any form in Design Console, where exactly do the logs get recorded? (As it queries the DB to fetch information, there should be some file like a DB tracer log etc.)
    Could somebody please answer these questions and give some hint to implement SA management through Req Templates?
    Thank you in advance,
    Mounika

    Hi kevin,
    thanks for reply.
    I am thinking that, even though OIM 11g is developed in ADF, some parts of the code are in Struts only, like xlWebApp.war.
    I have seen the source code of the xlWebApp.war folder that is there in OIM 11g.
    It seems to be developed in Struts only.
    Is there any ADF interaction in that?
    I have written a hello world program in Struts; that is working fine.
    I have done that: for the ADUser resource popup I added a button "serviceaccount for this resource"; when I click that, one JSP page will come.
    So I am thinking that there is some other reason for it not working.
    Can you please tell me the reason?

  • Reconciliation: Manually link not matched accounts to OIM users

    Hi all,
    Is it possible to manually link a reconciled account to an OIM user?
    When the reconciliation process is finished, in the reconciliation manager there are a few accounts that are not matched (to OIM users). This is because they are "service accounts" or resource "administrative accounts", and the user ID of the reconciled account is not equal to any existing OIM user (Xellerate users).
    In that case, we want to manually link those accounts to an administrator (OIM user). So, when listing the resource profile of that user, those accounts are shown as provisioned.
    For now, we are trying to achieve only that, not any service account behaviour (that will be the next goal).
    Regards.
    Edited by: user643044 on Feb 3, 2009 9:12 AM

    Thank you.
    We have solved it in the following way:
    1.- RO: create a "dummy" recon field.
    2.- Recon Connector (java code): create a field (uid_to_map), but not added to the hashmap. So, this field is added to the reconciliation event as "unprocessed".
    3.- Create a Recon Rule, to map OIM "User Id" -> RO "dummy"
    4.- Perform reconciliation.
    5.- Edit the reconciliation event. Edit the unprocessed field "uid_to_map", linking it with "dummy" recon field, and introducing the OIM user ID of the OIM user we want to link to.
    6.- Re-apply the matching rule.
    So, the account is linked to the user.
    Maybe it could help somebody who needs the same functionality.

  • Service account provisioning

    Hi all,
    I have read in the documentation (Design Client) that the OIM connector provides a different provisioning process for service accounts (there are altogether separate tasks for these accounts under the process definition) and normal accounts for each target resource. Could anyone please explain to me how to process service account provisioning (if there is any difference), as there is no documentation describing the underlying process?

    Hi ,
    I am having the same concern. I want to implement service account management through OIM; the OOB AD connector provides by default tasks to handle the service account scenario. Please provide suggestions regarding the implementation of service account provisioning; if there is any document related to it, it will be quite helpful.
    Thanks
    Edited by: user8634889 on Sep 15, 2009 11:09 PM

  • Service accounts - custom attributes

    Hi,
    We want to manage service accounts for different platforms in OIM. I'm aware that OIM can flag accounts as service accounts. We have some custom attributes that we want to store in OIM as a part of service accounts. These attributes come from a different source than the resource on which the service account exists. So the idea is to use OIM to store that additional information and act as the authoritative source. This information should not be provisioned to the actual service account on the target resource. It should reside just on the OIM side. Is it possible to do this in OIM? Any information on how to achieve this is highly appreciated.
    Thanks,
    Gattoo

    Hi Gattoo,
    If you are using a custom connector, it is your decision which attributes are sent to target system, which are not.
    Eventually, a service account is represented by a resource object and in the process definition you attach the adapters that creates or updates the target system account.
    If I am not misunderstanding the question, you are able to store additional information in the process form and not to send them to target system.
    Regards,
    Ece

  • Service accounts are getting revoked when user/account gets revoked

    Hi,
    Service accounts are getting revoked in OIM 11g while revoking the associated user, or even when revoking the account at resource level, which should not happen as mentioned in the developer's guide.
    It is cancelling all the provisioning tasks. Please let me know what I need to check for this.

    Kevin,
    I used the changeToServiceAccount API method to change the account type to service. It updates the IsServiceAccount flag as Yes in the UI. But in the DB, it's showing a null value for "UD_ADUSER_SERVICEACCOUNT".
    But I was able to use the moveServiceAccount API to move it to another user, too.
    Please let me know why the value in the DB is not getting updated for "UD_ADUSER_SERVICEACCOUNT".
    Is this the attribute to be checked at DB level, or did you mean something else?

  • How to add a service account in SQL Server to display the "Service Account Name" and "Display Name"

    Can someone help with steps on how to add the following in SQL Server 2012 environments?
    "Service Account Name" and "Display Name"
    Your help will be greatly appreciated.
    leonie6214

    Hello,
    Is the following article what you are looking for?
    http://msdn.microsoft.com/en-us/library/ms345578.aspx
    If not, could you explain a little bit more what you want to accomplish?
    Hope this helps.
    Regards,
    Alberto Morillo
    SQLCoffee.com

  • EWS API - Impersonating to update a calendar item created by any other user than a service account, raise an error "Access is denied. Check credentials and try again."

    Hi,
    I am new to using EWS managed APIs.
    Following is the issue:
    1. I am using a service account e.g. [email protected]. This user is a global administrator and also has ApplicationImpersonation role assigned. (Sign into Online Office 365 account -> Admin -> select "Exchange" tab- > select Permissions
    on the left panel -> create an impersonation role -> assign ApplicationImpersonation in Roles: and [email protected] in Members: -> Click on save)
    2. Create a calendar item by other user for e.g. [email protected], and invite an attendee - [email protected].
    3. In a c# program, I connect to EWS service using a service account - [email protected], fetch its calendar events. If organizer of an event is some other user - [email protected] then
    I use impersonation in the following way to update the calendar event/item properties- subject, body text etc.
            private static void Impersonate(string organizer)
            {
                string impersonatedUserSMTPAddress = organizer;
                ImpersonatedUserId impersonatedUserId =
                    new ImpersonatedUserId(ConnectingIdType.SmtpAddress, impersonatedUserSMTPAddress);
                service.ImpersonatedUserId = impersonatedUserId;
            }
    4. It was working fine till yesterday afternoon. Suddenly, it started throwing an exception "Access is denied. Check credentials and try again." whenever I try to update that event.
            private static void FindAndUpdate(ExchangeService service)
            {
                CalendarView cv = new CalendarView(DateTime.Now, DateTime.Now.AddDays(30));
                cv.MaxItemsReturned = 25;
                try
                {
                    FindItemsResults<Item> masterResults = service.FindItems(WellKnownFolderName.Calendar, cv);
                    // Iterate as Item: a non-Appointment result would otherwise fail the cast before the type check
                    foreach (Item item in masterResults.Items)
                    {
                        if (item is Appointment)
                        {
                            Appointment masterItem = item as Appointment;
                            if (!masterRecurEventIDs.Contains(masterItem.ICalUid.ToString()))
                            {
                                masterItem.Load();
                                if (!masterItem.Subject.Contains(" (Updated content)"))
                                {
                                    // impersonate organizer to update and save for further use
                                    Impersonate(masterItem.Organizer.Address.ToString());
                                    // Update the subject and body
                                    masterItem.Subject = masterItem.Subject + " (Updated content)";
                                    string currentBodyType = masterItem.Body.BodyType.ToString();
                                    masterItem.Body = masterItem.Body.Text + "\nUpdated Body Info:\nxxxxxxxxxxxx";
                                    // This results in an UpdateItem operation call to EWS.
                                    masterItem.Update(ConflictResolutionMode.AutoResolve);
                                    // Send updated notification to organizer of an appointment
                                    CreateAndSendEmail(masterItem.Organizer.Address.ToString(), masterItem.Subject);
                                    masterRecurEventIDs.Add(masterItem.ICalUid.ToString());
                                }
                                else
                                {
                                    Console.WriteLine("Event is already updated. No need to update again.:\r\n");
                                    Console.WriteLine("Subject: " + masterItem.Subject);
                                    Console.WriteLine("Description: " + masterItem.Body.Text);
                                }
                            }
                        }
                    }
                }
                catch (Exception ex)
                {
                    Console.WriteLine("Error: " + ex.Message);
                }
            }
    5. What could be the issue here? Initially I thought maybe it's a throttling policy which is stopping the same user after it makes a certain number of API calls for the day, but I am still seeing this issue today.
    Any help is appreciated.
    Thanks

    Your logic doesn't sound correct here, e.g.
    2. Create a calendar item by other user for e.g. [email protected], and invite an attendee - [email protected]
    3. In a c# program, I connect to EWS service using a service account - [email protected], fetch its calendar events. If organizer of an event is some other user - [email protected] then
    I use impersonation in the following way to update the calendar event/item properties- subject, body text etc.
    When you're connecting to the [email protected] mailbox, the only user that can make changes to items within
    abc's calendar is abc (or abc's delegates). If you're impersonating the organizer of the appointment, pqr, that wouldn't work unless the organizer had rights to abc's calendar. If you want to make updates to a calendar
    appointment like that, you should connect to the organizer's mailbox first, update the original, send updates and then accept the updates.
    When you impersonate, you're impersonating the security context of the mailbox you're impersonating, so it's the same as logging on as that user in OWA or Outlook.
    Cheers
    Glen

  • Service accounts for the Workspace Database service permission Error while creating Tabular Mode from PowerPivot

    Hi All,
    Please help me out with this issue. I have spent so much time (3 working days) just figuring out what the issue is and its solution.
    I am learning Tabular Mode and trying to create a model based on a PowerPivot model. I am getting the following error message:
    'The PowerPivot workbook could not be imported. The service account for the workspace database server does not have permission to read from the PowerPivot workbook.'
    Here is my infrastructure:
    1. SSAS in Tabular Mode is installed on my Windows 8 Laptop
    2. PowerPivot is also in my laptop
    3. There is only my account (as Admin of course) for SSAS
    Here are my questions:
    1. What is this error and how can I cope with that? A step by step explanation would be highly appreciated :-)
    2. Do I need to change something in Windows settings or in SSAS?
    3. I am confused about my workspace database server as well, Do I have to install SSAS twice; one for development and one for workspace?
    Looking forward to the expert advice.
    Tahir
    Thanks, TA

    Hi,
    I suspect you might have more luck if you try the SSAS forum: http://social.msdn.microsoft.com/Forums/sqlserver/en-US/home?forum=sqlanalysisservices
    Regards
    Jamie
    ObjectStorageHelper<T> – A WinRT utility for Windows 8 | http://sqlblog.com/blogs/jamie_thomson/ | @jamiet | About me

  • SQL server agent job running as Agent Service Account whose service account does not have r/w access but is still able to write?

    Hi. I am new to SQL Server security and am reviewing some of our SQL Server's configuration to make sure the services are running under accounts with least privilege.  I have a SQL Server 2012 instance whose Agent service is configured to run
    under an AD user account named 'SQLServices'.  The jobs on this server are configured to run as 'SQL Server Agent service account', which means they should execute as user 'SQLServices'.  The jobs are set up to execute SSIS packages which read and
    write to a database on the same server where the agent job is scheduled and the SSIS package installed (all on the same server).  The jobs are currently executing without error and are reading and writing data correctly.  Upon close examination, it turns out the
    SQLServices account is not assigned to the 'sysadmin' role and had no users mapped to any databases on this server.  How are these jobs working?  I verified in Profiler that the login name indeed is 'SqlServices'.  I also verified
    that the SQLServices login has no database access by remoting onto the server and trying to log into the DB, and access was denied as expected.  According to the literature, the Agent service needs to be a member of the 'sysadmin' role, but I am reading
    some cases where that is not necessarily the case.  So this is not so concerning.  What is concerning is that the login 'SQLServices' had no access to the databases on that server yet it is reading and writing to the databases as if it does.
    The only thing I can think of is that maybe jobs run as 'SQL Server Agent service account' on the same server as the databases they read/write to somehow have some kind of default access.  What am I missing here?  Any input would be helpful.

    After 2 days on this forum I found the answer to my own question.  In retrospect, I should have posted this under 'SQL Server Security', but I didn't know it existed.
    The 2 threads below explain that Sql agent actually runs using SID (service) NT SERVICE\SQLSERVERAGENT if you chose that when you installed.  This will automatically create an associated login NT SERVICE\SQLSERVERAGENT in SQL server with sqladmin
    role.  This is the login that Agent uses to connect to the local instance of SQL server.  If you changed to domain account to run the service during install or after using config manager, basically NT SERVICE\SQLSERVERAGENT is still
    used to connect to your local instance behind the scenes (even though you will still see your domain user as account), and the domain account is used to reach outside the server. 
    https://social.msdn.microsoft.com/Forums/sqlserver/en-US/9e6bb2de-8fd0-45de-ab02-d59bbe05f72e/servicedatabase-accounts-nt-servicemssqlserver-nt-servicesqlserveragent-what-are-they-for
    https://social.technet.microsoft.com/Forums/sqlserver/en-US/b83a52fd-fe11-4c28-a27b-88be8ae79f2a/how-do-i-change-sql-server-agent-service-account-to-nt-servicesqlserveragent?forum=sqlsecurity

  • Error occurred while accessing application id Excel services application unattended service account from secure store service

    Hi,
    I followed the book "Professional SharePoint 2013 Administration" to build SharePoint 2013 BI including Excel Services, and created the Secure Store service to save the user SP_Install as a member.
    For now, I can upload the worksheet and open it in the browser, but when I try to refresh it, SP 2013 shows the error "Error occurred while accessing application id Excel services application unattended service account from secure store service".
    Can anybody help? And do I need to turn on C2WTS?
    Thanks
    James Liang

    Hi James,
    Excel Services can be used with Secure Store in three primary scenarios:
    Unattended Service Account
    Embedded Connections
    External Data Connections
    If you haven't configured the unattended service account yet, you could refer to the article below:
    http://technet.microsoft.com/en-us/library/hh525344(v=office.15).aspx
    More information:
    http://technet.microsoft.com/en-us/library/ff191191(v=office.15).aspx
    Regards,
    Rebecca Tu
    TechNet Community Support
