Service accounts - custom attributes
Hi,
We want to manage service accounts for different platforms in OIM. I'm aware that OIM can flag accounts as service accounts. We have some custom attributes that we want to store in OIM as a part of service accounts. These attributes come from a different source than the resource on which the service account exists. So the idea is to use OIM to store that additional information and act as the authoritative source. This information should not be provisioned to the actual service account on the target resource; it should reside just on the OIM side. Is it possible to do this in OIM? Any information on how to achieve this is highly appreciated.
Thanks,
Gattoo
Hi Gattoo,
If you are using a custom connector, it is your decision which attributes are sent to the target system and which are not.
Eventually, a service account is represented by a resource object, and in the process definition you attach the adapters that create or update the target system account.
If I am not misunderstanding the question, you are able to store additional information in the process form and not send it to the target system.
Regards,
Ece
Similar Messages
-
Custom attributes in Service Registry
Hi!
Is it possible to use custom attributes in Service Registry?
And if Yes, where can these attributes be displayed in Business Service Control or Registry Control?
Thanks
Hi,
Please see the below link. This might help you.
http://weblogs.sdn.sap.com/cs/blank/view/wlg/20379
http://wiki.sdn.sap.com/wiki/display/BPX/Chapter+3
Thanks and regards,
SNJY -
OIM 11g - Error Creating Custom 'Service Account' Field
Hi experts,
we would like to create a custom "Service Account" checkbox on a provisioning form, in order to enable/disable the 'service account' status on a target account.
We want to control the 'Service Account' status through a checkbox in the account form.
Here our steps:
- Create a new field on the 'UD_ADUSER' form: we added a 'Service Account' checkbox of boolean type with default value = 0.
- Create a new adapter 'Service Account':
---- in the 'Variable List' tab we define 2 variables: ProcessInstance -> Long and ServiceAccountCheckBox -> boolean
---- in the 'Adapter Task' tab we define an IF (ServiceAccountCheckbox == 1) that launches the tcUserOperationsIntf.changeToServiceAccount method, with our variable 'ProcessInstance' as input
- Create a new task in the 'Process Definition'; we created 'Service Account Updated'.
---- in the task tab named 'Integration' we set our custom adapter, mapping Process Data > Process Instance and Process Data > Service Account to the adapter variables.
When we assign an 'AD User' resource to a user, the new checkbox 'Service Account' is shown in the form.
If we check/uncheck the checkbox, the task 'Service Account Updated' is launched, but the response is "Specified User Account Not Found".
I think that the problem is in the adapter.
Can anyone help us?
Best Regards
AT
As I said, map the user key (usr_key) and process instance key (orc_key) from the Design Console
and use the query below to get oiu_key:
// Values mapped from the process form in Design Console: process instance key (orc_key) and user key (usr_key)
long prockey = <PROCESS_INSTANCE_KEY>;
long userKey = <USR_KEY>;
// Bind the keys as parameters instead of pasting variable names into the SQL text
String sqlQuery = "select oiu_key from oiu where orc_key = ? and usr_key = ?";
Connection con = Platform.getOperationalDS().getConnection();
PreparedStatement st = con.prepareStatement(sqlQuery);
st.setLong(1, prockey);
st.setLong(2, userKey);
ResultSet rs = st.executeQuery();
long oiuKey = 0;
while (rs.next()) {
    oiuKey = rs.getLong("oiu_key");
}
rs.close();
st.close();
con.close();
Now pass this key to the method. -
Custom WS Policy with Service account in OSB while invoking a https service
Hi,
I need your help on one of my issues in invoking an https service from OSB. I read through various postings in this forum and tried the steps below:
- Added the certificate for the https site to the SOA domain
- Registered the https web service as a Business Service
- Registered a Proxy Service on top of this Business Service
- In the service callout on the Proxy Service I did a replace operation on the entire SOAP header with the string below
<soapenv:Header xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-4" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>sysuser@yahoo</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">ABIHAIKLPLKLPMLERLER</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
- After doing all the above steps my callout worked from the test console. If you look closely, the userid (sysuser@yahoo) and password (ABIHAIKLPLKLPMLERLER) are hard coded here.
I need a way to mask the credentials and have the user pass them when they invoke the proxy service. I read through some postings and it was stated that we can create a custom policy and attach that custom policy to the Business Service. But my problem here is that the userid has an extra character, @, so I wasn't able to create the user account with those credentials in OSB, but I was able to create the userid and password using a service account. I am not sure how I can use this service account along with the custom policy.
Can you please provide me a suitable approach which will solve my issue? I appreciate your time and help.
Thanks
Jagan.
Hi,
Below are the steps followed
- OSB Proxy service has 'oracle/wss_username_token_service_policy' attached to it.
- I am invoking this from BPEL. The BPEL process has 'oracle/wss_username_token_client_policy' attached.
- I can invoke the osb proxy from bpel by passing credentials - No Issues.
Now I need to put some authorization restriction to the proxy service, so only specific users can access that.
-I used Role=Admin as a policy condition restriction under security in Proxy service.
-Then I went to proxy test console and I added the 'oracle/wss_username_token_client_policy' credentials and weblogic/xxxxx at Transport section and I was able to invoke the process. Here weblogic has a Admin Role.
-I cannot invoke the same proxy service from BPEL in Jdeveloper now.
All I am trying to do is to protect my proxy by an authorization policy.
Thanks
Jagan. -
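The header posted above carries the password as PasswordText, which is why the credentials are readable in the message. As an added example (not from this thread, OSB or Oracle), the block below builds the same UsernameToken structure in the profile's PasswordDigest form and checks it server-side, refusing PasswordText tokens, replayed nonces and stale Created timestamps; sysuser@yahoo is the username from the posted header, while the password and nonces are constructed values.

```python
# Added example, not code from the original thread: the posted UsernameToken in the
# PasswordDigest form of the 1.0 profile, plus the server-side check. The username
# comes from the posted header; the password and nonces are constructed values.
import base64
import hashlib
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
TS = "%Y-%m-%dT%H:%M:%SZ"
for _prefix, _uri in (("soapenv", SOAPENV), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(_prefix, _uri)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_header(username, password, nonce=None, created=None) -> str:
    """Client side: the header carries a digest, never the password itself."""
    nonce = nonce or secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime(TS)
    header = ET.Element(f"{{{SOAPENV}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security", {f"{{{SOAPENV}}}mustUnderstand": "1"})
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken", {f"{{{WSU}}}Id": "UsernameToken-1"})
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": PROFILE + "#PasswordDigest"})
    pw.text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce", {"EncodingType": B64}).text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(header, encoding="unicode")


class UsernameTokenVerifier:
    """Server side: recompute the digest; refuse PasswordText, stale and replayed tokens."""
    def __init__(self, credentials, max_skew=timedelta(minutes=5)):
        self.credentials = credentials  # username -> password the service knows
        self.max_skew = max_skew        # how far a Created timestamp may be from now
        self.seen_nonces = set()        # replay cache; prune entries older than max_skew in production

    def verify(self, header_xml: str, now=None) -> bool:
        now = now or datetime.now(timezone.utc)
        tok = ET.fromstring(header_xml).find(f".//{{{WSSE}}}UsernameToken")
        if tok is None:
            return False
        username = tok.findtext(f"{{{WSSE}}}Username")
        nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        pw = tok.find(f"{{{WSSE}}}Password")
        # A PasswordText token like the one posted above is rejected outright
        if pw is None or pw.get("Type") != PROFILE + "#PasswordDigest" or not (username and nonce_b64 and created):
            return False
        try:
            created_dt = datetime.strptime(created, TS).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(nonce_b64, validate=True)
        except ValueError:
            return False
        if abs(now - created_dt) > self.max_skew or (username, nonce) in self.seen_nonces:
            return False
        expected = self.credentials.get(username)
        if expected is None or not secrets.compare_digest(pw.text or "", password_digest(nonce, created, expected)):
            return False
        self.seen_nonces.add((username, nonce))
        return True


def demo() -> dict:  # constructed walk-through, one outcome per check
    service = UsernameTokenVerifier({"sysuser@yahoo": "constructed-password"})
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    created = now.strftime(TS)
    fresh = build_header("sysuser@yahoo", "constructed-password", b"0123456789abcdef", created)
    wrong = build_header("sysuser@yahoo", "not-the-password", b"fedcba9876543210", created)
    stale = build_header("sysuser@yahoo", "constructed-password", b"aaaaaaaaaaaaaaaa", created)
    return {
        "fresh_accepted": service.verify(fresh, now),
        "replay_rejected": not service.verify(fresh, now),
        "wrong_password_rejected": not service.verify(wrong, now),
        "stale_rejected": not service.verify(stale, now + timedelta(minutes=10)),
    }
```

The replay cache and the Created window are what make the digest form safe to accept; without them a captured header could simply be resent.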
AD Import using Custom Attributes?
By default when you run AD import in UC, it fetches all AD domain accounts, which include service accounts and a lot of other stuff that one doesn't want to import.
So the choice is to search using a particular Base DN which queries only one OU.
But this simple query is not adequate in an organization which has a very complex and large OU structure, where users who need to be UC enabled are distributed among many separate OUs.
Is there some kind of filter or other method during AD import which can query users from AD based on security group membership or CustomAttributes? The best approach would be a CustomAttributes based query, because we already published CustomAttribute15 with the values "STAFF", "Faculty" and "Students".
The whole purpose we want to achieve is to exclude the STUDENTS category in the AD import. Help me friends to achieve this task.
Hi
You can edit the LDAP filter used by CCM; with that you could filter on your custom attributes. See this post for a discussion of a similar modification; it's just a matter of putting together a new LDAP filter string to return the results you want.
https://supportforums.cisco.com/message/3042759#3042759
Regards
Aaron
Please rate helpful posts... -
Hide Service Accounts in Outlook Calendar
Hello, we're using the "manager" attribute in AD to associate service accounts with their owner. In Outlook under Calendar this places those service accounts under the "Team: <MANAGER>" group. So in addition to actual team members under a manager, service accounts are also listed. Is there a way to hide those accounts so they aren't listed?
Thank you
I asked which attribute is more appropriate for that task. You did not answer that, nor give any answer on how to replicate what manager/directReport is doing.
Additionally, the original question was whether it was possible in Exchange to hide certain accounts so that they would not display as being on a team in Calendar. You sidestepped that question and said those accounts shouldn't be there to begin with, not how an account could be hidden or if that's even possible.
Finally, I have yet to argue with you. I've pointed out that your comments came off as rude to me. The doctor analogy did not add value nor represent this issue accurately. If that were a real doctor it would show a lack of empathy for the patient and a lack of interest in getting to the root of the problem. The comment on the AD team making a mistake also did not add value or answer either of the two parts of my question. They know what the manager attribute is for, but at the time chose not to modify the schema with a custom attribute, or perhaps they too do not know how to replicate the manager/directReport behavior. In any case, pointing out that they're wrong doesn't answer my question or show HOW to use an extension attribute to achieve this.
You're an MVP, a partner, and a consultant. You should be familiar with the Code of Conduct. Please be considerate and respectful: http://social.technet.microsoft.com/wiki/contents/articles/112.wiki-code-of-conduct.aspx
I'll attempt a more targeted question in the Directory Services forum to see if someone can walk me through the steps to get an extension attribute that will be appropriate for storing service owner type data. -
Issue with Sorting by Custom Attributes
In our custom SES query application, I am trying to implement sorting at the custom attribute level. I am having difficulty in understanding exactly how to set the options on doOracleOrganizedSearch() to achieve the desired result.
We have a table based content source and allow a user to search via custom search attribute. We are also going to allow them to sort by custom attribute.
For example, say we have a Project content source and one of the attributes is "Client Name". Users are going to be able to sort by client name (A-Z and Z-A). I have a prototype working but it only seems to work if I set topN to a very high number.
I want to bring back the first 10 documents sorted by Client Name A - Z and allowing paging to the next set of sorted results. My prototype works if I set topN to 1000 (more than the # of results) but does not work if I set it to 10 (# of results I want to display per page).
Below is my code. Note I am not setting the group attribute or the cluster list. Perhaps this is the issue?
Many thanks in advance!
OracleResultContainer results = service.doOracleOrganizedSearch
(this.m_query, // query
this.m_docsRequested, // topN
this.m_startIndex, // startIndex
new Integer(10), // docsRequested
this.m_dupRemoved, // dupRemoved
this.m_dupMarked, // dupMarked
this.m_searchDataGroup, // groups
this.m_queryLang, // queryLang
this.m_docLang, // docLang
this.m_returnCount, // returnCount
this.m_filterConnector, // filterConnector
filters, // filters
this.m_fetchAttributeNames, // fetchAttributeNames
null, // searchControls
null, // groupAttr
this.m_sortAttributes, // sortAttrList
null); // clusterList
Hi Nikola,
in 9.0.1, even if you rewrite the web interface, you can't sort files by custom attributes by setting a SortSpecification on a Folder. You can only sort by base attributes with getItems(). To get items sorted on custom attributes you must perform a search (a lot more lines of code).
Regards, Alessandro -
Help needed in Inbox search for Custom attribute
Hi,
We have a requirement wherein we have a custom attribute on Service Request to store the ECC order number.
We have enhanced the Inbox search to retrieve all the service requests having the ECC order number.
Here we are encountering a problem. I just created a new CRM service request and entered order number 1234, and now when I search for the same in Inbox search, giving the criteria order number as 1234, I get "no results found". But when I extend the max list to 2000, then I see the service request appearing in the result list. I am not sure about the algorithm that is designed for Inbox search.
Any pointers on how to resolve this issue would be of great help.
Thanks,
Udaya
Hi,
I do not have the time to research this completely, but I had a short look into the class you posted.
In the GET_DYNAMIC_QUERY_RESULT there is a call to CL_CRM_QCOD_HELPER->PREPROCESS( )
A little bit lower there are blocks marked by comments for the single searches that are handled by this class. I had a look into the campaign_serach() method. There if you scroll a little bit down (around line 123) they set all search parameters to SIGN = 'I' OPTION = 'EQ'. This is done several times below as well.
Set a breakpoint in the preprocess() method and check which of the blocks is called and how they handle your search criteria.
Hope it helps.
cheers Carsten -
Execute UCM Service in custom component
Hi ,
I was looking for information how to execute the UCM service in custom component and found a couple of blogs regarding the same :
http://jonathanhult.com/blog/2012/06/execute-a-service-from-a-java-filter/
http://jonathanhult.com/blog/2012/10/who-created-that-site-studio-section/
http://www.redstonecontentsolutions.com/5/post/2012/05/executing-a-service-from-aservicehandler.html#sthash.X31M6ZCS.tvlE83Km.dpbs
I am new to webcenter content and couldn't understand above blog stuff properly. Queries :
1. We may need to call the UCM service in filter, Service or ServiceHandler. Is there any difference in code required to execute a service ?
2. What is the correct code to execute the UCM service?
Ad 1) The reason why the same service might be executed slightly differently from e.g. a filter or another service/service handler is that the classes Service and ServiceHandler and the interface FilterImplementor provide slightly different attributes. Note that you may also execute a service from iDocScript (via the executeService command; see http://docs.oracle.com/cd/E23943_01/doc.1111/e10726/c08_config_ref.htm#i1078100).
Ad 2) There is no 'correct' or 'incorrect' way. Simply, from a filter you will do it this way, and from a service that way. I think you should ask: what is the correct way to implement my custom service? Should it be a filter? Or rather a service handler? Will I need Java, or is iDocScript enough? Unfortunately, you have not shared anything about what your component should do. -
Scheduled Task as Service Account - Failed to Start 2147943785
I am attempting to run some powershell scripts that update membership of groups based on role attribute on users, then also grabs members of some groups and updates other groups with these members.
I've delegated access through "security" to give this service account write:member and write:memberof for the Groups OU and write:memberof for the OUs containing the user accounts.
I've updated my Default Domain Policy to give this service account Log On As Batch Job permissions.
The scheduled task is running from a Domain Controller.
When I attempt to run the task as the service account I receive the following:
Task Scheduler failed to start "\SITE Role Membership" task for user "DOMAIN\GroupScripts$". Additional Data: Error Value: 2147943785.
What am I missing here?
Hi Allister,
Please follow these steps to troubleshoot:
Type "gpedit.msc" and configure the following policies:
[Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment]
1. Log on as a batch job.
2. Allow log on locally.
Add the service account domain\username to these two policies.
Refer to:
Task Scheduler failed to start - Additional Data: Error Value: 2147943785
If there is anything else regarding this issue, please feel free to post back.
Best Regards,
Anna Wang -
I am trying to write a script to enable a mailuser (I do know the difference between mailuser and mailbox) and set a custom attribute for that mailuser. Every time I run the script I get "WARNING: The command completed successfully but no settings of <User DN> have been modified." Both commands being invoked work when typed manually into the Exchange Management Shell on the Exchange server itself. I am using the same administrator account in the script and when I log in to the Exchange server to manually run the commands, so it shouldn't be a permission issue. Here is my script so far. If anyone can shed some light on what I'm doing wrong, I'd appreciate it.
$excel = New-Object -ComObject Excel.Application
$wb = $excel.Workbooks.Open("c:\temp\testmail8.xlsx")
$ws = $wb.Worksheets.Item(1)
$row = 1
$s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://<Exchange Server Name>/powershell -Credential [email protected]
Do {
    $Email = $ws.Cells.Item($row, 1).Value()
    $Cat = $ws.Cells.Item($row, 2).Value()
    # Pass the two values as separate arguments. The original "-ArgumentList (,$Email, $Cat)" wrapped
    # $Email in its own array, so $args[0][1] was always $null and Set-MailUser had nothing to change.
    Invoke-Command -Session $s -ScriptBlock { Enable-MailUser -Identity $args[0] -ExternalEmailAddress ($args[0] + "@domain.com") } -ArgumentList $Email, $Cat
    Invoke-Command -Session $s -ScriptBlock { Set-MailUser -Identity $args[0] -CustomAttribute1 $args[1] } -ArgumentList $Email, $Cat
    $row++
} While ($ws.Cells.Item($row, 1).Value() -ne $null)
$excel.Quit()        # Quit is a method; "$excel.quit" without parentheses only displays it
Remove-PSSession $s  # Exit-PSSession only leaves an interactive session; this actually closes $s
Hi,
I'm not sure what is wrong in your script. If you want more help with script troubleshooting, I recommend you ask a question in the Script Center forum for more professional answers:
http://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?forum=ITCG
As a workaround, please directly create a mail user in EAC and set related custom attribute to have a try.
Thanks,
Winnie Liang
TechNet Community Support -
Service account not inheriting AD group membership permissions on SQL Server
I am adding Active Directory groups as logins and database users to our SQL Servers. A service account added to an AD group did not inherit the group permissions that the user accounts did. Can there be different attributes of service accounts that would prevent service accounts from inheriting the permissions of AD groups?
Example: An AD group AD_group contains a service account user, svc_account, and a user account, user_account. AD_group is added to a SQL Server as a login. User_account can log in to SQL Server but svc_account cannot.
SQL Server will use the information within the token used for authentication, so it may be possible that the service has a stale token (i.e. the token has not been refreshed or the service has not restarted) since you made the changes to the AD group.
I would recommend using a tool such as Process Explorer (https://technet.microsoft.com/en-us/sysinternals/bb896653) to make sure the token for the process is showing the latest group memberships properly.
I hope this helps,
-Raul Garcia
SQL Server Security
This posting is provided "AS IS" with no warranties, and confers no rights. -
Process in C# with Windows Service Account
Hi,
I would like to launch SQL Server Management Studio from the C# Process class through a Windows service account. When I start the process, I get a Win32Exception ("Logon failure: unknown user name or bad password"). I verified the user credentials as well. Please let me know if you have any idea on this issue.
Code:
using System;
using System.ComponentModel;
using System.Configuration;
using System.Diagnostics;
using System.Security;
using System.Windows.Forms;

private void cmdSqlServer2012_Click(object sender, EventArgs e)
{
    Process objProcess = null;
    ProcessStartInfo objProcessStart = null;
    string strSqlServer = @"C:\Program Files (x86)\Microsoft SQL Server\110\Tools\Binn\ManagementStudio\Ssms.exe";
    //string strSqlServer = "ssms.exe";
    string strUserID = ConfigurationManager.AppSettings["UserID"];
    string strUserPwd = ConfigurationManager.AppSettings["Password"];
    try
    {
        objProcess = new Process();
        objProcess.StartInfo.LoadUserProfile = false;
        objProcess.StartInfo.FileName = strSqlServer;
        objProcess.StartInfo.UseShellExecute = false; // required when UserName/Password are set
        objProcess.StartInfo.UserName = "Senthil.Krishnamoort";
        objProcess.StartInfo.Domain = "Services";
        objProcess.StartInfo.Password = ConvertToSecureString(strUserPwd);
        objProcess.Start();
    }
    catch (Win32Exception w32E)
    {
        // The process didn't start.
        MessageBox.Show(w32E.Message);
    }
    catch (Exception ex)
    {
        MessageBox.Show(ex.Message);
    }
    finally
    {
        if (objProcess != null)
            objProcess.Dispose();
        objProcess = null;
    }
}

public static SecureString ConvertToSecureString(string password)
{
    if (password == null)
        throw new ArgumentNullException("password");
    SecureString secureString = new SecureString();
    foreach (char ch in password)
        secureString.AppendChar(ch);
    secureString.MakeReadOnly();
    return secureString;
}
Hi Krish0609,
Firstly, please try the following steps:
Service -> right click -> Properties -> Log On -> Allow service to interact with desktop.
Secondly, from your code, I would suggest you use the ProcessStartInfo.Arguments property to set the command-line arguments to use when starting the application.
objProcess.StartInfo.Password = ConvertToSecureString(strUserPwd);
I suspect this issue may be that you have converted to a secure string.
By the way, here is how to use SSMS command line.
Usage:
sqlwb.exe [-S server_name[\instance_name]] [-d database] [-U user] [-P password] [-E] [file_name[, file_name]] [/?]
[-S The name of the SQL Server instance to which to connect]
[-d The name of the SQL Server database to which to connect]
[-E] Use Windows Authentication to login to SQL Server
[-U The name of the SQL Server login with which to connect]
[-P The password associated with the login]
[file_name[, file_name]] names of files to load
[-nosplash] Supress splash screen
[/?] Displays this usage information
Please also refer to Bruce Prang's Blog to learn more.
Best regards,
kristin -
Records Management - Custom Attributes
Hi all,
I've created a Document Service provider in SRMREGEDIT in my RMS_ID. I archive the created documents with ORGANIZER in Documentum Archive Server.
I have added a custom attribute to my Document type:
1.- I want this custom attribute to appear in ORGANIZER in the search window, so I can search the documents through my custom attribute. How can I do this?
2.- I also want to save my custom attribute in Documentum as an attribute. How can I save SAP attributes in Documentum?
Thanks in advance,
Regards.
Urtzi.
Hi Urtzi,
for custom attributes you need to create a Content Model (Customizing IMG). The Content Model description needs to be in the connection parameter values of your element type Document. Then you have to customize your attributes in the DMWB (Document Modelling Workbench): you should find your content model under the entity SRM; there you need to look for your content model ID in documents, take the virtual class marked with "V" in the PHIO and LOIO classes, and in the instance attributes you can finally customize your attributes by clicking the button "more". You have to hide all attributes you don't need except SRM_DOCUMENT_ID. If you want to add your own attributes you need to add them under IO attributes first. When you restart your electronic desk now you should see the attributes you customized in the document and you are also able to search for these attributes now.
You save these attributes for your documents by writing the Content Model ID into the connection parameter values (Document_Class) of your element type Document. If you have different documents that need different attributes you need to create a new Content Model.
Hope that helps!
Regards, Cornelia -
How to add custom attributes to UME
hi gurus,
I have developed an application in which I want to add custom attributes to UME for the sake of retrieving the BrandType.
Please give me suggestions on how to do this.
Thanks in advance.
Lohi
Hi Lohi,
UME setup
1) go to Configuration tool (C:\usr\sap\J2E\JC02\j2ee\configtool\consoleconfig.bat)
2) For Global server configuration->services->com.sap.security.core.ume.service define property ume.admin.addattrs as BU_PARTNER and for ume.admin.self.addattrs as <empty>. (to set value select entry, input value in Value field and click Set)
3) Click Apply changes button on the toolbar.
4) Restart server.
5) Login to http://<server_name>:<server_port>/useradmin/index.jsp and define BU_PARTNER property.
Code:
try {
    final IWDClientUser wdUser = WDClientUser.getCurrentUser();
    final IUser user = wdUser.getSAPUser();
    // Read the custom UME attribute configured in step 2 above
    final String[] attribute = user.getAttribute(
        "com.sap.security.core.usermanagement",
        "BU_PARTNER");
    if (attribute == null || attribute.length == 0 || !Utils.isNotEmpty(attribute[0])) {
        wdComponentAPI.getMessageManager().reportMessage(...);
        return;
    } else {
        buPartner = attribute[0];
    }
} catch (final WDUMException e) {
    wdComponentAPI.getMessageManager().reportMessage(...);
}
Best regards, Maksim Rashchynski.