SUN idM integrate with GRC AC

Similar Messages

• Tivoli IDM Integration with GRC 10

  Hi All ,
  Can someone please help me with the information about webservices that we need to enable on GRC 10 so that it can integrate with the IDM Solution (IBM Tivoli ) . I had a look at the GRC 10 docs in market place , however couldnt find any help on this.
  Thanks for your time.
  Vikas

  Hi vikas and Frank,
  Do you have any information related on How to enable the webservices in the GRC 10 (does NWBC holds the key). if you have any information related to it  please share it with me.
  Thanks and regards,
  keerthi

• IDM connected with GRC

  Hi All,
  Would like to check a question with you. As I know SAP IDM can be connected with SAP GRC for risk analysis during user request. Does anyone know if there are any other IDM solutions (other than SAP IDM) which can be connected with SAP GRC and do risk analysis during user request?
  Thanks in advance.
  Benny Ren

  Hi Ankur,
  Thanks for your reply. As I understand the GRC adapter in ITIM works only with SAP resource (please correct me if I am wrong) and not any other ERP or non-ERP resource. Is there any way so that I can directly use webservices with ITIM without using ITIM adapter.
  Hi Frank,
  If I can integrate the webservice directly with ITIM, then what I can do is using the risk analysis find out what are the roles which violates the SoD. If web services can return that, then I can use the following steps:
  - Create a Life cycle rule to find all the violations.
  - Once violations are identified then send an approval for the violations.
  - If this are approved, then the role can remain with the person.
  - If rejected then the role will be removed through the life cycle it self.
  Please let me know if what I think can be done and is feasible.
  Thanks to all for your replies.
  Regards,
  Ashish Choudhary

• Error while Reading Idocs from ECC 6.0 to Sun IDM .

  Hi Gurus,
  We have a scenerio where we have to update the Sun IDM Server with all the changes in HR Data happening in ECC.
  For that... we have
  1. Created a Logical System for Sun IDM server, Port, RFC Connection (TCP/IP).
  2. Assigned Partner Profiles, Distribution Model etc. for msg. type HRMD_A ;
  3. We have created a Communications User used by the IDM server to connect to ECC.
  Idocs are created daily and are in status 03 - Data passed to Port OK !
  and on the In Sun Identity manager 8.0 we have created SAP resource adapter for ECC 6.0,
  after giving resource parameters our test connection is successful.
  We also changed edit synchronisation policy for the same but when we start synchronisation in IDM, it is unable to read any idocs although Idocs are generated in SAP .
  Log file gives the message as "Incoming IDoc list request containing 0 documents"
  We also have one more error ;
  some times while doing a connection test : JCO.Server could not find server function '剆䍟偉乇'
  while most of the times the connection is successful.
  Please suggest .

  Hi Gurus,
  The error got resolved .
  The changes in the settings i did :
  SAP SIDE : Made the RFC Connection Unicode.
  IDM SIDE : Checked on the "SAP Server Unicode" checkbox; while doing the HR Activ Synch Settings.
  This Resolved the error.
  regards
  Vaibhav

• Exploratory Programming of the Sun IDM API

  Exploratory Programming of the Sun IDM API using Rhino
  Sun IDM comes with a JavaScript interpreter (Rhino) that can be invoked from the command-line. This gives developers an easy way to explore the large number of classes that comprised the product.
  Let's say for example that you need the approvers of a role object in order to display them on a form. (The role view provides this information, but let's ignore this for the purpose of this example.) The role javadoc mentions two methods to get the approvers, getApproverRefs() and getApprovers(). Unfortunately they are not described clearly, and the difference between the two is not clear either.
  In order to understand what these methods do and what they return, you can use the interpreter to invoke each one directly.
  First start the interpreter with the 'lh.bat js' command:
  lh.bat jsYou will be greeted with the javascript prompt "js>"
  Then the first thing to do is to login to the application server. Copy-paste the following code into the shell interpreter.
  // Java packages are prepended with the word 'Packages'
  // and are imported using the 'importPackage' function
  importPackage(Packages.com.waveset.util);
  importPackage(Packages.com.waveset.object);
  importPackage(Packages.com.waveset.security.authn);
  importPackage(Packages.com.waveset.session);
  importPackage(Packages.com.waveset.ui);
  importPackage(Packages.java.util);
  // Use arguments[0] and arguments[1] if you want to pass credentials from the command line
  // Here we just use the built-in account "configurator"
  var epass = new EncryptedData("configurator");
  var session = SessionFactory.getSession("configurator", epass);
  print("Waveset session established");Alternatively save the above code to a text file called "idm-init.js" and load the file from the interpreter.
  js> load("idm-init.js")
  Waveset session establishedOnce a session has been established, objects can be loaded from the repository. Enter this line at the prompt to get the role object named "testrole3"
  js> var roleObject = session.getObject("Role", "testrole3");Enter the variable name at the prompt to cause the interpreter to invoke the object's 'toString' method.
  js> roleObject
  Role:testrole3Use a 'for' loop to print out all of the object's method and fields.
  js> for (i in roleObject) { print(i) }Enter a method's name to invoke it. Let's call getApproverRefs().
  js> var approvers1 = roleObject.getApproverRefs();
  js> approvers1
  [User:role1approver(id=#ID#1CC1759638D9AF96:182C132:10F3E8040B5:-7FBE), User:role2approver(id=#ID#1CC1759638D9AF96:182C132:10F3E8040B5:-7FB8)]
  js> approvers1.get(0).getClass();
  class com.waveset.object.ObjectRefNow let's check out getApprovers().
  js> var approvers2 = roleObject.getApprovers();
  js> approvers2
  [Lcom.waveset.object.WSUser;@d3c69c
  js> approvers2[0].getClass()
  class com.waveset.object.WSUserSo getApproverRefs() returns a list of ObjectRef objects, while getApprover() returns an array of WSUser objects.
  In summary the Sun IDM JavaScript interpreter can be used to explore the product's vast API. This article used the role class and its getApprovers() and getApproverRefs() methods as an example for exploratory programming. Other applications include automated testing and administrative scripts.
  [email protected]

  Yes you can customise IDM it is all available in courses and the manuals also provide some info.
  As long as you can write the code you need in java or javascript you can call it from IDM: that could be an interface to you naming app.
  Otherwise use the SPML interface if you want to use something else then the GUI. This is also described in the manuals.
  WilfredS

• SUN IDM with Windows Vista

  Hello,
  Has anybody tried installing SUN IDM with windows vista
  I tried IDM 7.1 with vista home premium and doesnt seem to work. Curious to know if any body has success with vista
  Awaiting replies
  Thanks,

  What error message are you getting?
  Have you installed Java and an apllication servers as requested?
  1) Set Up a Java Virtual Machine Software Development Kit and Java Compiler
  The application requires a Java compiler and a Java Virtual Machine (JVM) to run the Java classes that perform actions within Identity Manager. Both of these can be found in a Java SDK. Download from or http://java.sun.com/javase/downloads/index_jdk5.jsp *** You should add JAVA_HOME to your list of system environment variables and to your system path. To do this, add JAVA_HOME to your system environment and JAVA_HOME\bin to your path, making sure to list it before any other Java environment variables.
  2) Install Tomcat application server from official http://tomcat.apache.org/ to local hard drive. Configure Tomcat memory requirements and restart. Min: 256k

• Expert pls help: Sun IDM with ldap active sync

  Hi all,
  Currently i am configuring Sun IDM 6.0 SP1 to active sync with Sun directory server. I have enabled Retro Change Log but yet i cant find my changeNumber in directory server. Could anyone show me a way (search?) to get what changeNumber directory server currently running?

  Check the account used by IDM to access DS can search cn=changelog branch. If he is not Directory Manager, you probably need to set an ACI on that branch.
  HTH

• Anyone has experience with sun idm data exporter /warehouse funtionality ?

  Anyone has experience with sun idm data exporter /warehouse functionality. There is not much documentation about how to debug it. I created everything like in the document. Everything seems running fine. I get the following the server tasks->Run Tasks
  Data Warehouse Exporter      Data Warehouse Exporter      Configurator      executing
  Prior to that i created database and 50 tables as it said in the doc.
  I created accounts and modify email address. Nothing is getting to my warehouse database and i don;t know where to look for the errors. Any information is appreciated.

  Hi there,
  I have been looking at the source code and I think I have found the problem.
  IDM determines whether to update or create a resource account
  by attempting to fetch the user from the resource.
  If the user exists then update, otherwise create.
  In the code, if the user does not exist, the code throws the
  exception: EntityDoesNotExist(1301)
  The code then catches this exception
  and then returns a null back to IDM,
  indicating that the user does not exist.
  Well, that is what the code says but this does
  not match its actual behaviour....
  I then decompiled the actual class (jar) files
  and the code there does NOT catch the exception,
  so it bubbles up to IDM, which regards it as an error.
  Soo, the jar file that is on the website has a bug in it.
  The source code in SVN is correct, but it appears
  that the jar file was not rebuilt.
  I am attempting to rebuild a new version of the jar file...
  John I

• Provisioning User IDs in Remedy Help Desk with Sun IdM 7.0.

  Hi,
  Our team is in the process of defining a approach to provision user IDs in Remedy Help Desk system using Sun IdM version 7.0.
  What we wanted to know is whether it is possible to use the Remedy resource adapter bundled with Sun IdM 7.0 to provision user IDs. We think that this resource adapter is used to provision help desk tickets into the help desk system and not user IDs. Is the understanding correct?
  If user IDs cannot be provisioned using the resource adapter, we are planning the following approach to provision user IDs into Remedy:
  1. Understand the table schema of the Remedy database.
  2. Configure the Database Table resource adapter to provision into the Remedy user tables.
  We are looking for inputs from people who have come across a similar design issues with Remedy Help Desk and could validate our design approach. We will highly appreciate any inputs on this.
  Thank You.
  Regards,
  Vallabh Vengulekar.

  "We think that this resource adapter is used to provision help desk tickets into the help desk system and not user IDs"
  hi as per ur post...where did u find this information..I am looking for this information of how to manage Remedy tickets through IDM.
  If you can help me it wil be great...looking for your inputs...
  thanks in advance.

• Using Sun IDM with Firefox 3.0.3

  We just upgraded to Firefox version 3.0.3. When I try to run a report in Sun IDM, I get the following error:
  There was an error while retrieving task status.
  This connection has timed out. Please login again.
  It works properly in IE, and previous versions of Firefox.
  Does anyone know of a fix for this, and has there been any other problems with Firefox 3.0.3?
  Thanks,
  Jody

  jweisbau wrote:
  There was an error while retrieving task status.
  This connection has timed out. Please login again.That error you're seeing is from the little java applet that runs when a report is generated. It's possible a new security restriction regarding applets is active in your browser.
  You can still see the report by looking in Server Tasks -> All Tasks and viewing the result of the report task there.

• Sun Idm with LDAP failover

  Hi All,
  Not sure if anyone encountered this issue.
  I m using Sun Idm version 7.1 and sun one directory server 5.2 as corp ldap. I want to configure failover for ldap. I have setup master-master replication between ldaps. Now in idm on resource configuration page for ldap, I specified url of failover server. I brought down current ldap server and checked the connection. It shows successful because it picked failover one.
  Now, after this stage I am not able to create/modify accounts on ldap (now running on failover) and its giving me the error "javax.naming.NameNotFoundException. [LDAP error code 32- No such object]"
  Any suggestions, please provide.

  Hi
  Came across this issue myself (just now) and fixed it so thought I'd comment. I appreciate this post is quite old now but this might help anyone else who has this issue.
  We are using IDM 8.1 and have 2 DSEE 6.3 instances - one master and one replica. In the help description for Failover Server on the LDAP resource configuration page it says:
  "List all servers in the form of "ldap://ldap.example.com:389/o=LdapFailover" which follows the standard LDAP v3 URLs described in RFC 2255. Only the host, port, and dn parts of the URL are relevant in this setting."
  We originally listed our second server as above and included the "/o=LdapFailover" bit on the end and we got the same error. We removed the "/o=LdapFailover" and just left "ldap://<host>:<port>" there and it all works.
  Hope this helps someone.

• Linking a new resouce with user account in Sun IDM via activesync

  Hi,
  I am having a new resource which contains the user records. Now I want to link that resource to the existing and new users in Sun IDM.
  I do not want to update and create user in the new resource. I just need that a link is created in Sun IDM when ever activesync runs on users account.
  Please guide me how to achieve the same.
  Regards,
  Nitin

  I'm afraid I can't share the exact code but it should be straight forward through the following:
  1. define a field (call it ldapDN)
  2. create a rule to user getResourceObjects to search for the user DN and return the DN to ldapDN.
  3. when ldapDN is not null, expand waveset.resources and add your LDAP resource, like:
  <Field name='waveset.resources'>
  <Expansion>
  <append>
  <s>LDAP</s>
  4. Then set the accountId for that resource as
  <Field ........ accounts[LDAP].accountId>
  <Default><s>ldapDN</s></Default>
  and you should be set... hope it helps.

• Please help with Donwload Sun IDM 6.0 sp1

  Hi,
  I am trying to find where to download Sun IDM 6.0 SP, so far no success. All I can find is either 6.0 or 7.0. Any body have a link? any help or information is appericiated.
  Thanks in advance,
  Michael

  As of the last few months Sun requires you to have a service contract to download service packs. If you have one then you should be able to go to your Support Page and find the download for the service pack.

• Movement of accounts in AD natively; How Sun IDM identity is affected

  Dear Reader,
  We are planning to integrate Windows Active Directory with Sun IDM 6.0 SP1. Even after integrating AD with Sun IDM there will be lots of changes to the native account like especially moving the account from one OU to another etc
  Since Sun IDM identity has the distinguished name of AD account for its reference; if someone moves the AD Account natively how will that affect IDM identity.
  I heard from couple of my friends that Sun IDM uses objectGUID to refer account in AD so even if the account is moved from one OU to another there will be no issue, is that right?
  Will Sun IDM 6.0 SP1 work that way or this fix was introduced in the later release?
  Is there any other factor involved in this which will affect the way Sun IDM works when the account is moved natively?
  Any help is appreciated
  Thanks in advance

  We use IdM 7.1.1.11 and AD.
  Sun does use the GUID once it has it. And, if the dn changes and the GUID stays the same, IdM won't care. Although in examining logs I saw that Sun asks AD first based on the GUID, then if it can't find it, reverts to the dn. We manage what OU our accounts are in via IdM. So we don't allow AD admins to move accounts around. During our initial migration, we are syncing up GUIDs, and correcting any bad OU values. Don't know if that helps, but I have some experience looking at some of this and can offer my oberservations.

• Oracle IAM integration with GRC 10

  Hi All,
  Our client is using Oracle IAM for user provisioning process. Now they have SAP GRC being implemented for two of their SAP systems. Now client wants to integrate SAP GRC Access Risks analysis (ARA) for SOD analysis and User Access Management(UAM) for user provisioning modules of SAP GRC 10 with Oracle IAM.
  As far as i know, webservices needs to be activated in GRC 10 and has done that. Now i want to know how Oracle IAM communicates with GRC 10. How connectors needs to be developed, User account to be created for web service access and how the parameters are passed from oracle to grc.
  Also how many different scenarios are there in oracle IAM for this integration?
  In SAP IDM vs SAP GRC integration we have 2 scenarios.
  1. Request raised in IDM -> SOD analysis in GRC -> Provisioning in GRC -> Return success/failure status back to IDM
  2. Request raised in IDM -> SOD analysis in GRC -> Return SOD success/failure status back to IDM -> Provisioning in IDM
  So can anyone help with possible scenarios for this integration process??

  Hi vikas and Frank,
  Do you have any information related on How to enable the webservices in the GRC 10 (does NWBC holds the key). if you have any information related to it  please share it with me.
  Thanks and regards,
  keerthi