System Administrator role OIM 11gR2

Hi experts,
I am trying to figure out which table in OIM 11gR2 stores the information for roles assigned to the user.
I am specifically looking for users who have system administrator role assigned. The way to assign is through organizations, but not sure which table stores it.
Thanks
Kunal Jain

Below are the table names and descriptions used to obtain admin role and user information:
ADMIN_ROLE - stores information about the admin roles available in the system
USR - user information
ADMIN_ROLE_MEMBERSHIP - user and admin role mappings
regards,
GP
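
An audit query over the three tables named in the answer above, as an added example that is not part of the original posts. The column names on ADMIN_ROLE and ADMIN_ROLE_MEMBERSHIP, the join to ACT for the organization name, and the internal role name OrclOIMSystemAdministrator are assumptions; confirm them with DESCRIBE and the companion query before relying on the result.

```sql
-- Added example: list every holder of the System Administrator admin role.
-- Assumed columns: ADMIN_ROLE(ROLE_ID, ROLE_NAME),
--                  ADMIN_ROLE_MEMBERSHIP(USER_ID, ROLE_ID, SCOPE_ID).
-- Assumed internal role name: 'OrclOIMSystemAdministrator'.
-- USER_ID and SCOPE_ID are treated as strings holding usr_key and act_key.
SELECT u.usr_key,
       u.usr_login,
       u.usr_status,             -- shows disabled or deleted accounts that still hold the role
       ar.role_name,
       arm.scope_id,             -- act_key of the organization the grant is scoped to
       o.act_name AS scope_org
FROM   admin_role_membership arm
       JOIN admin_role ar ON ar.role_id = arm.role_id
       JOIN usr u         ON TO_CHAR(u.usr_key) = arm.user_id
       LEFT JOIN act o    ON TO_CHAR(o.act_key) = arm.scope_id
WHERE  ar.role_name = 'OrclOIMSystemAdministrator'
ORDER  BY u.usr_login;

-- Companion check: confirm the exact ROLE_NAME values in this schema and
-- see how many grants each admin role carries.
SELECT ar.role_name,
       COUNT(arm.user_id) AS grants
FROM   admin_role ar
       LEFT JOIN admin_role_membership arm ON arm.role_id = ar.role_id
GROUP  BY ar.role_name
ORDER  BY grants DESC;
```

Run both with a read-only account against the OIM schema; any login in the first result other than the expected administrators is the list to review.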

Similar Messages

  • Assigning System Administrator role to a new user in OIM 11gR2

    I am trying to assign full access as xelsysadm to a newly created user but am not able to. I am unable to identify the option to add the System Administrator role. The System Administrator admin role is available to the TOP organization and we cannot create a new user in TOP. Any suggestion will be helpful.

    Go to -> Organization -> search and select the Top organization -> open the detail page -> click on Admin Role -> select the admin role (System Administrator) -> click on the Assign button -> select the user and add it -> finally click on okay.

  • Revoking permissions for Few of the worksets in System Administration role.

    Hi Experts,
    I would like to revoke the permissions for some of the worksets in the role of System Administration. How can I remove the permissions like that? Is it possible?
    Thanks
    Suresh.

    Hi Priyanshu,
    "Object manager is not activated" simply means that the SLD server is not started. So, please, first of all navigate to the SLD URL http://<host>:<httpport>/sld, log in with an administrative SLD user -> Administration and push the start button.
    Regards,
    Blanca

  • System Administrator Roles

    We are running Unity Connection 7.1.5, Pub and Sub. On the Subscriber I go to Roles > System Administrator and I see myself in the list as well as all my co-workers.
    But when I go to the Pub, I don't see anyone in the list. It's as if the System Administrators are not synced to the Pub, but show up in the Sub.
    I need to know why this is happening, and more importantly, how to fix this.
    Thanks in advance.
    Shir

    Hi Shir,
    What's the status of DB replication between the Unity Connection pub and sub?
    From CLI of the pub: "utils dbreplication runtimestate"
    Ryan

  • How to raise create role request in OIM 11gR2?

    How can I let a user to raise a create role request in OIM 11gR2?
    If I assigned the Role Viewer or Role Authorizer admin role to the user, the create button for role is disabled.
    If I assign the user as Role Administrator, the role will be directly created without raising any request.
    If I assign the user as SPML Admin, the create button is enabled, but after filling the form and clicking the "save" button, an exception will be thrown saying "IAM-3054100 : The logged-in user AA10127 does not have createRole permission on Role entity."

    Hi,
    I have changed the identity page logo by using the customize option, but in the sysadmin page there is no such option. Is it possible to change the image the same way as in the identity console?

  • Who can delete user in OIM apart from System Administrator.

    Hi All,
    In OIM 9.1.x apart from System Administrator who else can delete user? Can we configure something so that only particular User/Group can delete user?
    Thanks.

    Hi AGIAM,
    Sorry, I can't recall the exact way to configure it (I don't have a 9.1 instance running), but you can try adding the user to the OIM Groups with privileges to manage/delete the users.
    "An OIM Account can be granted additional permissions including delegated administration of various entities, such as users, organizations, and roles, and the ability to define workflows"
    Creating and Managing Users
    Hope it helps.
    Thanks.

  • Nesting of Rules for Auto Group (Role) Membership Rules in OIM 11gR2

    Does anyone know how to nest rules for auto group (role) membership in OIM 11gR2? The General rules in Design Console are no longer used for auto group membership and the rules that can be configured in the Role properties cannot be nested as far as I can see.
    Any info is appreciated.
    Thanks!

    My mistake... this is possible in the web ui.

  • Logon is not possible because you have not been assigned to a business role; please contact your system administrator

    Hi experts,
    I'm having a problem as our project is approaching the end.
    If I assign the business role in parameter CRM_UI_PROFILE and the PFCG role in SU01,
    it works fine, and the user can log on to the web UI.
    Now I created a new organization model and position, and assigned the business role and user to the position.
    A PFCG role was also assigned to the business role:
    Then I removed all the roles and profiles in the user master in SU01.
    The user cannot log in to the CRM web UI and the system raised "Logon is not possible because you have not been assigned to a business role; please contact your system administrator".
    Can anybody suggest what the problem is? Are there any other settings I should make?
    I suppose that, since the user was assigned to the position in the organizational model, the system can determine the user's business role, and through the business role, the corresponding PFCG role can also be determined.
    Am I correct?
    Thanks.
    Jerry

    Jerry, yes, you're right.
    Let me point you to pretty good explanation right here: Logon is not possible because you have not been assigned to a business role; please contact your system administrator
    So business role determination is taken in three steps (you can observe them in class CL_CRM_UI_PROFILE_DETERM method LOAD_PROFILES):
    1. From user's parameter  CRM_UI_PROFILE (method LOAD_FROM_USER_PARAMETER);
         If  CRM_UI_PROFILE = * then the user needs to have S_DEVELOP authorization object with OBJTYPE = 'DEBUG' (debug authorization).
    2. If not found on previous step: From organizational management (method LOAD_FROM_ORG_MANAGEMENT)
    3. If not found on previous steps: Based on PFCG roles (method LOAD_FROM_PFCG_ROLE);

  • OIM Process Form System Administrator Permissions Disappeared

    Hi,
    We have OIM 9.1.0.2 in our environment. For the past few days we have been noticing that the 'System Administrator' permission gets removed completely from the process form. We can't even add the permission for System Admin, as it gives an error: 'You do not have permission'.
    Finally we had to import our backup XML (thank God that we took a backup) to bring the permission back.
    Has anybody seen this issue before? Please help, as this is becoming a major problem for us.
    Regards
    Rahul

  • Organization Admin control in OIM 11gR2

    Hi,
    I was trying to configure Organization Admin control in OIM 11gR2. Our requirement is to configure roles having read access to an organization (members of this role can only see the members of the organization but cannot update it) and roles having admin control over an organization (where members of these roles have read/write/execute member access). There should be a different set of roles having access to different organizations, where members of one role cannot access the members of the other organization. I tried to configure these security models, but the only thing I could find in the organization is Admin Roles, which I also wasn't able to configure very well. Can someone point me to the correct documentation or procedure/tool which we should use to achieve such functionality? (These functionalities are very easily available in OIM 10g but I couldn't find them in 11gR2.)

    If you add the members of a role to the Admin Roles of a given Organization (specifically the OrclOIMOrgViewer Admin Role), the users will be able to see the users in that organization.
    A few things to consider:
    Only xelsysadm or users in the System Administrator Admin Role can assign users to Admin Roles within the scope of an Organization.
    Here is a piece of code that you can use to programmatically add users to the Admin Role OrclOIMOrgViewer:
    import java.util.Hashtable;
    import java.util.List;
    import javax.security.auth.login.LoginException;
    import oracle.iam.platform.OIMClient;
    import oracle.iam.platformservice.api.AdminRoleService;
    import oracle.iam.platformservice.vo.AdminRole;
    import oracle.iam.platformservice.vo.AdminRoleMembership;

    public class AdminRoleHelper {   // wrapper class name is illustrative
        // This one gets the list of all admin roles scoped by Organization.
        public List getScopedAdminRoleMemberships() {
            Hashtable<String, String> env = new Hashtable<String, String>();
            env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, "weblogic.jndi.WLInitialContextFactory");
            env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, "t3://<oim server host>:<oim port>");
            OIMClient oimClient = new OIMClient(env);
            try {
                oimClient.login("xelsysadm", "<XELSYSADM Password>".toCharArray());
            } catch (LoginException e) {
                throw new RuntimeException(e.getMessage(), e);
            }
            AdminRoleService adminRoleSvc = oimClient.getService(AdminRoleService.class);
            return adminRoleSvc.getScopedAdminRoles();
        }

        // This method adds the user identified by userId (pass usr_key, not usr_login)
        // to the Admin Role in the Org whose key (act_key) is passed as a parameter
        // in the scopeId.
        public AdminRoleMembership addAdminRoleMembershipFor(String userId, AdminRole role, String scopeId) {
            AdminRoleMembership membership = new AdminRoleMembership();
            membership.setAdminRole(role);
            membership.setUserId(userId);
            membership.setScopeId(scopeId);
            Hashtable<String, String> env = new Hashtable<String, String>();
            env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, "weblogic.jndi.WLInitialContextFactory");
            env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, "t3://<oim server host>:<oim port>");
            OIMClient oimClient = new OIMClient(env);
            try {
                oimClient.login("xelsysadm", "<XELSYSADM Password>".toCharArray());
            } catch (LoginException e) {
                throw new RuntimeException(e.getMessage(), e);
            }
            AdminRoleService adminRoleSvc = oimClient.getService(AdminRoleService.class);
            return adminRoleSvc.addAdminRoleMembership(membership);
        }
    }
    This should give you what you need. Remember, the APIs work with act_key and usr_key values; don't use Org Names or User Logins.
    Hope this helps.
    Regards
    Alex Lopez

  • Replicating the app functionality from OIM 10g to OIM 11gR2

    Hi,
    I have a resource object with an object form and a process form, with approval and provisioning configured in the OIM 10g Design Console. Provisioning is manual provisioning assigned to a particular group based on a task assignment adapter. To replicate the same in OIM 11gR2 I followed these steps.
    1. Created a Resource object in the Design Console.
    2. Created a dummy IT Resource (since IT Resource is a mandatory field while creating an app instance. Is there any way to skip this, as I do not have any IT resource in my original app because it goes through manual provisioning?)
    3. Created a process form in the Design Console with the same fields as present in my 10g app process form.
    4. Now I need to create an app instance and select the created resource object and IT resource. I also need to create a form associated with the app instance, in which I will add the fields present in the object form in my 10g app. (Here I do not understand how data will flow from the object form to the process form, since there is no data flow mapping here.)
    5. Other steps, like creating the SOA composite with human tasks, deploying it, and after that creating approval policies, are pretty much clear.
    Please clarify whether the steps are correct, and also the queries which I have posted in between. Thanks in advance.
    Regards,
    Durgaprasad
    Edited by: Durgaprasad on Jan 17, 2013 3:38 AM

    Thanks Gyanprakash. Will a disconnected resource trigger our custom approval process if we select the resource name properly in the scope of the operational level approval policy? Have you tried a disconnected resource with your custom approval process? I ask because I read the following lines in the admin guide:
    Oracle Identity Manager supports provisioning of disconnected resources by using the SOA worklist for manual provisioning of disconnected resources. After the role-based provisioning decision or SOA request approval is complete and the corresponding application instance is determined to be a disconnected application instance, a new SOA workflow is started. This new SOA workflow is assigned to the manual provisioning administrator.
    So I thought a disconnected app instance would have its own approval process configured during creation and would route accordingly. I just wanted to clarify how to make a disconnected app instance trigger our approval. Will the approval policy take care of it, as I am going to select the name of the disconnected app in the scope field?

  • Design console access in OIM 11gR2

    I need to create a user other than xelsysadm with access to the Design Console in OIM 11gR2. What are the steps in 11gR2? In R1 I used to select the Design Console access checkbox while creating the user manually. Is there any feature like that in 11gR2? Thanks in advance.

    Provide an Admin Role to the user.
    Go to -> Organization -> search and select the Top organization -> open the detail page -> click on Admin Role -> select the admin role (System Administrator or User Administrator etc.) -> click on the Assign button -> select the user and add it -> finally click on okay.
    Make sure you select the 'sub-organization hierarchy'.

  • OIM 11gR2 - unable to suppress display of iPlanet process form

    OIM 11gR2 or 11.1.2
    SJSDS Connector 9.0.4
    I have configured the SJSDS connector, IT resource, etc. and am able to manually/directly provision iPlanet User to an OIM user through the identity interface.
    I have configured the process form to pre-populate all necessary fields.
    I have checked the Auto Save Form checkbox within the iPlanet User Process Definition.
    It is my expectation that when an administrator directly assigns the resource to a user they will not be presented with the process form. However, when we directly assign the resource, the process form is displayed causing the administrator to submit the form.
    I have double checked the documentation regarding Auto Save Form within the Developer's Guide for Oracle Identity Manager 11g Release 2 (11.1.2) - E27150-03 and the Oracle® Identity Manager Connector Guide for Sun Java System Directory Release 9.0.4 - E10446-12 and I believe my expectations are correct.
    1) Has anyone successfully suppressed the process form while direct or manually provisioning SJSDS through the identity interface?
    2) Could the Auto Save Form be only related to request-based provisioning?
    Thank you in advance.

    These are also good questions, but I'll give details :-)
    1) Does that make the "Auto Save Form" checkbox useless?
    No. If you don't do this, then your provisioning will get stuck in System Validation.
    2) Can you "Auto Save" the Application Instance form?
    No. As per Oracle, either hide these attributes or delete these attributes, but there's no clean way to delete such things.
    Question for you:
    If you don't want to Auto Save your Application Instance Form, then why did you create it?
    Workaround:
    If you don't want the Application Instance form, then create one more Application Instance without any form.

  • Authorization Policy for Modify user in OIM 11gR2

    Hi Experts,
    Requirement: I want the users in particular org not to modify certain user attributes and users from other org should be allowed to modify user.
    I have created user1 whose organization is org1 and role is role1. I have also created user user2 under same org and same role. I assigned the Admin Role "User Administrator" role to user2.
    So If user2 from same org1 tries to modify certain attributes then OIM should throw error message. I have completed till this.
    But when the user from diff org say org2 with Admin Role "User Administrator" tries to modify user, OIM is not allowing to modify user which should not be the case.
    I want the Auth Policy to trigger only for Org1. I have specified the below condition for my custom policy in OES admin console but it is not triggering.
    The condition is
    IF ( OrclOIMTargetEntity = 'true' AND OrclOIMUserOrganizations = 'true' AND STRING_AT_LEAST_ONE_MEMBER_OF(OrclOIMUserOrganizations,['25','1000000']) = true )
    What am I missing?
    Any help is much appreciated.

    Hi
    Can anyone let me know the steps to restrict modify user operation for the users belonging to specific organization in OIM 11gR2. The condition which I specified under Authorization Policy in APM console is not triggering at all.
    Thanks!

  • OIM 11gR2 Design Console Access

    Hello,
    Could someone please tell me the minimum admin role(s) required to grant access to the OIM design console?
    Thanks!
    Ariel

    Hi All,
    I am using OIM 11g R2. OIM is running on a Linux server, and the Design Console is installed on and accessed from a Windows machine. I am able to log in as 'xelsysadm' from the Design Console.
    I am not able to log in from the Design Console as the 'oimadmin' user (a user created by me).
    I executed the following steps:
    1) Gave the 'System Administrator' role from Top (organization) -> Admin Role -> assigned the 'System Administrator' role to the 'oimadmin' user.
    2) The user is in the 'Xellerate User' organization.
    3) Changed User_Type from 'End-user' to 'End-user Administrator'.
    4) Restarted the OIM server.
    The 'oimadmin' user is still not able to log in.
    I would sincerely appreciate a solution for this.
    Thanks in advance.
