Unable to automatically provision users in AD via Access Policy

Hello,
I can connect to AD and provision a user manually to AD via OIM. Goes through just fine. However, if I use an Access Policy to do the same thing, it's stuck in the 'Provisioning' stage. All values are the same in the form.
Any suggestions on why it works manually but not automatically? I have all values including AD server filled in my form. Is there additional configuration in the Access Policy that I'm missing?

All fields are prepopulated.
How do I enable autosave? It's doing the same thing with eDirectory too.
If I go 'Edit' the task I see all values prepopulated. But they're not getting pushed out to the resource. So if I click 'View' all fields are blank.

Similar Messages

  • Provision to target system via access policy

    I am attempting to provision to Active Directory via an access policy and membership rule in OIM11gR2.  I have a couple different issues associated with this process. 
    First, I have a membership rule that works fine. All members of a certain organization are automatically assigned a certain role. My access policy is set to provision an AD account to any member that is assigned the same role from the membership rule. This access policy does not seem to get triggered. The access policy is set to run with no approval, retrofit access policy is enabled, and it is set as priority 1 with "revoke if no longer applies" checked. It is also assigned the Active Directory Users process form. I cannot determine why this access policy is not being triggered to provision the role members to AD. I have manually run the Evaluate Users Policies several times with no effect.
    I believe this may be happening because the default prepopulate adapters are not working or are not configured correctly. The 5 mandatory fields each have a prepopulate adapter assigned to them with the Default rule. Correct me if I am wrong, but I believe the mandatory fields are user id, first name, last name, common name, and user principal name? The Org name and IT Resource are set as static values within the access policy. Can anyone assist me in determining (1) why the access policy is not working and (2) why the prepopulate adapters such as ADIDC Populate Form Field for User ID and ADIDC Prepopulate UserPrincipalName for User Principal Name are not working? Is there additional configuration that must take place with these out-of-the-box adapters so they know which values to populate?

    Just verify whether the following are checked in the AD process Defn:
    Auto Save Form
    This check box is used to designate whether Oracle Identity Manager should suppress display of the custom form associated with this provisioning process or display it and allow a user to supply it with data each time the process is instantiated. If you select this check box, it designates that Oracle Identity Manager should automatically save the data in the custom process form without first displaying the form. If you select this check box, you must supply either system-defined data or ensure that an adapter is configured to populate the form with the required data (since the user will not be able to access the form). If you clear this check box, it designates that Oracle Identity Manager should display the custom process form and allow users to enter data into its fields.
    Auto Pre-Populate
    This check box designates whether the fields of a custom form that:
    Are associated with the process
    Contain fields that have pre-populated adapters attached to them
    Also, while running "Evaluate User Policy", clear the old time stamp and populate it with the current time. Sometimes I have seen people making this mistake.
    ~J

  • How to deploy a file on all users C drive via group policy

    I'm trying to deploy a file on all users' C drive via group policy but it's not working. The logon script is already in place but nothing is happening. If I run the same command from my PC it works fine. Does anyone have a good script to copy & deploy the file? Pls help

    Hi,
    You can use Group Policy Preferences to deploy this and Item-level Targeting to filter by OUs/groups, WMI filters, etc.
    Computer Configuration / User Configuration - Preferences - Windows Settings - Files
    More on this here.
    http://technet.microsoft.com/en-us/library/cc772536.aspx
    Hope this helps.
    Regards,
    Calin

  • Automatically provision users in OCS 10g - where are the -p switches?

    Hi,
    in the past we used a bunch of scripts to automatically provision services to our new OCS users. In OCS 9.0.4 (R2) we used the uniuser and unidsdiff commands for this.
    As it seems that Oracle has left these switches behind in the new binaries in OCS 10g, I wonder if anybody has found a possibility to provision OCS services to users without using either the provisioning console or having to enter an admin pw in the terminal?
    This is more than bad, since I think that many customers of either OCS 9.0.4.2 or stand-alone calendars have been using this method for auto-provisioning and now Oracle has cut off this connectivity.
    In case anybody knows another way around I would be very interested in that.
    Regards,
    Stephan

    Thanks Martin for replying.
    What I understood is: attach a task which will check if resource X is provisioned or not; if not provisioned, then initiate provisioning of ResX.
    I think even in this case, if we are trying to provision userA to Res1 & Res2 simultaneously, then after successfully provisioning, both resources will trigger the task to check if ResX is provisioned or not, it will return false, and both resources will trigger auto provisioning of ResX. Anyway, I will try this option and update.
    How can I use a database lock to avoid a race condition in OIM? The database itself will not allow creation of the same user twice (violates unique constraint).

  • OIM 11g R2 - AD provisioning based on Role and Access Policy

    Hi, for Active Directory integration I used a prepopulation plugin for populating the resource form (based on http://fusionsecurity.blogspot.sk/2013/01/populating-request-attributes-in-oim.html).
    It works fine - the requested account was fully provisioned.
    Can I use these plugins for Role based provisioning?
    I tried to create an access policy and associated role, but when I attached the role to the user and ran the Evaluate User Policies Job, the account couldn't be provisioned.
    In diagnostic.log I found.....
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Immediate consequences are returned with event - InitiatePolicyEvaluationAndProvisioning
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Next Waiting child process is ..........6380 sync = false
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] First Waiting child process is ..........6380
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Kernel executing default validation with process id, event id, entity and operation 6,380.0.Resource.ACCESS_POLICY_BASED_PROVISION
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Kernel completed the child orchestration - 6380.6379
    [oracle.iam.platform.kernel.dao] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Inserting records for orchestration cleanup
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Completed orchestration with action result - 113

    Hi, all
    I tried to fill in the Access policy Process Form. The account request was created and provisioned when the fields AD Server and Organization Name were filled in, but the pre-population plugin didn't fire.
    The question is.... How can I use a pre-population plugin for populating the request dataset used with a request generated by an access policy....
    Is it possible to use plugins for requests generated based on an access policy?
    a.

  • Deploying Printers with User Specific Settings via Group Policy

    Good Morning All,
    We are getting ready to switch our print server over and would like to find an easier way to update everyone's printer list. The issue we are running into is that we have a few large copiers that use a user id number to validate any print jobs. Is there a way to set that up in GPO so that it will give the correct code directly? I cannot find anywhere that I can adjust the printer preferences.
    Thanks,
    Brent

    Hi
    So you just want to update the TCP port with the new IP instead of deploying new drivers from the server?

  • Segregate Automated User provisioning using Access Policy-Diff Groups/Org

    Hello there,
    By default, the users that are created in OIM - via GTC/via self registration/via Administrator - they all get assigned to "All Users" group. Can we assign these users to a different User Defined group for e.g. "trialgroup", by default and Unassign the "All Users" group. If yes, how can we do that?
    This question is related to another question of mine:
    I want to avoid having all the users that are being created in the OIM system provisioned all together to a single IT Resource, in my case OID, directly via an Access policy which can be applied on an individual group. I want to keep the system extensible for future purposes. And the only way to segregate direct resource provisioning via access policy is by means of different "groups". So the solution that I could think of was to assign all the users that are being created currently (via GTC and via Bulk Load into OIM) to a separate group and assign an access policy to the group, so that in future if any other resource comes into the picture then the system can be extended by creating more groups and designing individual separate access policies for the same.
    Does this make sense?
    Please provide your inputs! Any hints/suggestions/ideas are welcomed.
    TIA,
    - oidm.

    I am actually not very sure what you want to achieve from the content of that post. If you mean that you would not want every user in OIM to be provisioned to OID automatically through access policy, then I am assuming that in that case you will apply the access policy to the ALL_USERS group.
    Well, I may be missing the flow of your question, but here is what you can do based on my understanding:
    1) Just forget the ALL_USERS group. We can do nothing about it. Any user created will be a part of this group and you cannot remove a user from this group.
    2) In place of this, what you can do is create another group, for instance trialgroup, and make all users a member of this group as well. This would be simple to do. See next step. Use addMemberUser() API of addMemberUser interface.
    3) Create an Entity adapter with a javatask added, which takes an input of UserID, and assigns that user to this group (trialgroup) in OIM using the above API. Attach this adapter to the post-insert trigger of the "Users" data object manager. (It also has another ootb Entity adapter which adds all the users to the ALL_USERS group.)
    4) Attach your access policy to this group.
    5) Now also you are free to extend your system by creating more groups and access policies. It shouldn't be a problem.
    Thanks
    Sunny

  • SolMan 4.0: Support Team determination via Access Sequence not working

    Hi,
    from all the documentation I've read I got the following understanding for automatic determination of the Support Team via Access Sequence (well, for one possibility at least):
    - Maintain Sold-to-Party in IBase IB52, especially country attribute. DONE
    - Maintain Organizational Structure in PPOMA_CRM and create Org. Units, Business Partner No. get assigned automatically. DONE
    - The Organizational Unit "Support Team" has the same country attribute as the Sold-to-Party and was marked "Obj. Permitted in Determination". DONE
    - In IMG under SolMan -> Sc.-Specific Settings -> Partner Det. Proc. -> Def. Partner Det. Procedure select Procedure "SLFN0001" -> Partner Functions in Procedure -> Select "Support Team" -> Details, in block "Partner Determination" under "Access Sequence" select "Organizational data: Support Team by org. model". DONE
    If I now create a support message in a satellite system the Support-Team will NOT be assigned. Instead if I have a look into transaction data of the message under tab "Actions" there is an entry "When message is created, find support team responsible" with processing parameters RULE AC13200137, PARTNER_FCT SLFN0003.
    This makes absolutely no sense to me, why is the determination rule 13200137 used (which contains no entries at the moment) instead of the assigned Access Sequence?
    Am I missing something?
    Regards,
    Marco Kipka

    Hi,
    no hint for solving the problem?
    This is getting quite urgent, since I'm working at a customer's site and trying to implement the described scenario.
    Regards,
    Marco

  • Access Policy  Vs Self Service triggered provisioning

    Hello Everyone,
    I wanted to know if there is any way to differentiate at the process definition level whether the provisioning process is triggered by Access Policy/direct OIM user create or a Self Service Request??
    Thanks
    N

    There is a column in the table for the object instance database object that contains a link to the access policy object. You can break or create this link if you want or don't want resource to be revoked on "policy no longer applies".
    I don't remember exactly what the tables are called (OIU?). Perhaps someone else has this info easily available.
    Best regards
    /Martin

  • Enabling users and automatic provisioning

    Hello,
    I have a problem with automatic provisioning.
    In our context, here is what we want to do :
    - A user has a Start Date
    - Once this user has reached this date, the scheduled task "Enable User After Start Date" enables him in OIM
    - This activation gives a role to him
    - Having this role starts the provisioning of AD and Exchange resources
    And here is the problem we have :
    - The user was supposed to start today
    - The scheduled task ran at 2 AM and enabled him successfully
    - He had the role
    - But no resource provisioning started
    Do you have any clue on why it happened and how to solve it ?
    Thank you for your help !

    Hi,
    If the user has the role assigned,
    check whether the corresponding rule is active or not. It should be active.
    If it is active, then
    check whether you are able to do access policy based provisioning via the UI or not.
    Thanks,
    Kuldeep

  • Provisioning users automatically

    We got CS running but I found out that to provision a user I have to:
    - Create user in OID
    - Go to UM admin and create an email account for that user
    - Go to Calendar admin and provision calendar for user
    - Go to portal and assign default group to OCS_PORTAL_USERS (otherwise they will not get the calendar, mail and files portlets)
    Is there a way to automate this process the same way the files account is automatically provisioned every 15 minutes?

    did you see the metalink note 186981.1      Oracle Application Server with Oracle E-Business Suite Release 11i FAQ?
    How can Microsoft Active Directory and Windows Native Authentication be used with Oracle Internet Directory and Oracle E-Business Suite Release 11i?
    regards,
    --Olaf

  • Unable to provision users in OIM 11.1.1.3 using DBUM connector 9.1.0.4.

    Hi,
    I installed OIM 11.1.1.3 and I am able to access it.
    Now I am trying to provision a user to a database table using the "User Database Management connector". I worked on it using version 9.1.0.4, but I failed to provision the users.
    I am getting an error message that "Error occurs while initializing parameters in initutil".
    Can anybody please help me solve this issue?
    Thanks,
    SRI.

    Thank you for your reply.
    I am trying to test for provisioning users, could you please suggest me the version for the AD or any other connector that is used to deploy with the OIM 11.1.1.3.
    Thanks,
    SRI.
    Edited by: Sri Kishore on Aug 25, 2010 11:29 PM

  • Grace Period Expired Unable to Provision Users

    Hi guys, 
    Through the jigs and the reels I have a bit of an issue. Recently I was back and forth with TAC trying to get a telepresence license sorted out. We purchased an SX20 and it was registered to call manager on our BE6k. The 60 Day trial ran out and now I can't remove the Device or the Insufficient license from ELM. Does anyone have any idea how to remove the instance from ELM until Cisco gets our License sorted out? We have a User starting Monday and need to configure a phone for him.
    Thanks!

  • OIM 11g - automatically provision a user with AD

    Hi everyone,
    I'm a newbie with OIM and to begin, I would like to provision a user to my AD directly after we create him in OIM. So I created an Access Policy for the resource AD User with the correct AD Server and the correct Organization and I assigned it to All Users. When I create a new user and I give some additional information like the address, phone number, email for example, this user is provisioned to my AD but the only information provisioned is his login, his first name, and his last name, and none of the others.
    I don't understand why. Do I have to set up an adapter for this? I've also checked Auto Save and Auto Pre-populate in the Process Definition but I don't know if it's the right thing to do.
    If you can help me with this. (I know this is a really "newbie" question but it'll help me a lot to understand OIM basic functionalities)
    Thanks a lot !
    Thibault

    I don't think that Oracle has used any kind of Java code for this. You can simply create a Logical task to achieve the same.
    Anyway, the AD Connector comes with two jar files and you can get those JARs from the Connector Pack itself or from the Database.
    Go through Design Console guide for details.
    And also for your use case follow steps:
    Go to Form Design
    Search UD_ADUSER
    Create New Version
    Save
    Go to Prepopulate Tab
    Click Add
    Select your attribute
    Adapter as ADCS Populate First Name, Rule as Default, Order as integer value say 7
    Save
    Do mapping of variable with User Definition > Field Name

  • How to create user credit control via customization

    Hi!
    I have to create user credit control via Transaction: SPRO.
    path: Sales and Distribution->Basic Functions->Credit Management/Risk Management->Credit Management->Define Automatic Credit Control.
    I want to check the user checkbox, and create my logic of credit control.
    In the help of the credit control screen, it says that I have to use user exits LVKMPTZZ and LVKMPFZ1.
    However, when I looked for those user exits in SMOD, those user exits don't exist!!!
    How do I use those user exits? Why can't I find those user exits?
    Can you please give me a code example of how to use the user checkbox to change the logic of credit control? Or any material about the issue.
    thanks
    moshe

    Hi,
    You don't find the programs LVKMPTZZ and LVKMPFZ1 in the SMOD transaction; check in SE38 by typing the program names. There you have the provision to write your custom code.
    As user exits are specific to the business, it would be difficult to send sample code to cater to the functionality expected by your business.
    Hope this helps,
    Rgds,
