User Management with IDM

I am implementing an IDM solution from another vendor. The consultant is telling me that all user group management must now be accomplished with the IDM solution. And if group membership is changed with another method (ADUC or PowerShell), it will be overwritten
by IDM upon the next change within IDM. the app wants to lead now that it is in place.
I find real issue with this. I am loath to give up powershell and ADUC. Is this true? Do all IDM solutions require you to use them for all ongoing user management? Note: I am talking about group management mostly, not every possible aspect of user management.
Is this how FIM works?
Thanks,
Paul

The basic concept in FIM  is the same. If a group is managed by FIM it should only be managed by FIM.
But please note that this can be implemented on a per group basis. Meaning that one group can be managed by FIM and another can still be managed by other ways. It is typical that some groups are managed by HR system (organisational groups), others are managed
manually in AD and yet other groups are managed by FIM to take advantage of the dynamic groups and self-service aspects in FIM.
The problem is called precedence in FIM, for each attribute on each object there is only one "winner". If FIM has higher precedence than AD for the member attribute for a specific group then FIM will overwrite any changes made in AD on the member attribute.

Similar Messages

  • Access to user management  with j2ee_admin

    Hello, All
    I have a problem I'm trying to access  to user management ()  with  j2ee_admin user, but when I log on with this users  in the  screen don't shown anything, only the fiels of usuername and password are cleaned and I enter other password in the screen, I got this message  on the screen: User authentication failed . However I log on in the visual administrator with j2ee_admin and the same password nd the connection is succesfull.
    We have enabled the sap* user but  it did work.
    Any suggestions for this problem?
    thanks a lot
    Danny

    HI  Joao
    we found  that one certificate  there isn`t  in the backend, this  certificate was created again then  this certificate was uploaded and  the problem  was solved
    You could check the certificates in your backend system.
    I hope this information helps you
    Danny

  • User management with vbs

    Hi all!
    In powershell is not so hard, but, to our company standards I need write this solution in vb script and i didnt found any usefull snipett to begin by myself. My need is
    1. add a lync user if it is member of a specific AD group
    2. remove that user if it was removed from that group or if the account was disabled in AD
    so, i wonder a script that runs scheduled and that check who is member of that group... if all accounts in group are present in lync, do nothing (but, if lync account is disabled, remove the account from group)... if any new member in group, so add it on
    lync... and, finally, if there is any account in lync that is not present in group or it has disabled so remove from lync.
    Thanks all!

    There's no management interface for VBscript, you'll need to use PowerShell.  I'd suggest your company standards may need to be updated as everything Microsoft is controlled by PowerShell these days.  If it has to be called from VBScript, you could
    create your enable and disable PowerShell scripts and call them from VBScript
    Dim objShell
    Set objShell = WScript.CreateObject( "WScript.Shell" )
    objShell.Run("""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe c:\scripts\enable_lync_group.ps1""")
    Set objShell = Nothing
    Here's a couple of links that show you how to match users in an AD group to execute Lync PowerShell cmdlets against:
    http://www.lyncfix.com/2014/06/06/bulk-enable-lync-users-by-group-in-one-line/
    http://www.lyncfix.com/2014/07/23/quick-tip-apply-policies-to-lync-users-not-in-a-group/
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications

  • OIM - EBusiness User Management Connector

    Hello there,
    Can anybody please tell me within the Ebusiness connector i.e. provided in 9.1 version connector pack, which one needs to be installed? there are 3 different categories within the same -
    1.) For the User Management connector:
    Oracle EBS User Management 9.1.0.0
    2.) For the User Management with HR Foundation connector:
    Oracle EBS HR Foundation User Management 9.1.0.0
    3.) For the User Management with TCA Foundation connector:
    Oracle EBS TCA Foundation User Management 9.1.0.
    I don't know which one resembles to which operations that OIM can perform. Can anybody please throw some light and explain which connector does what?
    thanks,
    - oidm.

    An FND_USER record represents an Oracle E-Business Suite account. This record is the main component of the account data whose management is enabled by the connector. *(Oracle EBS User Management 9.1.0.0)*
    Depending on your configuration of the target system, there may be other user data components that must be managed by the connector:
    Some applications in Oracle E-Business Suite require a user to have a person record in Oracle E-Business HRMS. *(Oracle EBS HR Foundation User Management 9.1.0.0)*
    These users are either full-time employees of the organization or users (such as contract or part-time employees) who have been provided with access that is similar to the access provided to full-time employees. iExpense is an example of an application that requires users to have person (HRMS) records.
    Some applications in the Oracle E-Business Suite require a user to have a record in Oracle E-Business TCA. *(Oracle EBS TCA Foundation User Management 9.1.0.)*
    Typically, these users are representatives or employees of customers and vendors of your organization. iStore and iProcurement are examples of applications that require users to have TCA records.
    For more info
    http://download.oracle.com/docs/cd/E11223_01/doc.910/e11203/intro.htm#CHDJCHDC
    Thanks
    Suren

  • Using Jackrabbit User Manager programmatically for changing passwords and getting user data.

    I am trying to do a change password request using the Jackrabbit User Manager with the REST URL /system/userManager/user/<username>.changePassword.json.  The problem I am having is that this request requires an oldPwd form param in the request.  The issue is that when I am trying to do this request it is in response to the user selecting "Forgot Password" so our logic has created a random password which we then email to the user so they can use that the next time they want to login.  We need to change that user's password in CRX so they can log in using it next time.  Since they haven't logged in there is no session, NOT the problem.  THE PROBLEMS, I don't know 1. how to use the userManager to get that user's old password, since /system/userManager/user/<username>.json doesn't appear to return the password and 2. if I could get the old password it most certainly will be encoded, some how, so I will need some decoding algorithm to pass it through in order to get the actual password to set as the oldPwd form param to my change password request.  Please let me know if you require any further explanation.  Any assistance would be greatly appreciated.  Thank you, in advance, for your assistance.
    Sincerely,
    Mike Sucena
    [email protected]

    Hi Mike,
    msucena wrote:
    Justin:
    Does your response mean that until version 2.1.2 of Jackrabbit User Manager is released I cannot change the password without knowing the old password?
    No. It means that this feature is not available in version 2.1.0 of the Sling Jackrabbit User Manager bundle. It was added after that release. You have a number of options:
    Build the bundle from source.
    Use one of the SNAPSHOT bundles available from the Apache Snapshots repository.
    Use the release which is being voted upon now (https://repository.apache.org/content/repositories/orgapachesling-175/org/apache/sling/org .apache.sling.jcr.jackrabbit.usermanager/2.2.0/). (Note - we decided to use 2.2.0 as the version number rather than 2.1.2 as originally planned due to the scope of this release).
    Write a different servlet which performs the same actions.
    Meaning that being able to use either the credentials of the "Admin" user or using the credentials of a member of the "UserAdmin" group is not supported in the current released version 2.1.0?
    Correct. It was added after the 2.1.0 release.
      If I currently need the old password is there any Sling REST - Jackrabbit API call I can use in order to get the old password since using /system/userManager/user/<username>.json doesn't appear to return the password?
    -Mike
    The plain text password is not stored. And this should be considered a good thing.
    If you have questions about the development process we follow in Sling (or at Apache as a whole), by all means ask on the Sling users mailing list. It is reasonably well-established and we love to talk about it.

  • OIM 11g - User Management Authorization policy issues

    Hello,
    1) Created an organization -> Human Resource
    2) Created an Role -> HR_Admins
    3) Assigned HR_Admins roles as administrative role of Human Resource organization
    4) Created user1 with organization as Human Resource & Assigned HR_Admins role to this user.
    5) Created authorization policy for user management with following selections
    Permission -> Create User.
    Data Constraints -> Selected "Users that are members of selected Organizations" & selected above Human Resource organization.
    Assignment -> HR_Admins role .
    now when i log into user1 i am not able to see Administration tab where i can select Create user.
    I am working on this issue for couple of days ,but not able to find the solution & have i missed some configurations ?
    Thank-You
    Rahul Shah

    Hi Rahul,
    I have tested your scenarion.. with below clause
    1) Created an organization -> Human Resource
    2) Created an Role -> HR_Admins
    3) Assigned HR_Admins roles as administrative role of Human Resource organization
    4) Created user1 with organization as Human Resource & Assigned HR_Admins role to this user. : default role All Users
    5) Created authorization policy for user management with following selections
    Permission -> Create User. :- *"Select ALL"*
    Data Constraints -> Selected "Users that are members of selected Organizations" & selected above Human Resource organization.
    Assignment -> HR_Admins role .
    In data constraints
    Organization Security Setting     Hierarchy Aware (include all Child Organizations)
    Now I am able to see the create user tab and, I can create user in Human Resource org only.
    If it doesn't work for you. Just assign "REQUEST ADMINISTRATOR" IN AUTH POLICY. Test the result.
    Also what is your OIM version?
    Test it with fresh data like new role name, org and user,
    -kuldeep
    Edited by: Kuldeep on May 22, 2012 4:19 AM

  • Accessing the user management API programmatically

    I am looking for the officially supported method that could be used to access the user management API via "curl" for CRX:
    There is a user management API described here:
    http://sling.apache.org/site/managing-users-and-groups-jackrabbitusermanager.html
    However, executing a command on CRX 2.2 such as:
    curl -u:admin:admin http://localhost:7402/system/userManager/user.tidy.1.json
    Only returns a message indicating that the contents have been redirected (without providing another URL).
    Using the Content Explorer in CRX shows the list of users at: /home/users but I am not sure if a curl command could access the user list via that URL.
    Any pointers on how this could be done are appreciated.  This is for a partner.
    Regards,
    Blair

    I am a co-worker of MorrellJ.  I am trying to do a change password request using the Jackrabbit User Manager with the REST URL /system/userManager/user/<username>.changePassword.json.  The problem I am having is that this request requires an oldPwd form param in the request.  The issue is that when I am trying to do this request it is in response to the user selecting "Forgot Password" so our logic has created a random password which we then email to the user so they can use that the next time they want to login.  We need to change that user's password in CRX so they can log in using it next time.  Since they haven't logged in there is no session, NOT the problem.  THE PROBLEMS, I don't know 1. how to use the userManager to get that user's old password, since /system/userManager/user/<username>.json doesn't appear to return the password and 2. if I could get the old password it most certainly will be encoded, some how, so I will need some decoding algorithm to pass it through in order to get the actual password to set as the oldPwd form param to my change password request.  Please let me know if you require any further explanation.  Any assistance would be greatly appreciated.  Thank you, in advance, for your assistance.
    Sincerely,
    Mike Sucena
    [email protected]

  • OIM 9.1.0 with Database User Management: Connector Exception upon Connect

    Hi,
    I've been struggling with the Database User Management connector (9.0.4) with Sybase, following the steps word-for-word as per the documentation (Oracle® Identity Manager Connector Guide for Database User Manage Release 9.0.4; E10425-0; July 2009).
    When defining the IT Resource through the Install Connector wizard, I get the following when it does a connection test:
    14:51:52,795 ERROR [WEBAPP] Class/Method: CreateITResourceAction/testConnectivityForDataBase/ClassNotFoundException encounter some problems: No ClassLoaders found for: com.sybase.jdbc2.jdbc.SybDriver
    java.lang.ClassNotFoundException: No ClassLoaders found for: com.sybase.jdbc2.jdbc.SybDriver
    even though I've ensured jconn2.jar is in the ThirdParty directory, reflushed the cache, and restarted OIM; the connector still can't seem to load the driver.
    I've tried the database testing script with similar results.
    Any thoughts?
    Cheers
    Simon
    PS: I believe v5.5 of JConnect (as required by the OIM Connector) has been EOL'd and Sybase. They recommend you use v6.0 (v6 is jconn3.jar)), which from what I can see should work as com.sybase.jdbc3.jdbc.SybDriver; I tried that as well but had the same ClassNotFoundException.

    I've fixed it; needed to copy jconn2.jar into the $JBOSS_HOME/lib directory and restart the server.

  • Problem connection in OIM 9.1 with SAP user managment

    Hi!
    When I want to provision a sap user management resource to an user, it appeared this problem.
    2008-07-30 14:50:52,587 INFO [XL_INTG.SAPUSERMANAGEMENT] Create User Request
    2008-07-30 14:50:52,587 INFO [XL_INTG.SAPUSERMANAGEMENT] userId :PRUEBA4803, userGroup:AUDITOR_ARG,lastName:prueba4803,firstName:prueba4803,userTitle:0003,langComm:S,department:,langLogIn:,timeZone:,telephone:,extension:,Fax:,email:,dateFormat:1,decimalNotation:Y,function:,roomNo:,floor:,building:,code:,commType:,alias:,startMenu:000,userType:A,sapUserId:,empId:PRUEBA4803,fromHRMS:
    2008-07-30 14:50:52,587 INFO [XL_INTG.SAPUSERMANAGEMENT] SAP Create Connection Request
    2008-07-30 14:50:52,587 INFO [XL_INTG.SAPUSERMANAGEMENT] Inside XLSAPUTILITIES
    2008-07-30 14:50:52,587 INFO [XL_INTG.SAPUSERMANAGEMENT] SAP Create Connection Requesting****
    2008-07-30 14:50:52,587 INFO [XL_INTG.SAPUSERMANAGEMENT] START SAP Connection creation.
    It is strange because it was working all right since 3 months ago and in these 2 last weeks, it is frequently this problem. Sometimes it works sometimes it does not.
    Of course, I tried the connection between OIM and SAP, with the SAP login, and the connection is all OK.
    My oim vertion is 9.1 and the SAP User Management connector is 9.0.4.1.
    Did anybody have this problem before?
    Bye!

    Oh I forget, when I restart the application server, in my case the jboss, the problem is fixed. Strange...

  • Sap UM connector 9.1.2 trouble with "SAP User Management User Recon" task

    Hello All,
    i have a problem with Sap UM Connector version 9.1.2.
    OIM version 11.1.1.5
    Windows 2008 R2
    Problem is:
    Then accounts in Sap are created through direct provisioning feature of connector everything works ok (subsequent update or delete an account).
    But if a user account is created in Sap using Sap GUI, scheduled task "SAP User Management User Recon" of connector doesn't create reconciliation event to link user.
    Sometimes it does though, but for one user account created using Sap GUI in OIM created two reconciliation events, so corrsponding user in oim have two records for resource SAP.
    In this reconciliation events, one have full set of attributes (Login, First Name, Last Name, E Mail, etc), another one - just these 3 attributes: IT Resource, User ID, Lock.
    "SAP User Management Delete Recon" scheduled task works ok then user account has been deleted using Sap Gui.
    How one can troubleshoot such behavior?
    Can anyone advise please?

    resolved the issue by updating sap um connector to version 9.1.2.5

  • Problem with user management

    Hi,
    hope someone helps me...
    got an application with the Shema LBACSYS ...with this shema i got access with the user htmldb_public_user.
    now i want to create a user (with the user management page from the sample application)
    Creating the user works....i see the user in my database in my users table but i cant login with created username and password.
    further i cant change the password of htmldb_public_user at the user management page ...dunno why ...
    the standard login page ...where does it the data get from ? (username and password or user id) ..i cant find any table or any validation or process like this....
    greetings timo

    Timo,
    All users of your application will use a database session created by the APEX_PUBLIC_USER (or maybe HTMLDB_PUBLIC_USER) database user. Then all code (SQL+PL/SQL) in your application gets parsed as the application's parsing schema, whatever you set that to be. If you have your users authenticate (login) you can create authorization schemes to control which users can do what in the application. Please read the doc and search this forum for "authorization". Also you might find this useful: Re: Priveleges to create procedures/functions in schemas
    Scott

  • I need user management system in PHP recommendations to work with Flex client side

    Hi All,
    I have a very big project that involves PHP server side (That i have to develop) and Flex client side. I was wondering it there is a ready made PHP user management system that i can use to provide me:
    - user login/logout
    - forgot my password functionality
    - register (better with captcha)
    Does someone can recommend this kind of php system?

    Hi, guys
    Free and open source PHP User Management Scripts. These scripts  provide a solution of creating a membership system of a website.
    Some PHP user management scripts listed on PHPKode.com. which you can choose the right php user management to meet your demands!
    Hopefully can help you!
    Best regards!
    Anny

  • Getting Login error while working with User Management

    Hi,
    I am new to EBS and learning to work with 'User Management'.
    I have EBS 11i installed on XP.
    I face following error message when try to open any screen in 'User Management' responsibility...
    *'This type of function cant be performed without logging into E-Business Suite Home Page'....*
    This error is strange for me because i login with SYSADMIN and then choose 'User Management' responsibility.
    Thanks in advance for any helpful hint.
    Regards,
    Sohail.

    Hi,
    I face following error message when try to open any screen in 'User Management' responsibility...
    *'This type of function cant be performed without logging into E-Business Suite Home Page'....*Please mention the navigation path to reproduce the issue.
    Also, please check Apache log files for any errors.
    This error is strange for me because i login with SYSADMIN and then choose 'User Management' responsibility.Please see (How to to Define an Application User That Has All The Priviledges in User Management Responsibility options As SYSADMIN User [ID 378262.1]).
    Thanks,
    Hussein

  • Manage user certificates with UE-V?

    Is it possible to manage user certificates with UE-V?  I wish to store/manage Personal Certificates with UE-V but can't seem to find information about how to achieve this.  Are Roaming Profiles still needed to have user certificates follow users
    or can this be hacked into UE-V.  I tried to create a template which handles the HKCU and User AppData paths which store Certificates but have not been able to get this to work.
    Windows 7/Windows 8 Server 2008R2/Server2012
    Any insight would be appreciated.
    Thanks,
    Mark Ringo

    Hi Mark
    Certificates are currently not supported with UE-V 1.0 / 1.0 SP1. Just saving HKCU keys and the RSA / System Certificate files in APPDATA does not work any more since Windows Vista. You have to use a logon / logoff script which does the trick via Microsoft
    CryptoAPI (Export / Import).
    I have included exampled with Powershell below.
    Cheers
    Michael
    ExportCert.ps1
    # Scriptname: ExportCert.ps1
    # Author: Michael Rüefli
    # Purpose: Export certificates local certificate store (Machine or User) to a PKCS12 file format
    # Version: 1.0.1
    # Fixed Issues / Changes:
    # V 1.0.1 / Fixed Export where no filter has been specified. Changed the autogenerated password strenght
    function ConvertToSid([STRING]$NtAccount)
    $result = (New-Object system.security.principal.NtAccount($NTaccount)).translate([system.security.principal.securityidentifier])
    return $result.value
    #Get the Arguments
    $exportpath = $args[0]
    $certstore = $args[1]
    $issuer_filter = $args[2]
    #Check the Args
    If ($args.count -lt 2)
    Write-host "Too less arguments! Usage: ExportCert.ps1 <exportpath> <certstore> [<filter> optional>" -ForegroundColor red
    write-host "Example: Powershell.exe ExportCert.ps1 H:\Certs CurrentUser DC=LOC" -ForegroundColor blue
    exit
    #Error Handler
    Trap [Exception]{continue}
    #Check Exportpath, if not there create it
    If ((Test-Path -Path $exportpath) -ne $True)
    New-Item -Path $exportpath -ItemType Directory
    #Get certificates in store
    If ($issuer_filter)
    $HKCUCerts = (dir cert:\$certstore\My | ? { $_.Issuer -notmatch $issuer_filter})
    Else
    $HKCUCerts = (dir cert:\$certstore\My)
    #process each certificate
    Foreach ($cert in $HKCUCerts)
    $friendlyname = $cert.FriendlyName
    $type = [System.Security.Cryptography.X509Certificates.X509ContentType]::pfx
    $username = $env:USERNAME
    $sid = ConvertToSid $username
    $pass = 'Letmein$$Cert2012'
    $pass_secure = ConvertTo-SecureString -AsPlainText $pass -Force
    $bytes = $cert.export($type, $pass)
    [System.IO.File]::WriteAllBytes("$exportpath\$friendlyname.pfx", $bytes)
    ImportCert.ps1
    # Scriptname: ImportCert.ps1
    # Author: Michael Rüefli
    # Purpose: Import PKCS12 certificates from a file share into local certificate store (Machine or User)
    # Version: 1.0
    # Fixed Issues / Changes:
    # V 1.0.1 / Changed the autogenerated password strenght
    function ConvertToSid([STRING]$NtAccount)
    $result = (New-Object system.security.principal.NtAccount($NTaccount)).translate([system.security.principal.securityidentifier])
    return $result.value
    #Get the Arguments
    $importpath = $args[0]
    $certstore = $args[1]
    #Check the Args
    If ($args.count -lt 2)
    write-host "Too less arguments! Usage: ImportCert.ps1 <importpath> <certstore>" -ForegroundColor red
    write-host "Example: Powershell.exe ImportCert.ps1 H:\Certs CurrentUser" -ForegroundColor blue
    exit
    #Error Handler
    Trap [Exception]{continue}
    function Import-PfxCertificate
    param([String]$certPath,[String]$certRootStore,[String]$certStore,$pfxPass = $null,[String]$KeySet)
    #Error Handler
    Trap [Exception]{continue}
    if ($args[0] -eq "-h")
    Write-Host "usage: Import-509Certificate <Filename>,<certstore>,<cert root>,<keyset> `n `
    Valid certstores: LocalMachine,CurrentUser `n `
    Valid cert root: My,AuthRoot,TrustedPublisher `n `
    Valid Keysets: MachineKeySet,UserKeySet"
    break
    write-host "Importing Certificate: $certPath"
    $pfx = new-object System.Security.Cryptography.X509Certificates.X509Certificate2
    if ($pfxPass -eq $null) {$pfxPass = read-host "Enter the pfx password" -assecurestring}
    $pfx.import($certPath,$pfxPass,"MachineKeySet,Exportable,PersistKeySet")
    $store = new-object System.Security.Cryptography.X509Certificates.X509Store($certStore,$certRootStore)
    $store.open("MaxAllowed")
    $store.add($pfx)
    $store.close()
    $username = $env:USERNAME
    $certs = Get-ChildItem $importpath -Filter "*.pfx"
    Foreach ($item in $certs)
    $item
    $friendlypath = $item.FullName
    $friendlyname = ($item.Name).replace(".pfx","")
    $sid = ConvertToSid $username
    "$friendlyname-$username"
    $pass = 'Letmein$$Cert2012'
    $pass_secure = ConvertTo-SecureString -AsPlainText $pass -Force
    Import-PfxCertificate "$friendlypath" "$certstore" "My" $pass_secure

  • Recovery in R12 with user managed cold backups

    We have R12.1.1 ( db 11.1.0.7 ) on RHEL 5.3 ( ALL SET UP 64 bit ).
    we have user managed cold backup scheduled with tar -czvf command.
    Archiving is enabled. Production server is 2 nodes ( Apps + DB ) .
    Suppose we have backup on hard disk and our Production server ( db is crashed ).
    we will prepare new server copy the backup from Hard disk to new server and run adcfgclone.pl scripts.
    What else do we need to do on this new server to go live ?
    Please reply

    Hi;
    We have R12.1.1 ( db 11.1.0.7 ) on RHEL 5.3 ( ALL SET UP 64 bit ).
    we have user managed cold backup scheduled with tar -czvf command.
    Archiving is enabled. Production server is 2 nodes ( Apps + DB ) .
    Suppose we have backup on hard disk and our Production server ( db is crashed ).
    we will prepare new server copy the backup from Hard disk to new server and run adcfgclone.pl scripts.
    What else do we need to do on this new server to go live ?1. If you run preclone sh before take cold backup than you can go wiht clone process
    2. If you dont run than you can create same user, same mount point on new server and try to relink oracle binary(I assume you have also ORACLE_HOME backup) and try to make up your system
    Regard
    Helios

Maybe you are looking for

  • Satellite A505-S6973 - No sound of my laptop speakers

    I own an A505-S6973 and today i lost volume on my speakers. When i jack in my headphones i get sound but without the headphones plugged in, I get no sound of my laptop speakers. I checked device manager for software problems but everything is cleared

  • How do i copy contacts from one apple id to another?

    how do I copy contacts from one apple id to another?

  • X-FI XtremeMusic + z5500

    X-FI XtremeMusic + z5500@ Hi there, I'm just curious if theres a lot of human beings who are using this system and if so, how your configurated it for the best possible thrill? Myself uses this setup and I'm pleased. Im on Windows 7 32x with 2gb of R

  • Fresh install leaves locked folder at top level (Mac OS X Install Data)

    I jsut did a fresh install.  wanted to use my SL DVD but the MBP i5 refused to star with it so I used the original DVD (10.5) and upgraded with the SL DVD to 10.6.  However after the initial SL Installation, it tried from the SL DVD and this failed. 

  • Hyperlinks broken on iPad

    I have added some hyperlinks to bookmarks and some to figures in my book and they work fine on my iMac but when I preview the book on my iPad they don't work at all. Any advice??