User records auto provisioning problem!

My problem is:
I configured an access policy and a group. When a user is created, the record is to be provisioned to OID, and the record state is pre-provision.
I can let it go through by manually clicking. How can I let it do this automatically without human operation?
Thanks!

What do you mean by pre-provision?
I think it is stuck in System Validation.
Have you checked Auto Save on the Process Defn of this resource? If not, then check that and try provisioning again.

Similar Messages

  • Auto provisioning users and send email notification to the users

    I currently have CUCM 10.5 set up to auto register phones and I use Cisco Prime Provisioning 10.5 to auto provision the users.
    Self provisioning is set up and users can call the IVR number and enter the self service ID, which is their DN.
    What I would like to do is send an email notifying the end user of their setup and how to use their telephony device. Example: (Self-service ID: 8888, auth code: 3333). Is this possible from Prime Provisioning or CUCM?

    Thanks Jamie
    Wishful thinking I guess. It would have been seamless if they added that form of email notification to end users when auto provisioning. Anyway, to get around that I used MS Word mail merge and used the same spreadsheet I used to batch provision the users to send the Self-service ID to the email contacts.

  • OIM - OID (11g) auto-provision thru ldap sync

    Hi,
    I have configured ldap sync. I have following questions
    1. We have created custom attributes in OID and referred to a custom object class. Now when I try to create a user in OIM, the user is auto-provisioned to OID. But the custom attributes in OIM are not getting provisioned to OID (unable to see the custom attributes in the user object of OID, unless we refer manually to the custom object class). Can anyone let me know how to auto-provision the custom attributes into OID?
    2. When a user is auto-provisioned to OID, it is not showing any resource profile details of OID in OIM. Is it the expected behavior? But create, update, delete are happening as expected.
    Please let me know if anyone knows the solution.

    Hi,
    Were you able to achieve this? I have a similar requirement where I have added 5 custom attributes in both OIM and OID; when I create the users, these attributes do not get updated on OID. Should I add these UDFs in any objectclass which OIM understands? Please suggest.
    Thanks in advance

  • EBusiness Suite User "Auto-provisioning" and  "Self-Request" Problem

    I have two types of OIM User, Staff and Contingent
    Staff (Role = Full-Time)
    Contingent (Role = Contractor / Role = Consultant)
    Resource Object: eBusiness Suite User
    Here's my RO configuration:
    Auto Pre-populate: true
    Allow Multiple: true
    Self Request Allowed: true
    Allow All: true
    Auto-Launch: true
    EBS Connector, by default has two forms:
    UD_EBS_UO: Object Form
    UD_EBS_USER: Process Form
    I have requirement which will auto-provision eBusiness Suite User resource to Staff users.
    Originally, UD_EBS_OU is the table name used by the RO. For auto-provisioning to work, I have implemented it this way:
    First, I have defined a User Group for Staff and assign an Access Policy to it (for users with Role == Full-Time).
    Then, I have detached Object Form UD_EBS_UO from the RO. This way, when Staff user is created in OIM, it is automatically provisioned with eBusiness Suite User, though it won't have a Resource Form, only a Process Form. Process Form fields are automatically pre-populated with values (via my Pre-populate adapters).
    Now my problem is during Self-Request. Contingent user doesn't get auto-provisioned with EBS RO, but he can self-request for it. Problem is, since I detached the Object Form from the RO, user is not seeing any form during request. And I have a requirement that approver of the request should also be able to view/modify the details of the request form. But that is not possible now that Object Form does not exist for this RO.
    Is it possible that Self-Request and Auto-Provisioning work both ways under the same Resource Object? How do I configure that? Appreciate your quick response and help. :)
    Edited by: user10202544 on Feb 10, 2010 3:27 AM

    Yes I have set permissions to all users for the Object Form.
    It is required for me to have both Self Request and Auto-provisioning work for eBusiness Suite RO.
    During approval, however, the approver needs to see the Object Form (where he can view/modify its values before approving it). That's impossible for me since I detached the Object Form from the Resource Object. I need to do this for auto-provisioning to work.
    It seems that it doesn't work both ways. Any other suggestions?

  • CUP Provisions user to SAP successfully but gives "Auto-Provisioning" error

    Hi All,
    I'm getting an "auto-provisioning" error in CUP when a "Change Account" workflow is approved. The strange thing is, CUP does successfully provision the change to the SAP backend. Yet, the "New Account" provisions successfully without the error.
    Here is an example of the audit trail log from Change Account:
    Request submitted for approval by Dylan Hack(HACKDY) on 06/28/2010 17:14 
    Approved By Dylan Hack(HACKDY) Path AE_AUTO_APPROV_ERROR and Stage AE_AUTOPROV_ERR on 06/28/2010 17:14 
       Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
       Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
       Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
       Approved FI_xxxxx-DEV role for Add action with validity dates 06/28/2010-12/31/9999
    Auto provisioned for request on 06/28/2010 17:14 
       User Provisioning failed for System(s) : DEV. Error Message :
       Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
       Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
       Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
       Role: FI_xxxxx assigned to user: testngin in System(s): DEV.
    Request submitted for reroute by system on 06/28/2010 17:14 due to auto provisioning failure 
       Rerouted in the Path : AE_AUTO_APPROV_ERROR and Stage : AE_AUTOPROV_ERR to Path : AE_AUTO_APPROV_ERROR and Stage : AE_AUTOPROV_ERR
    Note: the role names were replaced with "xxxxxxx."
    The system log gives an error, but it is very vague:
    2010-06-28 17:14:34,682 [SAPEngine_Application_Thread[impl:3]_33] ERROR com.virsa.ae.service.ServiceException
    com.virsa.ae.service.ServiceException
         at com.virsa.ae.service.sap.SAPProvisionDAO.intializeWithChangeUserInputParameters(SAPProvisionDAO.java:762)
         at com.virsa.ae.service.sap.SAPProvisionDAO.changeUser(SAPProvisionDAO.java:3457)
         at com.virsa.ae.service.sap.SAPProvisionDAO.changeUser(SAPProvisionDAO.java:3419)
    Any ideas or suggestions?
    Current software level AC5.3 SP12.
    -Dylan

    Hello Varun,
    Thanks for the thought on this. We don't use User Defaults for Change Account, but do for New Account. Your question prompted me to do more testing with very interesting results.
    Results
    New Account with User Defaults configured:
    User provisioned successfully, no Auto-Provision error, Defaults NOT provisioned.
    New Account without User Defaults configured:
    User provisioned successfully, no Auto-Provision error.
    Change Account with User Defaults configured:
    User provisioned successfully, no Auto-Provision error, Defaults NOT provisioned.
    Change Account without User Defaults configured:
    User provisioned successfully, Auto-Provision ERROR, Defaults NOT provisioned.
    In both New and Change Account, the configured User Defaults are NOT provisioned even though the user is provisioned. AC5.3 is on SP12, the RTA is VIRSANH SP12 and VIRSAHR SP10.
    For the Change Account, the user is always provisioned regardless of User Defaults; however, when no User Default is configured, the Auto-Provisioning error occurs. The User Defaults NOT provisioning is a real problem, the CUP error message, I can work around for now.
    What about on your side? Am I the only guy using SP12 here?

  • EBusiness Suite User "Auto-provisioning" with Object Form

    eBusiness Suite User RO has two forms, 1 Object Form and 1 Process Form
    I want to configure access policies to auto-provision EBS RO to OIM users (particularly Staff/Full-time users).
    On the Resource Object configuration, I checked Auto-Save. This enables my Object Form to be automatically saved during auto-provisioning. I have pre-populate adapters attached to my Object form, such that during auto-provisioning the fields are pre-populated based from a user's profile in OIM.
    However, my problem is, my pre-populate adapters always get xelsysadm attributes and not the user's (whom the request is being created for).
    You may ask why I needed the Object Form? I could have just discarded my object form from the Resource Object, and directly populated values in the Process Form.
    However, I have a business requirement that eBusiness Suite User can also be self-requested for certain users (contractor, contingent) which are not part of the auto-provisioning/access policy. This is why I still needed my Object Form.
    Is there a way that auto-provisioning and self-requests work both ways under one Resource Object?

    Well that's something crucial with OIM request model. AFAIK in such cases the information for requester is populated and since invocation of access policy is through sysadmin so the information of XELSYSADM is populated.
    Rather what I would suggest is that attach these pre-populate adapters to the process form and skip flow of the data from Object->Process form. So your request model remains intact and the information you want to pre-populate is also done. Hope this should work and is viable for you.
    Thanks
    Sunny

  • CUP Auto Provisioning Error 260: User Comparison

    I am in the process of configuring the CUP 5.3 module within our ECC and SRM environments.  I believe the path and associated stages are established properly.  I have tested the auto provisioning functionality within both SRM and ECC.  As it relates to SRM, the auto provisioning functionality works without a hitch.  However, when I attempt to auto provision a user into our ECC environment, I receive the following error:
    Auto provisioned for request on 04/07/2010 13:41 
       New User: T00522 created on 04/07/2010 13:42 in System(s): DR4-300.
       User attributes changed for User : T00522 in System(s) :DR4-300.
       Role Provisioning failed for System(s) : DR4-300. Error Message : 260:User master comparison incomplete; see long text
    Speaking with our security team, the only time they have seen this issue was when they attempted to map a user, using PFCG, to a role.  However, I informed them that CUP uses SU01.  They have not experienced such an issue using SU01 and clicking on the user comparison button.
    Interesting point:  The user record is created and roles assigned to the user, but they have a red light indicator by the role within SU01.  However, when the next day rolls around the role has been changed to a green light, profile assigned and everything is looking good.  Unfortunately, CUP can't seem to register this, and when the Role Owner attempts to approve the role / user request again, the same error occurs. Until I can get around this error, the workflow is not closed out nor is the requester notified.
    Questions:
    (1)  How can I fix this issue, I assume it will require a security change to be made within the ECC environment?
    (2)  If this issue can't be fixed, can I get around this issue with a detour or other CUP error processing step?

    Denoted below is the log that corresponds to the 260 comparison error.  Does anyone know what access I am missing within the UME?  I have tested this provisioning process, manually, and do not run into a Comparison error within the SU01 screens:
    2010-04-27 13:44:54,748 [SAPEngine_Application_Thread[impl:3]_31] ERROR com.virsa.ae.service.ServiceException: 260:User master comparison incomplete; see long text
    com.virsa.ae.service.ServiceException: 260:User master comparison incomplete; see long text
         at com.virsa.ae.service.sap.SAPProvisionDAO.executeRoleOperation(SAPProvisionDAO.java:1706)
         at com.virsa.ae.service.sap.SAPProvisionDAO.assignRoles(SAPProvisionDAO.java:1458)
         at com.virsa.ae.service.sap.ProvisionSAPUserDAO.provisionInNonCUA(ProvisionSAPUserDAO.java:1232)
         at com.virsa.ae.service.sap.ProvisionSAPUserDAO.provisionRole(ProvisionSAPUserDAO.java:932)
         at com.virsa.ae.service.sap.ProvisionSAPUserDAO.provisionUser(ProvisionSAPUserDAO.java:118)
         at com.virsa.ae.accessrequests.bo.ProvisioningBO.autoProvision(ProvisioningBO.java:216)
         at com.virsa.ae.accessrequests.bo.RequestBO.autoProvisioningForApprove(RequestBO.java:4572)
         at com.virsa.ae.accessrequests.bo.RequestBO.callAEExitService(RequestBO.java:5565)
         at com.virsa.ae.accessrequests.bo.RequestBO.callExitService(RequestBO.java:5339)
         at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:5191)
         at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:4984)
         at com.virsa.ae.accessrequests.actions.RequestViewAction.confirmRequestApproval(RequestViewAction.java:941)
         at com.virsa.ae.accessrequests.actions.RequestViewAction.execute(RequestViewAction.java:103)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:271)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(AccessController.java:219)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    2010-04-27 13:44:54,927 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.accessrequests.bo.RequestAuditHelper : logMajorAction() :   : intHstId : 3068
    2010-04-27 13:44:54,972 [SAPEngine_Application_Thread[impl:3]_31] ERROR no dtos exist which are in the same state as the passing dto
    com.virsa.ae.core.ObjectNotFoundException: no dtos exist which are in the same state as the passing dto
         at com.virsa.ae.workflow.bo.WorkFlowBOHelper.getIfUnapprovedPathExists(WorkFlowBOHelper.java:2662)
         at com.virsa.ae.workflow.bo.WorkFlowBOHelper.handleWFForNewPathStage(WorkFlowBOHelper.java:2516)
         at com.virsa.ae.workflow.bo.WorkFlowRequestRerouteHelper.rerouteRequest(WorkFlowRequestRerouteHelper.java:68)
         at com.virsa.ae.workflow.bo.WorkFlowBO.rerouteRequest(WorkFlowBO.java:614)
         at com.virsa.ae.accessrequests.bo.RequestBO.rerouteRequestForAutoProvisioningFailure(RequestBO.java:6897)
         at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:5239)
         at com.virsa.ae.accessrequests.bo.RequestBO.approveRequest(RequestBO.java:4984)
         at com.virsa.ae.accessrequests.actions.RequestViewAction.confirmRequestApproval(RequestViewAction.java:941)
         at com.virsa.ae.accessrequests.actions.RequestViewAction.execute(RequestViewAction.java:103)
         at com.virsa.ae.commons.utils.framework.NavigationEngine.execute(NavigationEngine.java:271)
         at com.virsa.ae.commons.utils.framework.servlet.AEFrameworkServlet.service(AEFrameworkServlet.java:431)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:401)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:266)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:386)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:364)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:1039)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:265)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:95)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:175)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(AccessController.java:219)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:102)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:172)
    2010-04-27 13:44:55,394 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.accessrequests.actions.RequestViewAction : confirmRequestApproval() :   : setting context to true, ending context
    2010-04-27 13:44:55,414 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.dao.sqlj.RequestDataForwardDAO : findTransactions() :   : sbQuery : SELECT REQNO, REQPATHID, STAGE_NAME, FWDED_BY, APRVRID, ITERATION, FORWARD_TYPE, STATUS FROM VIRSA_AE_RQD_WPFWD WHERE REQNO = ?
    2010-04-27 13:44:55,486 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.dao.sqlj.SAPConnectorDAO : findAllActiveSAPConnectors :   :  going to return no of records= 3
    2010-04-27 13:44:55,495 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.dao.sqlj.OracleAppsConnectorDAO : findAllActiveORACLEConnectors :   :  going to return ImmutableList(empty)
    2010-04-27 13:44:55,498 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.dao.sqlj.PACSConnectorDAO : findAllActivePACSConnectors :   :  going to return ImmutableList(empty)
    2010-04-27 13:44:55,502 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.dao.sqlj.WSConnectorDAO : findAllActive :   :  going to return ImmutableList(empty)
    2010-04-27 13:44:55,505 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.dao.sqlj.ApplicationDAO : findAllForContext :   :  going to return ImmutableList(empty)
    2010-04-27 13:44:55,532 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.dao.sqlj.RequestDataSODConflictDAO : findAllForContext(SqljContext ctx)  :   :  going to return ImmutableList(empty)
    2010-04-27 13:44:55,535 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.dao.sqlj.RequestDataSODConflictDAO : findAllForContext(SqljContext ctx)  :   :  going to return ImmutableList(empty)
    2010-04-27 13:44:55,540 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.dao.sqlj.RequestDataMitigationDAO : findAllForContext(SqljContext ctx)  :   :  going to return ImmutableList(empty)
    2010-04-27 13:44:55,579 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.accessrequests.actions.RequestViewAction : pageLoad() :   : INTO the method
    2010-04-27 13:44:55,580 [SAPEngine_Application_Thread[impl:3]_31] INFO  com.virsa.ae.accessrequests.actions.RequestViewAction : pageLoad() :   : request number : 154
    2010-04-27 13:45:14,055 [SAPEngine_Application_Thread[impl:3]_18] INFO  com.virsa.ae.dao.sqlj.RequestTypeDAO : findAll :   :  going to return no of records= 20

  • User provisioning problem from OIM 10g to Siebel CRM

    Hi Team,
    I am facing a user provisioning problem from OIM 10g to Siebel CRM. Please find the log details.
    Running Get Attribute Mapping
    Running Siebel Create User
    <com.siebel.common.common.CSSException>
    <Error><ErrorCode>8716601</ErrorCode> <ErrMsg>Socket had incorrect word size: 0.(SBL-JCA-00313)</ErrMsg></Error>
    </com.siebel.common.common.CSSException>
            at com.siebel.om.conmgr.Connection.readPacket(Connection.java:550)
            at com.siebel.om.conmgr.Connection.run(Connection.java:286)
            at java.lang.Thread.run(Thread.java:619)
    [CMGR FATAL] Error: <com.siebel.common.common.CSSException>
    <Error><ErrorCode>8716601</ErrorCode> <ErrMsg>Socket had incorrect word size: 0.(SBL-JCA-00313)</ErrMsg></Error>
    </com.siebel.common.common.CSSException> connection:1
    <com.siebel.common.common.CSSException>
    <Error><ErrorCode>8716601</ErrorCode> <ErrMsg>Socket had incorrect word size: 0.(SBL-JCA-00313)</ErrMsg></Error>
    </com.siebel.common.common.CSSException>
            at com.siebel.om.conmgr.Connection.readPacket(Connection.java:550)
            at com.siebel.om.conmgr.Connection.run(Connection.java:286)
            at java.lang.Thread.run(Thread.java:619)
    [CMGR FATAL] Error: <com.siebel.common.common.CSSException>
    <Error><ErrorCode>8716601</ErrorCode> <ErrMsg>Socket had incorrect word size: 0.(SBL-JCA-00313)</ErrMsg></Error>
    </com.siebel.common.common.CSSException> connection:1
    ERROR,22 Aug 2013 12:58:27,689,[XL_INTG.SIEBEL],====================================================
    ERROR,22 Aug 2013 12:58:27,689,[XL_INTG.SIEBEL],com.thortech.xl.integration.siebel.utils.SiebelConnection : createSiebelConnection() :  Siebel Connection Exception:Could not open a session in 4 attempts. {1}(SBL-JCA-00200)
    ERROR,22 Aug 2013 12:58:27,689,[XL_INTG.SIEBEL],====================================================
    ERROR,22 Aug 2013 12:58:27,689,[XL_INTG.SIEBEL],====================================================
    ERROR,22 Aug 2013 12:58:27,689,[XL_INTG.SIEBEL],com.thortech.xl.integration.siebel.proxy.SiebelProxyEmployeeProvisionManager : createSiebelConnection() : BaseException: Siebel Connection JDB Exception: Could not open a session in 4 attempts. {1}(SBL-JCA-00200)
    ERROR,22 Aug 2013 12:58:27,689,[XL_INTG.SIEBEL],====================================================
    ERROR,22 Aug 2013 12:58:27,689,[XL_INTG.SIEBEL],====================================================
    ERROR,22 Aug 2013 12:58:27,689,[XL_INTG.SIEBEL],com.thortech.xl.integration.siebel.provision.SiebelUtilEmployeeProvisionManager : createEmployee() : BaseException: Siebel Connection JDB Exception: Could not open a session in 4 attempts. {1}(SBL-JCA-00200)
    ERROR,22 Aug 2013 12:58:27,689,[XL_INTG.SIEBEL],====================================================
    Regards,
    Ravi.

    Hi
    I am facing the same error message as yours, using OIM 11g R2.
    Are you able to solve it?
    Please share
    Many Thanks !!!

  • Auto-provisioning new users with GRC 10.1

    There is some lack of clarity at my client on auto-provisioning new users into SAP systems with GRC 10.  Here's what they want and I'm telling them they need SAP IdM.
    The client will regularly have upwards of 500 new users on an on-going basis.  These users are approved and created in Active Directory.  The client believes that GRC 10 can now pick up these new users from Active Directory and then go ahead and provision them into ECC and CRM automatically, as soon as they're created, with no further approval required.
    To the best of my knowledge, the easiest way to do this would be for IdM to do this, and have IdM trigger GRC for certain users, and to provision users who fall into this group of 500 users.
    These users are different from regular users, who need to go through the approval workflows.  Regular users will have managers and roles that need approval.  These 500 or so users are approved to be created in the system and don't need to get caught up in the approval workflow.
    Am I wrong in saying that IdM 7.2 is the best way to do this, or am I missing something about what GRC 10 can do?
    Thanks for your help.  I really appreciate it.

    Hi Santosh,
    In AC 10.1, I created one brf plus initiator rule. Although I saved it in the GRAC_ACCESS_REQUEST package, the Transport button is not available (not greyed).
    Did you face this issue? How do I get this change into a transport?
    PS: Applications are activated.
    Thanks,
    Mamoon

  • Group Membership in User Record

    Problem
    I am trying to figure out how to add a field for users that lists the groups the user belongs to.
    This is for a firewall login situation that expects the AD memberOf attribute for a user.
    I would like the field to auto update when a user is added or removed from a group, but I don't think this is possible.
    Current Method
    I am currently trying to modify the apple schema, but am having difficulty because most examples are for an offline or new system. One method that almost worked wiped the entire /etc/openldap/slapd.d/ directory and then did slaptest -v -d 68 -f /etc/openldap/slapd.conf -F /etc/openldap. I tried this, and ldap loses all the stored data (I saved a copy first).
    I also tried to edit the apple schema ldiff file directly. I added member to the apple-user MAY ( ... $ member ) section, but that did not give me an allowable field in Work Group Manager under the User tab. This didn't exactly work either, although I did see the addition in the inspector schema{7}. This was rather exciting, but it didn't enable the member field. Member should be a posix attribute... but I could be totally confused at how the objects work.
    The end result needs to be a list of groups in a field like Member or memberOf for each user. I can enter the groups in by hand, but would rather not since apple should be able to do this for me (wink*).
    Various Commands
    - launchctl load /System/Library/LaunchDaemons/org.openldap.slapd.plist
    - slaptest -v -d 68 -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
    - /usr/libexec/slapd -d 99 2> ~/slapdump
    Questions
    - What is the best way to solve this problem in OSX?
    - How can I safely change a schema for the master with a master replica setup?
    - Can Work Group Manager update the schema without giving an error?
    - Once I have the field, how to keep it up to date with the groups?

    You are correct. Each resource has its own Revoke task.
    Consider this simple scenario for an individual resource:
    1. The user selects to Revoke the provisioned account.
    2. The Revoke process task de-provisions the resource.
    3. The Revoke process task resets the flag in the Xellerate User record.
    4. The Resource status is set to Revoked.
    5. The Access Policy Revoke calls the Undo Task for Create user, which is step 1. (This is where I believe the problem starts, since it is already Revoked)
    I would like to figure out how to create this process flow:
    1. The user selects to Revoke the provisioned account.
    2. The Revoke Process Task resets the flag in the Xellerate User record.
    3. The Access Policy Revoke calls the Undo Task for Create user (which would be a different Process Task than step 1).
    4. The AP Revoke Process task de-provisions the resource.
    5. The Resource Status is set to Revoked
    6. Process Complete

  • SP12: CUP: Error for requesttype "change" at auto-provisioning

    Hello,
    We have an error while auto-provisioning a change-request in CUP.
    The request stages can be approved correctly but after the last stage, the request is rerouted to administrator because of escape-route settings. (auto provisioning failures)
    So the audit trail reports an error at auto-provisioning, BUT in the backend-system the user was changed correctly.
    If we now want to approve the request on admin-stage, the error appears again. So we have a closed loop reaction.
    Any ideas?
    Does anybody have the same issue?
    Our client has the same problem with SP12 on the prod. system, but in the dev. system (also SP12) we can create the request well.
    Thanks,
    Alexa

    2010-10-15 13:45:54,456 [SAPEngine_Application_Thread[impl:3]_32] DEBUG  ProvisioningBO.java@1794:getProvisioningStatusDTO() : OUT of the method
    2010-10-15 13:45:54,458 [SAPEngine_Application_Thread[impl:3]_32] DEBUG  ProvisioningBO.java@1827:getProvisioningStatusDTO() : OUT of the method
    2010-10-15 13:45:54,458 [SAPEngine_Application_Thread[impl:3]_32] DEBUG com.virsa.ae.accessrequests.bo.ProvisioningBO : autoProvision() :   : listMessagesForSysType,list size=1
    2010-10-15 13:45:54,459 [SAPEngine_Application_Thread[impl:3]_32] DEBUG com.virsa.ae.accessrequests.bo.ProvisioningBO : autoProvision() :   : listMessagesForSysType #0# element:com.virsa.ae.configuration.po.ApplicationLogPO@31cf3f2[userId=GRC_20,emailId=<null>,reqNo=716,system=LS_DI6_300,recDate=10/15/2010,changedBy=AKOLB,logAction=USER CREATE,newValue=GRC_20,description=<null>,error=true,singleMessage=false]
    2010-10-15 13:45:54,461 [SAPEngine_Application_Thread[impl:3]_32] DEBUG  ProvisioningBO.java@248:autoProvision() :  Preparing Provision to SAP ... DONE
    2010-10-15 13:45:54,463 [SAPEngine_Application_Thread[impl:3]_32] DEBUG  ProvisioningBO.java@277:autoProvision() : OUT of the method
    2010-10-15 13:45:54,465 [SAPEngine_Application_Thread[impl:3]_32] WARN   RequestBO.java@5924:autoProvisioningForApprove() : Exception occured during auto provisioning , error messages : [com.virsa.ae.configuration.po.ApplicationLogPO@31cf3f2[userId=GRC_20,emailId=<null>,reqNo=716,system=LS_DI6_300,recDate=10/15/2010,changedBy=AKOLB,logAction=USER CREATE,newValue=GRC_20,description=<null>,error=true,singleMessage=false]]
    2010-10-15 13:45:54,469 [SAPEngine_Application_Thread[impl:3]_32] ERROR  RequestBO.java@6665:approveRequest() : AutoProvisioning Exception, checking if the escape route is enabled
    2010-10-15 13:45:54,478 [SAPEngine_Application_Thread[impl:3]_32] ERROR  RequestBO.java@6681:approveRequest() : AutoProvisioning Exception, escape route is enabled, going for the escape route
    2010-10-15 13:45:54,490 [SAPEngine_Application_Thread[impl:3]_32] DEBUG com.virsa.ae.accessrequests.bo.RequestBO : rerouteRequest() : AKOLB : INTO the method with toPathName : , poRequestDetails : com.virsa.ae.accessrequests.po.RequestDetailsPO@70e31b05[requestForOthers=false,userLookupEnabled=false,userIDFieldEnabled=false,userFirstNameFieldEnabled=false,userLastNameFieldEnabled=false,approverLookupEnabled=false,locationFieldEnabled=false,departmentFieldEnabled=false,emailFieldEnabled=false,telephoneFieldEnabled=false,companyFieldEnabled=false,employeeTypeFieldEnabled=false,managerTelephoneFieldEnabled=false,managerEmailFieldEnabled=false,managerNameFieldEnabled=false,requestorTelephoneFieldEnabled=false,requestorEmailFieldEnabled=false,requestorNameFieldEnabled=false,addRole=false,approveReject=,approveRejects=approveRejects,accessChanged=false,fileAttached=false,reqDataApplProvDTOs={com.virsa.ae.dao.dto.RequestDataApplicationProvisionDTO@46b5291a[reqNo=716,application=LS_DI6_300,provisionAction=ASSIGN_ROLES,userId=GRC_20,roleId=2,isProvisioned=true,isNew=false,LMD=<null>],com.virsa.ae.dao.dto.RequestDataApplicationProvisionDTO@1f9d8e3a[reqNo=716,application=LS_DI6_300,provisionAction=ASSIGN_ROLES,userId=GRC_20,roleId=3,isProvisioned=true,isNew=false,LMD=<null>],com.virsa.ae.dao.dto.RequestDataApplicationProvisionDTO@20e4920d[reqNo=716,application=LS_DI6_300,provisionAction=ASSIGN_ROLES,userId=GRC_20,roleId=4,isProvisioned=true,isNew=false,LMD=<null>]},accntValidationmsgs=[],connectionFailedSystems=,userExistSystems=,userNotExistSystems=,comm_method_type=,cstmFldName=,usersPOList=[com.virsa.ae.accessrequests.po.RequestUserPO
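
The mismatch the CUP threads above describe (the audit trail reports an auto-provisioning failure while the same trail shows the backend change going through) can be checked for mechanically. The following is an added example, not part of any post and not SAP code; the sample trails are constructed in the audit-trail wording quoted above, and the request IDs, user names, role names and function names are assumptions.

```python
"""Flag audit trails that report a provisioning failure although the same
trail records a backend change (added example, not SAP code)."""
import re
from dataclasses import dataclass, field

# Patterns follow the audit-trail wording quoted in the threads above.
FAILED = re.compile(
    r"(?:User|Role) Provisioning failed for System\(s\)\s*:\s*([^.\s]+)\.\s*"
    r"Error Message\s*:\s*(.*)")
ASSIGNED = re.compile(
    r"Role:\s*(\S+) assigned to user:\s*(\S+) in System\(s\)\s*:\s*([^.\s]+)\.")
CREATED = re.compile(
    r"New User:\s*(\S+) created on .+? in System\(s\)\s*:\s*([^.\s]+)\.")
REROUTED = re.compile(r"due to auto provisioning failure")

# Constructed sample trails; IDs, users and roles are made up.
SAMPLE_TRAILS = {
    "REQ-A": """
        Auto provisioned for request on 06/28/2010 17:14
           User Provisioning failed for System(s) : DEV. Error Message :
           Role: FI_ROLE_A assigned to user: testuser1 in System(s): DEV.
           Role: FI_ROLE_B assigned to user: testuser1 in System(s): DEV.
        Request submitted for reroute by system on 06/28/2010 17:14 due to auto provisioning failure
    """,
    "REQ-B": """
        Auto provisioned for request on 04/07/2010 13:41
           New User: T00001 created on 04/07/2010 13:42 in System(s): QAS-300.
           Role Provisioning failed for System(s) : QAS-300. Error Message : 260:User master comparison incomplete; see long text
    """,
    "REQ-C": """
        Auto provisioned for request on 06/29/2010 09:02
           Role: FI_ROLE_C assigned to user: testuser2 in System(s): DEV.
    """,
    "REQ-D": """
        Auto provisioned for request on 06/30/2010 10:00
           Role Provisioning failed for System(s) : DEV. Error Message : constructed error text
    """,
}


@dataclass
class TrailFinding:
    status: str = "ok"  # ok | failed | mismatch
    failed_systems: set = field(default_factory=set)
    backend_changes: list = field(default_factory=list)  # (kind, role, user, system)
    errors: list = field(default_factory=list)
    rerouted: bool = False


def classify_trail(text):
    """Classify one audit trail by comparing failure and success entries."""
    finding = TrailFinding()
    for raw in text.splitlines():
        line = raw.strip()
        if m := FAILED.search(line):
            finding.failed_systems.add(m.group(1))
            if m.group(2):  # the error text is sometimes empty
                finding.errors.append(m.group(2))
        elif m := ASSIGNED.search(line):
            finding.backend_changes.append(
                ("role", m.group(1), m.group(2), m.group(3)))
        elif m := CREATED.search(line):
            finding.backend_changes.append(
                ("user", None, m.group(1), m.group(2)))
        elif REROUTED.search(line):
            finding.rerouted = True
    if finding.failed_systems:
        changed = {change[3] for change in finding.backend_changes}
        # A failure on a system that also shows a change means the workflow
        # state and the backend state disagree and access must be reconciled.
        overlap = changed & finding.failed_systems
        finding.status = "mismatch" if overlap else "failed"
    return finding


def needs_reconciliation(trails):
    """Return the request IDs whose trail and backend state disagree."""
    return sorted(req for req, text in trails.items()
                  if classify_trail(text).status == "mismatch")


if __name__ == "__main__":
    for req, text in SAMPLE_TRAILS.items():
        f = classify_trail(text)
        print(req, f.status, sorted(f.failed_systems), f.backend_changes)
```

Requests flagged as `mismatch` are the ones where access already exists in the backend while the request is still open or rerouted, so they are the ones to compare against the target system before the request is approved again.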

  • Access Enforcer 5.2 - auto-provisioning error

    Hi all,
    I have come across a strange quirk in AE 5.2 that is causing my client some issues.  During UAT, a scenario was tested for a new user request with two roles with different role managers.  The results I obtained were as follows:
    1.  Role manager 1 rejects 1st role then role manager 2 approves 2nd role (in that order).  Expected result is that the user is created and the 2nd role is provisioned in the system.  Actual result was that user was created and 2nd role was provisioned in system.  PASS
    2.  Role manager 1 approves 1st role and then role manager 2 rejects 2nd role (in that order).  Expected result is that the user is created and the 1st role is provisioned in the system.  Actual result was that the request was closed and no auto provisioning was done.  FAIL
    For some reason, AE is only picking up the last approval/rejection when deciding whether to auto-provision or not.  So when the last role manager rejects their role that was requested, AE closes the entire request and does not provision other roles in the request even though they were already approved.  If the last role manager approves their role that was requested, AE will provision access according to the roles that were previously approved/rejected.
    This does not occur for multiple roles that have the same role manager, as they are able to reject some roles and approve others without any problems with the provisioning.  Config is set up so that the role manager stage approvals are at the role level, and approval type is "all approvers".  We have also configured auto-provisioning type as "Auto provision at end of request" and provision effective immediately as "Yes".
    Any ideas what is going on?
    Thanks,
    Alexi

    Hi all,
    I've tried to resolve this issue by changing the configuration, however this has not resolved it.  I've attached the audit log of two requests for the same roles, only difference is the order of the role approvals.  In request 226, the first role manager approved their role and the second role manager rejected their role and AE did not auto-provision the approved role (the whole request appears to be rejected). 
    Request 226 Submitted by Alexi Tsafos(k01232) on 07/30/2008 15:44 
       YBC:ROLE_921-QAS Role Added
       YBC:ROLE_922-QAS Role Added
       ZU:COMMON-QAS Default Role Added By system
       Request submitted for approval by Alexi Tsafos(K01232) on 07/30/2008 15:44 
      Approved By Alexi Tsafos(K01232) Path ERP_NEW and Stage LINE_MANAGER on 07/30/2008 15:44 
       ZU:COMMON-QAS Role Approved
       YBC:ROLE_921-QAS Role Approved
       YBC:ROLE_922-QAS Role Approved
       Request submitted for role level approval by Carmen Richardson(K01231) on 07/30/2008 15:45 
      Approved By Carmen Richardson(K01231) Path ERP_NEW and Stage ROLE_MANAGER on 07/30/2008 15:45 
       YBC:ROLE_922-QAS Role Approved
       Request submitted for role level rejection by Alexi Tsafos(K01232) on 07/30/2008 15:45 
      Rejected By Alexi Tsafos(K01232) Path ERP_NEW and Stage ROLE_MANAGER on 07/30/2008 15:45 
       YBC:ROLE_921-QAS Role Rejected
       Request Closed By Alexi Tsafos(K01232) on 07/30/2008 15:45 
       Auto provisioned for request on 07/30/2008 15:45 
    In request 227, the first role manager rejected their role and the second role manager approved their role and AE auto-provisioned the approved role. 
    Request 227 Submitted by Alexi Tsafos(k01232) on 07/30/2008 15:50 
       YBC:ROLE_921-QAS Role Added
       YBC:ROLE_922-QAS Role Added
       ZU:COMMON-QAS Default Role Added By system
       Request submitted for approval by Alexi Tsafos(K01232) on 07/30/2008 15:50 
      Approved By Alexi Tsafos(K01232) Path ERP_NEW and Stage LINE_MANAGER on 07/30/2008 15:50 
       ZU:COMMON-QAS Role Approved
       YBC:ROLE_921-QAS Role Approved
       YBC:ROLE_922-QAS Role Approved
       Request submitted for role level rejection by Carmen Richardson(K01231) on 07/30/2008 15:50 
      Rejected By Carmen Richardson(K01231) Path ERP_NEW and Stage ROLE_MANAGER on 07/30/2008 15:50 
       YBC:ROLE_922-QAS Role Rejected
       Request submitted for role level approval by Alexi Tsafos(K01232) on 07/30/2008 15:50 
      Approved By Alexi Tsafos(K01232) Path ERP_NEW and Stage ROLE_MANAGER on 07/30/2008 15:50 
       YBC:ROLE_921-QAS Role Approved
      Auto provisioned for request on 07/30/2008 15:50 
       New User: AETEST20 created on 07/30/2008 15:50 in System(s): QAS.
       Role: ZU:COMMON assigned to user: AETEST20 in System(s): QAS.
       Role: YBC:ROLE_921 assigned to user: AETEST20 in System(s): QAS.
       Request Closed By Alexi Tsafos(K01232) on 07/30/2008 15:50 
    As described in an earlier post, the stage config is set for "role" level approval by "any approver".  I've also tried "role" level approval by "All approvers" and have the same problem. 
    Any ideas?
    Thanks,
    Alexi
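A reconciliation check over audit logs like the two posted above, as an added example that is not part of the original posts or of Access Enforcer. It assumes the line shapes seen in those logs and that the last decision logged for a role is its final outcome; the function and variable names are hypothetical.

```python
import re

# Lines condensed from the audit logs of requests 226 and 227 in the post above.
AUDIT_LOG = """\
Request 226 Submitted by Alexi Tsafos(k01232) on 07/30/2008 15:44
ZU:COMMON-QAS Role Approved
YBC:ROLE_921-QAS Role Approved
YBC:ROLE_922-QAS Role Approved
YBC:ROLE_922-QAS Role Approved
YBC:ROLE_921-QAS Role Rejected
Request Closed By Alexi Tsafos(K01232) on 07/30/2008 15:45
Auto provisioned for request on 07/30/2008 15:45
Request 227 Submitted by Alexi Tsafos(k01232) on 07/30/2008 15:50
ZU:COMMON-QAS Role Approved
YBC:ROLE_921-QAS Role Approved
YBC:ROLE_922-QAS Role Approved
YBC:ROLE_922-QAS Role Rejected
YBC:ROLE_921-QAS Role Approved
Auto provisioned for request on 07/30/2008 15:50
Role: ZU:COMMON assigned to user: AETEST20 in System(s): QAS.
Role: YBC:ROLE_921 assigned to user: AETEST20 in System(s): QAS.
Request Closed By Alexi Tsafos(K01232) on 07/30/2008 15:50
"""

SUBMITTED = re.compile(r"^Request (\d+) Submitted by ")
DECISION = re.compile(r"^(\S+) Role (Approved|Rejected)$")
# Assumption: one system per "assigned" line, as in the posted log.
ASSIGNED = re.compile(r"^Role: (\S+) assigned to user: \S+ in System\(s\): (\S+?)\.$")

def reconcile(log_text):
    """Per request: roles approved but never assigned, and assigned without approval."""
    decisions, provisioned, current = {}, {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := SUBMITTED.match(line):
            current = m.group(1)
            decisions[current], provisioned[current] = {}, set()
        elif current is None:
            continue
        elif m := DECISION.match(line):
            decisions[current][m.group(1)] = m.group(2)  # assumption: last decision is final
        elif m := ASSIGNED.match(line):
            provisioned[current].add(f"{m.group(1)}-{m.group(2)}")
    report = {}
    for req, roles in decisions.items():
        approved = {r for r, d in roles.items() if d == "Approved"}
        report[req] = {"missing": sorted(approved - provisioned[req]),
                       "unexpected": sorted(provisioned[req] - approved)}
    return report
```

Run over the posted logs, request 226 reports its two approved roles as missing while request 227 reconciles cleanly; a non-empty `unexpected` list would indicate a role assigned in the backend without a final approval.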

  • GRC CUP 5.3 Auto provisioning Error

    Hello All,
    This issue is occurring in development system of GRC and works as expected in Quality systems.
    Development system of CUP Jco's connected to the development ABAP stack and
    Quality Systems of Cup Jco's connected to the QA ABAP stack .
    All the parameters and the configuration are the same in Dev and QA.
    Now the problem we have is at the last approval stage in the workflow after the approver approves the request (Create/Change) It is erroring out in Auto Provisioning stage with the below message :
    Error provisioning your request. Request no: 75. Error occurred in the system(s) : n/a, error details :
    DEVL1120-TEST_A-USER CREATE-Password is not long enough (minimum length: 10 characters)
    DEVL2120-TEST_A-USER CREATE-Password is not long enough (minimum length: 10 characters)
    If the same approver goes back into the request and re-approves, the auto-provisioning is completed and the request is closed. For every last approver, the first time he tries to approve the request he gets the above errors in development and does not receive the same error in QA.
    The password parameters in the ABAP stack and the Portal Security config are same in DEV and QA. I am not sure if I am missing any information. Any suggestion/Help is appreciated.
    Angara

    Raghu, thanks for your response. Yes, I checked all the login parameters in both QA & DEV and compared those that were user defined vs. default; they were the same with no difference. Yet the problem occurred in the development system.
    I finally figured out the issue and the surprising part was the error that was issued during auto provisioning is very misleading.
    Our Security team had prototyped CUA and connected to the same development client CUP was connected and forgot to remove the child system from the CUA after their demo was complete.
    By utilizing the debug log mechanism, it showed the error as the BAPI that is used by CUP to create the user was failing due to CUA locking the client with no ability to create the users in the child system directly. The error displayed had no connection to the password length.
    Thank you all my issue has been resolved and back in business.
    Best Regards,
    Angara Rao

  • SP12: Auto-provisioning failed for role with action "keep"

    Hi,
    If you want to keep an existing role for a user in CUP, it wasn't possible to change the validity of the role. Therefore you have to set parameter 145 value to 1 in database table VIRSA_AE_ERMCONFIG and refresh the cache in CUP (solution with SP11).
    But now we have problems with the auto-provisioning.
    We can enter the other validity of the role and after that the request provisioning failed. In our workflow the request rerouted to the admin because of escape-route settings. All other new roles in the request are assigned well to the user in the backend system.
    Any ideas?
    Many thanks,
    Alexa

    Hi,
    we actually have the same problem, that changes to the role validity with action "keep" are not provisioned to the SAP system.
    If it is only possible to change the validity with the action "add" it is not possible to limit the validity of a previously unlimited role. Because as you said another role with the new validity dates is simply added to the existing roles.
    The only workaround would be to delete the old role and add a new one with new validity dates. But in my opinion this workaround is not acceptable for the users.
    Best Regards
    Jonas

  • CUP auto provision to position

    Hello Experts
    I hope you can help me on this issue. We have just implemented CUP (SP14) and have set up auto provisioning, indirect to a position.
    Despite this CUP is provisioning all requests directly to the User ID. There are no error messages to indicate that provisioning to the position has failed or even if it has been attempted. All back end functionality is standard and working when tested manually. The CUP logs are not showing anything that I can decipher. It is as if the auto provision configuration indirect to the position is being ignored.
    Any ideas what could cause this behaviour?
    Thanks
    Barry

    Hi Jwalant
    Thanks very much for the reply,
    I am using SAPHR as the data source and for authentication. However we only want the user id to authenticate.
    Auto provisioning is set to indirect with position for Global and by System and I have tried Provisioning at end of request and at end of each path. This should work without using the personnel number in the authentication shouldn't it?
    The user's HR information is being pulled into the request without problem. It seems that CUP is making no effort to provision to the position, it just does it to the user every time.
    Any ideas?
    Thanks
    Barry
