Approval of IOM / provision of workflow

Hi all
I have a question regarding the approval of IOM / provision of workflow.

Application of X (e.g. Active Directory) has an OOTB connector which can available to the user and manage its role in enforcement. The user can trigger the request for change of role through the console of administration of IOM.

My query - Can I configure access policy/user group for the creation of a database the X application user identity. This will create identities of user for all users in application X without roles. Later user must be able to pray for roles and approval, to update its role in the X application.

Can this scenario can be implemented with any connector OOTB, with supply and role workflow approval in place. Do you not see any complexity in the present. Please provide your comments.

The van of provisioning core can be done using access policies.

If you want to that role management application in pre OIM 11 g, you will need to do more custom ROs. There are two ways to do this.

The best way to do is to combine the approaches in these two messages and create a custom RO that moves the user to a group of IOM which has an access policy attached which manipulates the child table on the base target RO system.

http://iamreflections.blogspot.com/2010/09/OIM-HOWTO-one-resource-object-per.html
http://iamreflections.blogspot.com/2010/09/OIM-HOWTO-target-system-group.html

Please take a look and see if it's understandable. I should probably write another entry that deals with this specific use case.
/ Martin

Tags: Fusion Middleware

Similar Questions

Approval of IOM - behavior
Hi experts,

IOM 9.1.0.2
I have the following situation (development environment):

I made the request to a resource for 3 users (they have different managers).
I set the approval workflow for the resource, where the first step is attributed to the demand for the target user manager.
I realized that generated a unique request ID and the approval request has been sent to only a user's Manager. After the approval of the Manager of all the users have been configured for the resource.

Should not the IOM send approval for each manager request?

Any help, it will be very appreciated.

TiA,
Carlos
IOM sees a single application as a single unit to operate in the approval workflow.

If you need transport to the User Manager, you cannot have multiple users in a single query.

Best regards
/ Martin

Dynamically determine the level of approval of IOM
Hi all

I have a requirement that the trust level must be determined dynamically based on the requested resource. We have two levels of approval (first and second) and my client wants a second level of authorization only for some resources and these details defined in a csv file. for example, (resource1, first_app, second_app). So if the file contains data of level approver second then 2nd level is necessary in addition is not necessary. The second level approval task should also be initiated once the first level approver approves the request.

for example, when the user requests a resource, demand should go to the first level approvar. Once the first level approver approves the request, it must validate if second level approval is required or not for the requested resource. If necessary, and then in the second row in the case otherwise it must develop the resource to the user. It is possible to do so in the IOM?

I created the task 3, the first is for the approval of first level (unconditonal). Second task is for the (conditional) second level approval and I created another (conditional) task is just to confirm that the second level approval is required or not. With this task have attached an adapter and passing the resource being requested as an argmuent according to the data of the object, this adapter calls a java and will return TRUE if second level required or FALSE if not unnecessary.

FIRST LEVEL - Response Tab - to approve - I to Generate Task - task IS SECOND LEVEL mpped.
-SECOND LEVEL response Tab - for REAL - to Generate Task - I've mapped SECOND LEVEL task (condition C).
IS the SECOND LEVEL - response Tab - for FALSE - Task to Generate - nothing (State R).

If FALSE is returned IS SECOND LEVEL approval ends by rejected. If SECOND LEVEL IS returns TRUE it immediately execute the procurement process and then assigns the request to the SECOND LEVEL approver. Am I missing something?

Can you suggest me how to deal with this?

Thanks in advance,
INIYA
Hey the bottom only I can see with that is already written there.

IS the SECOND LEVEL - response Tab - for FALSE - Task to Generate - nothing (State R).

If you have set with the status of the 'FALSE' answer you reject your task, and if you reject your task then your approval is complete. You need to change here is just to change the status of 'C' that will allow your workflow know that now there is no second level required and the approval is completed.

I think that you will not be able to change the answer to 'C' for this, because you have already used this 'task response' for certain tasks. What you can do for it is.
(1) Eitgher go and update the database for this mapping.
(2) send another answer to the file instead of FALSE. Send for example number and then mark it as finished - 'C '.

You need to do.

Thank you

Sunny

Form customization target IOM Provisioning

Hello guys,.
I use OIM 11 g R2 (with BP14) and joined the IOM to Active Directory.
Primary AD ACC provisioning is automated by code Java API and secondary account AD are always created manually (direct commissioning of the user interface by using the instance of the application).
Now we want that if the user creates secondary VAC (for AD Application instance is added to the cart and following form of screen opens to add details) then open the form name of Organization (search field) is filled with default values.
How can we achieve this feature?
1: Options that I can think of is to create sandbox and add some expressions for this field. In what field we must add this expression to check if ACC is secondary and fill in the name of the organization with the default?
Only 2: Is there another approach better?
Thank you
Puneet

To add an adapter in the form of process ad prepopualte would be better, then adding EL expression.

The prepoluate adapter, you can implement the logic to determine if already a main account has been placed in service, and accordingly to pre-populate with the default value.

Expression of the AddIn would you can deploy custom managed bean and also whenever you create a new instance of application form this expression must be entered again.

Show only approved documents / published in a workflow

Hello
According to my use case, after the download of a document at the University Complutense of MADRID, he goes into a workflow.
I want to display documents that after the document status 'released' (i.e.) only after the document is approved.
I am not able to find by using the metadata 'Status' field because it is not queryable.
Please suggest a possible workaround solution.

You can use any search service with CRMI and items in a workflow will not be included.

You can view a tutorial at https://drive.google.com/file/d/0B0NLbq1MqaEQSlcyVGxQLVdOQzg/edit?usp=sharing

Policies for approval 11g IOM - approval rule to check the Connection Manager
Hello

I have a requirement in which if the applicant of a resource is a Manager, while demand should automatically be approved. However if the applicant is one person other than the owner, then it should be assigned to the Manager for approval. Is it possible to do this verification in the approval rule?

My idea was to create two trust policies for the same resource with a single policy with auto approve activated if the connection applicant is same as connection of eating of the beneficiary and other policies with the default approval process BeneficiaryManager if the connection of the applicant is different from the connection of the beneficiary. I don't know if the approval rule can be configured to check these values during execution.

Any kind of help/suggestion is greatly appreciated.

Concerning
Deepa
To do this, you change the task of bpel and specify the condition to jump for the task. In the rule to jump, you must specify if the applicant is responsible for the user (the two values that you get in the payload). Set it up this way auto approve request to the Manager.
Also be sure to affect the outcome of the BPEL task of condition of approval so that IOM does not wait for the State.

HTH,
BB

Published by: bbagaria on Sep 9, 2011 05:36

Dynamic approval for a single Application Workflow
Hello

My Requirment is based on the values selected by the user in the form of resource radio button, the approval workflow should be decided.

For example. If I click on 'NO' then it is single approval level. (see task 13).
If I click 'Yes', then it is two level approval. (having more than 13 tasks).

Can I create two approval workflow and map it accordingly? Or in a single approval workflow, I have all the tasks and skip a part as accordingly?

How to get there?

Thank you
Prashanth.
You can manage this in a workflow approval unique itself.

Create a task that will read the value of the form object

If yes-> redirect approval workflow for the second task

If no.-> redirect Worlflow approval to other tasks

http://rajivdewan.blogspot.com/2010/07/multilevel-approval-workflow-in-Oracle.html

IOM Provisioning - OID Create User fails with a weird error
Hello

I have the auto layout installation service using access policies, the user is to created in IOM, then he's trying to delivery to the OID.

I get the following error while trying to create the user in the OID. The "Create a user" task is rejected status with the error "Could not create user".

DEBUG, December 6, 2010 14:07:33, 573, [XL_INTG. OID], com.thortech.XL.Integration.OID.tcUtilOIDUserOperations: getMultiValues(): COMPLETED
DEBUG, December 6, 2010 14:07:33, 574, [XL_INTG. OID], com.thortech.XL.Integration.OID.tcUtilOIDUserOperations: escapeCharactersDN(): STARTED
ERROR, December 6, 2010 14:07:33, 575, [XL_INTG. OID],====================================================
ERROR, December 6, 2010 14:07:33, 575, [XL_INTG. OID,] ERROR in com.thortech.xl.integration.OID.tcUtilOIDUserOperations:createUser(S,S,S,S,S) generic Exception Exception:
ERROR, December 6, 2010 14:07:33, 575, [XL_INTG. OID],====================================================

ERROR, December 6, 2010 14:07:33, 575, [XL_INTG. OID],====================================================
ERROR, December 6, 2010 14:07:33, 575, [XL_INTG. OID],
ERROR, December 6, 2010 14:07:33, 575, [XL_INTG. OID],====================================================

DEBUG, December 6, 2010 14:07:33, 575, [XL_INTG. Election of OID], com.thortech.XL.Integration.OID.tcUtilOIDUserOperations:createUser(S,S,S,S,S) with the code: USER_CREATION_FAILED
DEBUG, December 6, 2010 14:07:33, 575, [XL_INTG. OID], com.thortech.XL.Integration.OID.tcUtilOIDUserOperations: disconnectLDAP(): STARTED

I mentioned the following post:

IOM - OID Direct Provisioning of users newly created via the err access policy

Mistakes are similar, but it seems that in my case the container DN is updated using the adapters to prepopulate.

Any ideas to fix it?

Concerning
Vijay Colin
I would recommend to sniff the connection (http://iamreflections.blogspot.com/2010/08/how-i-learned-to-stop-worring-and-love.html) or decompile the connector.

Newspapers are not very useful.

Best regards
/ Martin

IOM - provisioning not permitted after the cancellation date is defined
Hello
For reconciliations target AD, we see certain events having the status of "Received event". In the reconciliation Manager when we re - apply the matching rules for this we get an error that "Provisioning not permitted after the date of cancellation. When I checked the user of the IOM, the user has both cancellation date and supply cancelled the value of past dates.

The thing is that somebody has re-created manually these AD accounts, after the user is finished (after the date of provisions). The above error is specified because of the "deprovisionin date" or "date cancelled supply? Which one should I remove? Form IOM to the user, the date deprovisioned seems to be a single playing field and I can't delete the value.

Thank you
Is due to the cancellation date and cancelled supply date is set automatically takes its value from the cancellation date.

For your confusion:

Just create a user in IOM and give a date of cancellation as the current date. Now, try to provide any resources it then it will show you the same error you get

"* Commissioning is not allowed after the cancellation date is passed."

Published by: Rajiv Dewan

IOM-> provisioning OID how to kill formatOrgDN?
Hello friends,

a few lines in the journal in IOM:

XL_INTG. -> OID OID:tcUtilLDAPOperations ~ ~ ~ leaving GetExtension() dc = company, dc = com ~ ~ ~
XL_INTG. OID is the initial pContainerDN: cn = Users
XL_INTG. OID tcUtilOIDUserOperations-> formatOrgDN (s) of entry
XL_INTG. OID tcUtilOIDUserOperations-> settings
XL_INTG. -> OID tcUtilOIDUserOperations [pOrgDNcn = Users
XL_INTG. TcUtilOIDUserOperations-> pRootDNdc OID = company, dc = com]
XL_INTG. -> OID OID:tcUtilLDAPOperations ~ ~ ~ incoming GetExtension() with OU = users ~ ~ ~
XL_INTG. -> OID OID:tcUtilLDAPOperations ~ ~ ~ leaving GetExtension() or = Users, dc = company, dc = com ~ ~ ~

so formatOrgDN changes orgDN of cn = Users in OU = Users.

Maybe someone can help me, wherever I can disable this formatting?

IOM 9.1.0.0
The OID connector: 9.0.4.1

Thank you!
Check put configuration resource root dn for your identities, then searh in the research of AttrName.Prov.Map.OID change ldapOrgDNPrefix with your entry name and
ldapOrgUnitObjectClass for your organization ldap class

Cannot open Workflow rules of approval in OIM 11 g R2 PS3

Hi all

When I clicked on workflow-> screen sysadmin IOM approval button, empty page is opened.

When I open the newspapers with Trace: 32, diagnostic log file a below the error log.

You have an idea about this error?

How can I solve this problem?

------------------

[2016 02-04 T 15: 20:26.672 + 02:00] [WLS_OIM1] [TRACE] [] [oracle.adf.share.ADFContext] [tid: [ASSETS].] [ExecuteThread: '19' to the queue: "(self-adjusting) weblogic.kernel.Default"] [username: xelsysadm] [ecid: 986ee303cfcde60f:4d7a1bd9:152a60fcce3:-8000-000000000000da49, 0] [APP: oracle.iam.console.identity.sysadmin.ear #V2.0] [IDDM: 0000LAgF6St4ykW_Px ^ Ayd1MgQs700000C] [SRC_CLASS: oracle.adf.share.ADFContext] [SRC_METHOD: getADFFacesViewScopeMap] oracle.adf.view.rich.context.AdfFacesContext allows for the ViewScope

[2016 02-04 T 15: 20:26.675 + 02:00] [WLS_OIM1] [TRACK: 32] [] [oracle.adf.share.ADFContext.allocationLogger] [tid: [ASSETS].] [ExecuteThread: '19' for queue: "(self-adjusting) weblogic.kernel.Default"] [userId: xelsysadm] [ecid: 986ee303cfcde60f:4d7a1bd9:152a60fcce3:-8000-000000000000da49, 0] [APP: oracle.iam.console.identity.sysadmin.ear #V2.0] [IDDM: 0000LAgF6St4ykW_Px ^ Ayd1MgQs700000C] [SRC_CLASS: oracle.adf.share.ADFContext] [SRC_METHOD: logDiagnosticsInternal] > > recorder invoked distribution: BUFFER EXCEEDED, STARTING OVER [[] memory ALLOCATION

The value of Count = 1 Delete Count = 1

> > Distribution batteries:

> > > > The value ADFContext:

External context:

[Context: ServletContext@1995135651[app:oracle.iam.console.identity.sysadmin.ear module: sysadmin path: / sysadmin spec-version: 2.5 version: V2.0]

Request: weblogic.servlet.internal.RequestEventsFilter$EventsRequestWrapper@2d1c4351

Discussion: Thread [[ACTIVE] ExecuteThread: '19' for queue: "(self-adjusting) weblogic.kernel.Default", 5, pooled discussions]

java.lang.Thread.getStackTrace(Thread.java:1589)

oracle.adf.share.ADFContext.storeAllocationStack(ADFContext.java:1523)

oracle.adf.share.ADFContext.setAsCurrent(ADFContext.java:1463)

oracle.adf.share.http.ServletADFContext.initialize(ServletADFContext.java:470)

oracle.adf.share.http.ServletADFContext.initThreadContext(ServletADFContext.java:420)

oracle.adf.view.page.editor.webapp.WebCenterComposerFilter.doFilter(WebCenterComposerFilter.java:88)

weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)

oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:133)

org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$ FilterListChain.doFilter (TrinidadFilterImpl.java:478)

oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)

org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$ FilterListChain.doFilter (TrinidadFilterImpl.java:478)

org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:303)

org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:208)

org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)

weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)

oracle.iam.ui.platform.servletfilter.IdentityContextFilter.doFilter(IdentityContextFilter.java:52)

weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)

oracle.adf.library.webapp.LibraryFilter.doFilter(LibraryFilter.java:180)

weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)

oracle.iam.ui.platform.view.authz.filter.AdvancedConsoleAccessFilter.doFilter(AdvancedConsoleAccessFilter.java:127)

weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)

oracle.iam.ui.platform.servletfilter.OIMRedirectValidatorFilter.doFilter(OIMRedirectValidatorFilter.java:139)

weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)

oracle.security.jps.ee.http.JpsAbsFilter$ 1.run(JpsAbsFilter.java:138)

java.security.AccessController.doPrivileged (Native Method)

oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:324)

oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:464)

oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:121)

oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:211)

oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)

weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)

oracle.security.wls.filter.SSOSessionSynchronizationFilter.doFilter(SSOSessionSynchronizationFilter.java:422)

weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)

oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:163)

weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)

weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)

weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)

weblogic.servlet.internal.WebAppServletContext$ ServletInvocationAction.wrapRun (WebAppServletContext.java:3730)

weblogic.servlet.internal.WebAppServletContext$ ServletInvocationAction.run (WebAppServletContext.java:3696)

weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)

weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)

weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)

weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)

weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)

weblogic.work.SelfTuningWorkManagerImpl$ WorkAdapterImpl.run (SelfTuningWorkManagerImpl.java:545)

weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)

weblogic.work.ExecuteThread.run(ExecuteThread.java:221)

> > > > Reset the ADFContext:

Discussion: Thread [[ACTIVE] ExecuteThread: '19' for queue: "(self-adjusting) weblogic.kernel.Default", 5, pooled discussions]

java.lang.Thread.getStackTrace(Thread.java:1589)

oracle.adf.share.ADFContext.storeAllocationStack(ADFContext.java:1523)

oracle.adf.share.ADFContext.removeAsCurrent(ADFContext.java:1500)

oracle.adf.share.http.ServletADFContext.removeAsCurrent(ServletADFContext.java:674)

oracle.adf.share.http.ServletADFContext.resetThreadContextScopes(ServletADFContext.java:669)

oracle.adf.share.http.ServletADFContext.resetThreadContext(ServletADFContext.java:629)

oracle.adf.view.page.editor.webapp.WebCenterComposerFilter.doFilter(WebCenterComposerFilter.java:160)