Issue with OIM 11g access policies

Hi all

We have defined the role 'CommonUsers' and assigned access policies involving the AD and Exchange resources. We use flat-file reconciliation to create users in OIM; whenever this ends, a custom adapter assigns the role 'CommonUsers', based on certain conditions.

This works well for all new employees: the OIM role 'CommonUsers' is assigned to the users and they are provisioned in AD and Exchange.

After the user is terminated, the user is in OIM with the "Disabled" status, the AD/Exchange resources are in the "Revoked" state (no AD / Ex accounts), and the assigned role 'CommonUsers' is removed.

However, this does not work as expected for the REHIRE case: the OIM user status becomes 'Active' with the 'CommonUsers' role, but the AD and Exchange resources are not getting provisioned. Here, 'CommonUsers' is assigned to the user, but the provisioning associated with the role is not started.

Please suggest a solution.

Thank you.

Great,
Please mark this thread as answered.
:)
Thank you
Diallo

Tags: Fusion Middleware

Similar Questions

  • ACS 5.2 NDG locations not appearing in the access policies

    When I add locations under Network Device Groups and then try to use them in my access policies, they do not appear. It just says "No data to display". If I try to recreate them I get an error, "The object that you are trying to create already exists", but it is empty. I can run an export and they appear in the CSV file, but they do not appear anywhere in the GUI. I deleted the file and re-created it with the same result.

    I have searched everywhere for others with a similar situation but came up empty. Any thoughts?

    Kind regards

    Andy

    I remember two issues with this:

    - If there are multiple attributes with the same name as the NDG. For example, if you create a user attribute called "Locations", it can cause problems. This can be resolved by renaming the attribute.

    - There can be issues if the word 'system' appears in the name of an NDG node.

    Not 100% sure about these (disclaimer), but I wanted to mention them in case it gives some pointers.

  • Belonging to several access policies

    Hello

    I am curious about others' experience with access policies maintained by groups, and users belonging to several groups and several access policies. Example:

    John Doe belongs to group 1 and group 2

    Order  
    1 AccessPolicyA
      Selected groups: group1
      Blocks access to the URL xyz.com
    2 AccessPolicyB
      Selected group: group2
      Allows access to the URL xyz.com

    Will the WSA check all the access policies Doe authenticates against? Or does it stop and use the first access policy that it can access, in this example AccessPolicyA?

    Hi khadim,

    WSA uses a top-down approach to evaluate access policies, so if access policies A and B belong to the same identity policy and are listed as above, then WSA will use access policy A to evaluate the request.

    Best regards

    Alessandro

  • Pre-population of attribute in the access policies

    Hello

    I have set up provisioning of users from OIM to AD based on access policies.

    In the access policy I have to define the 'Organization Name' in which the users are created in AD.

    Is it possible to generate the 'Organization Name' generically, based on the user's attributes?

    If so, how?

    Do not put a value in the access policy. You must generate it either in a prepopulate plugin on the application side, or in your prepopulate adapter on the process form. Pass in the user key or any other value, perform your logic, and return the lookup code key value for your organization.

    -Kevin

  • User ID is not prepopulated in our form instance with access policies

    Hello

    I have an interesting question. I am integrating our custom application with an ICF connector. I created all the metadata and two prepopulate adapters too. When I create an account manually (request an account) and submit an empty form, those prepopulate adapters work as I expected and fill in the user ID and password.

    I also created a role and an access policy. But when access policies are evaluated and the account must be created, the password is prepopulated but the ID is not.

    Please, do you have any idea what the problem is? How can I solve this problem?

    Thank you

    Milan

    Check that Auto Save Form and Auto Pre-populate are checked in the process definition

    http://docs.Oracle.com/CD/E21764_01/doc.1111/e14309/promgt.htm

    ~ J

  • Problem with access policies (create several resources)

    I'm having a problem with access policies:

    The first policy must create a resource.
    And the following policies should create children on the resource.

    The problem here is that when the policies add the children, the resource is not provisioned yet.
    And then each one creates a resource, but I want just a single resource with the children.

    When the resource is already provisioned, the policies update this resource correctly.

    How can I fix this?

    Thanks

    Ricardo,

    I had a similar problem. In a post-process handler, I managed the user's membership of specific roles through the removeMemberUser and addMemberUser methods of the tcGroupOperationsIntf class.
    The last parameter of these methods is a Boolean value that, if true, automatically triggers the access policies programmatically in the post-process.
    The problem is that there is also an OOTB handler for triggering access policies, so I was basically triggering the access policies twice and duplicate resources appeared.

    I hope this helps.

    See you soon

  • OIM 9.1.0.2 - access policies issue

    Hi gurus,

    I am seeing strange behaviour in the access policies feature.

    When users are disabled in OIM, they should be removed from the groups linked to the AP, but the groups are still assigned, and because of that the AP is triggered again, provisioning resources to the users.

    Has anyone faced this issue?

    Brgds,
    Carlos

    You must add active status to your group membership rules.

    -Kevin

  • Sub-groups and access policies

    It seems that when I add a user to a subgroup, the access policies of the parent user group are not applied. However, the user is added to the parent user group.
    Can someone please verify this?

    Thank you

    Subgroups Do Not Inherit the Access Policy of SuperGroup in OIM [ID 815373.1]

    Bug 5985475:

    Define a post-insert event handler and attach it to the access policies data object in the Data Object Manager, so that when a group is assigned to an access policy, it checks for and adds its subgroups to the access policy (just the first level, as it will recursively keep adding subgroups). Make sure you have a similar event handler attached to the post-delete event of the access policy, so that when a group is removed from an access policy, all its subgroups are also removed from the access policy.

    Good luck!

  • Logging issue with a named access control list

    Hello

    I've used ACLs for many years and have not had too many issues. I am at a new client site on a port authentication project, where we planned on using extended access control lists, entirely open, to monitor traffic and help write the correct ACLs for the services. The issue I have found is that with the ACL below, syslog logging does not show the port number, which is exactly what we are after. We have non-named extended ACLs that record the port number as well.

    Running: Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH3a, RELEASE SOFTWARE (fc1)

    ip access-list extended access-list-example

    permit ip any any log
    deny ip any any log

    The log output:

    Mar 22 11:23:46: %SEC-6-IPACCESSLOGP: list access-list-example permit tcp nnn.nnn.nnn.nnn (0)-> xxx.xxx.xxx.xxx (0), 1 packet

    On a normal extended access list, we get this in the log output:

    access-list 120 permit ip host nnn.nnn.nnn.nnn xxx.xxx.xxx.0 0.0.0.7 log

    Mar 22 09:31:46: %SEC-6-IPACCESSLOGP: list 120 permit tcp nnn.nnn.nnn.nnn (3874)-> xxx.xxx.xxx.xxx (5001), 1 packet

    This shows the port numbers. I was wondering what small thing I have missed on logging, as I checked http://www.cisco.com/web/about/security/intelligence/acl-logging.html and I see that using the log keyword should do this, because it shows the port numbers in their example.

    I'm sure it'll be something simple but I can't figure it out - I searched for any odd Cisco caveats for named ACLs that relate to port numbers, but can't find anything easily. Just wondering if anyone else has experienced this.

    Thank you

    Z.

    For the port numbers to appear in the logs, you must create the access list as follows:

    ip access-list extended access-list-example

         permit tcp any gt 0 any gt 0 log
         permit udp any gt 0 any gt 0 log

    Hope that helps.
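
As an added example (not part of the original thread): a small Python check that parses IPACCESSLOGP syslog lines and reports which ACLs are logging port 0 on both sides, the symptom described in the question above. The sample lines are constructed, with documentation addresses in place of the masked ones and the standard IOS `%SEC-6-IPACCESSLOGP` mnemonic; the pattern accepts both `permit` as quoted in the thread and `permitted`/`denied`.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the log entries quoted in the thread.
SAMPLE_LOG = """\
Mar 22 11:23:46: %SEC-6-IPACCESSLOGP: list access-list-example permitted tcp 192.0.2.10(0) -> 198.51.100.5(0), 1 packet
Mar 22 09:31:46: %SEC-6-IPACCESSLOGP: list 120 permitted tcp 192.0.2.10(3874) -> 198.51.100.5(5001), 1 packet
Mar 22 09:32:02: %SEC-6-IPACCESSLOGP: list access-list-example denied udp 192.0.2.44(0) -> 198.51.100.9(0), 3 packets
Mar 22 09:33:10: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Whitespace around the parentheses and the arrow is optional, so lines
# copied with stray spaces still parse.
LOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP:\s+list\s+(?P<acl>\S+)\s+"
    r"(?P<action>permit(?:ted)?|den(?:y|ied))\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+)\s*\((?P<sport>\d+)\)\s*->\s*"
    r"(?P<dst>[\d.]+)\s*\((?P<dport>\d+)\),\s+(?P<count>\d+)\s+packets?"
)

def parse_line(line):
    """Return the fields of one IPACCESSLOGP line, or None for other lines."""
    m = LOGP.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec

def acls_missing_ports(log_text):
    """Map ACL name -> counters, for ACLs with entries logged as port 0 -> 0."""
    stats = defaultdict(lambda: {"total": 0, "zero_ports": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counters = stats[rec["acl"]]
        counters["total"] += 1
        if rec["sport"] == 0 and rec["dport"] == 0:
            counters["zero_ports"] += 1
    return {acl: c for acl, c in stats.items() if c["zero_ports"]}

if __name__ == "__main__":
    for acl, c in acls_missing_ports(SAMPLE_LOG).items():
        print(f"{acl}: {c['zero_ports']}/{c['total']} entries logged without port numbers")
```

Run against a collected syslog file, an ACL that appears in the result is a candidate for the `permit tcp` / `permit udp` entries suggested in the answer.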

  • Access policies are not triggered for AD

    Hello

    I have an automatic provisioning mechanism based on three components:
    1 - postprocess handlers on create and update of the OIM user
    2 - the postprocess adds the user to a role if the OIM user is to have access to AD, and adds the user to additional specific roles (one for each AD group) based on the information in the OIM profile
    3 - access policies are triggered for each specific role and create the AD resource and add groups to the resource.

    This process works very well when the user is created, but it does not always work on update (though sometimes it does). It seems that sometimes the right access policy is not triggered.

    I checked and rechecked the process and everything was fine: the right fields were provided, the process was running and adding the user to specific roles, but afterwards the groups were not added to the resource.

    I decided to 'remove' the existing access policies (access policies cannot be removed, so I just configured them to be triggered by dummy roles) and created them again exactly as before, and it worked... but only for a time. Some time later, the same problem occurred.

    This time, I didn't have as much patience (I have 20 roles and 20 access policies). I me roaming on a printout of group access contract and I just decided to change the resource form (adding) and deleted the specific group from provisioning and added it again. It worked... but only for a time. Once again, some time later, the same problem occurred.

    It is a recurring problem... I don't know what the cause of the problem is, I do not understand why the operations I ran temporarily solved the problem and, above all, I do not know how to solve this problem permanently.

    Does anyone have the same problem? Any suggestions on how to fix this?

    Thanks in advance.

    Kind regards

    Yes, it's a problem.

    But order 1000 is surely a problem. It is used by OIM. Once you've changed it to 1005, just make sure that you have restarted the server. Hope you did. But if not, just restart and check it out.

    Otherwise, you can do a workaround.

    Just remove this event handler from MDS for some time.

    2 - the postprocess adds the user to a role if the OIM user is to have access to AD, and adds the user to additional specific roles (one for each AD group) based on the information in the OIM profile

    Create the rule using the rule designer to add the user to the different groups, and update the access policy if necessary.

    Let's see.

    I hope it works

    Kind regards
    Mireille Nayan

    Published by: Zaba Nayan on 18 January 2012 04:29

  • Dynamic access policies - limit on ASA 9.4?

    Hello

    Is there a maximum number of DAPs supported by ASA 9.4 on the 55XX?

    Cisco recommended a maximum of 100 on 9.1. Is that still true for 9.4?

    Thank you

    Patrick

    Hi Patrick,

    There is virtually no limit on the DAP policies you can create on the ASA; it depends more on the hardware you are using than on the code the ASA is running. However, there is a limit to the attributes within each DAP.

    Currently, a maximum of 5000 values/instances can be processed per attribute in each DAP.
    A syslog is generated when this limit is exceeded:
    %ASA-3-109035: Exceeded maximum number (5000) of DAP attribute instances for user =

    Hope this helps.

    -Randy-

  • 508 accessibility issue in Acrobat; accessibility controls grayed out

    Hi - I have to check the PDF in two different versions of Acrobat. On my computer, the accessibility features work very well. Then when I went to my other office with my laptop, I tried to check the accessibility and all of the same controls on the other computer are grayed out. I'm quite puzzled by this, so I do not know if the laptop has some kind of permissions block (I do this work for a government agency) or what.

    Here is a side-by-side screenshot of the two computers' versions of Acrobat


    Can someone tell me why these controls are grayed out and what I have to do to enable them? Thank you.

    Hi Michael,

    Is one of them the Standard version (the pictures are a little blurry, I can't tell)? Accessibility features are available in Pro.

  • OIM 11g R1: nested roles and access policies

    Hello

    We have an access policy that fires to provision users to Active Directory. The access policy has the following composition:

    Rule: User Type is EMP AND Orgname == Company

    Role: the "employees of the company" role is granted automatically to all users who evaluate to TRUE for the rule. It works very well.

    Access policy: resource: Active Directory, membership rule: "employees of the company".

    The policy above works fine. It fires when an employee is hired, and it fires again when an employee leaves, granting and revoking the resource as expected. Now, we also want to give the resource to all child roles of "employees of the company". I have created a role called 'cooperative society student', and I set its parent to be "collaborators".

    User1: Role: employee of company
    User2: Role: student cooperative society

    If I look at the role "employee of the company" and click the Members tab, I see two members: User1, direct; User2, indirect.

    However, the access policy is not firing to add User2 to Active Directory. They are a member of the role indirectly, but do not receive the resources assigned to the role.

    Should it? What can I do to ensure that members of the child role get the resources via the access policy on the parent role?

    Thank you.

    It is the expected behavior. You can update the access policy and add your child group to the list of roles that this access policy applies to.

    Kind regards
    GP

  • Provisioning groups with access policies

    I have an access policy1, which provisions a user with a group in AD based on attribute1.
    Then I have another policy2, which provisions several groups for this user based on attribute2.

    When attribute2 changes, another policy (policy3) comes in to add more groups. I need to know whether the groups previously provisioned by policy2 are going to be revoked. Will only the groups be revoked? I want the user to always be there and just the existing provisioning revoked and no new groups provisioned.

    THX

    Hello

    For process form changes, the policy with the lowest priority runs the show.

    For child form entries, I assume that the values are cumulative and will be revoked if you selected "revoke if no longer applies", so you should get the behavior you want, assuming you have implemented the group membership in the RO without the parent form.

    Best regards
    / Martin

  • Firefox 8.0 has some issues with Outlook Web Access: when you want to download an attached file, it is automatically saved as attachment.ashx

    Do you have a solution?

    See [895024/questions/895024]
