Provisioning of users of automated Segregate using Access Policy-Diff groups/Org

Hello

By default, users created in IOM - via GTC / via self-registration / via administrator - are all assigned to the "All Users" group. Can we assign these users to another group, defined by the user, for example "trialgroup", by default and unassign the group "All Users"? If so, how can we do it?

This issue is related to another question of mine:

I want to avoid all the users that are created in the IOM system - to be all together put in service to a single IT resource in my case OID directly via the access policy that can be applied to each group. I want to keep the system extensible for future purposes. And the only way is to the provision of resources direct segregate via access through different 'groups' strategy. So the solution I could think about was to assign all users who are currently created (via GTC and via the load mass in IOM) to a separate group and assign a policy of access to the group so that in the future if another resource comes into picture then the system can be extended by creating more groups and design of individual to separate for the same access policies.

Does it make sense?

Please provide your inputs! Advice/suggestions/ideas are welcome.

TIA,
-oidm.

I'm actually not sure what you want to achieve from the content of this post. If you mean that you don't want each user to IOM to be configured in OID automatically via the access policy, then I suppose that in this case you apply the ALL_USERS group access strategy.

Well I miss the flow of your question, but here's what you can do based on my understanding:

(1) forget the ALL_USERS group. We cannot do anything about it. Any created user will be a part of this group, and you cannot delete a user in this group.
(2) instead, what you can do is create another group, such as trialgroup, and make all users a member of this group as well. It would be simple to do. See the next step. Use the addMemberUser() of addMemberUser interface API.
(3) create an adapter of the entity with an added Java task, which takes a username entry and assigns this user to this group (trialgroup) in the use of the IOM above API. Mount this adaptation for the trigger for insertion after the Manager of data objects "users." (There is also another entity ootb adapter that adds all users to the Group of ALL_USERS).

(4) attach your strategy of access to this group.
(5) now you are also free to expand your system by creating more groups and access policies. It shouldn't be a problem.

Thank you

Sunny
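
One way to write the Java task from steps (2) and (3), as an added example that is not part of the original thread. It assumes the OIM 9.x `Thor.API` client classes are available to the adapter; the class name, method name and return codes are hypothetical, and `tcGroupOperationsIntf` is the interface that carries `addMemberUser()` in that API.

```java
import java.util.HashMap;
import java.util.Map;

import Thor.API.tcResultSet;
import Thor.API.tcUtilityFactory;
import Thor.API.Operations.tcGroupOperationsIntf;
import Thor.API.Operations.tcUserOperationsIntf;
import com.thortech.xl.dataaccess.tcDataProvider;

/**
 * Added example: Java task for an entity adapter attached as a post-insert
 * trigger on the "Users" data object. Class name, method name and return
 * codes are hypothetical; map the codes to adapter responses as needed.
 */
public class DefaultGroupAssigner {

    /**
     * @param dataProvider database reference supplied by the adapter
     * @param userLogin    login of the user that was just created
     * @param groupName    target group, for example "trialgroup"
     */
    public String assign(tcDataProvider dataProvider, String userLogin, String groupName) {
        // The find* calls accept '*' as a wildcard. Membership in this group
        // drives an access policy, so a wildcard must never pick the target.
        if (isUnsafe(userLogin) || isUnsafe(groupName)) {
            return "INVALID_INPUT";
        }
        try {
            tcUserOperationsIntf userOps = (tcUserOperationsIntf) tcUtilityFactory
                    .getUtility(dataProvider, "Thor.API.Operations.tcUserOperationsIntf");
            tcGroupOperationsIntf groupOps = (tcGroupOperationsIntf) tcUtilityFactory
                    .getUtility(dataProvider, "Thor.API.Operations.tcGroupOperationsIntf");

            // Resolve both keys and require exactly one match for each.
            long userKey = singleKey(
                    userOps.findUsers(filter("Users.User ID", userLogin)), "Users.Key");
            if (userKey < 0) {
                return "USER_NOT_UNIQUE";
            }
            long groupKey = singleKey(
                    groupOps.findGroups(filter("Groups.Group Name", groupName)), "Groups.Key");
            if (groupKey < 0) {
                return "GROUP_NOT_UNIQUE";
            }

            // The access policy attached to the group provisions the resource.
            groupOps.addMemberUser(groupKey, userKey);
            return "SUCCESS";
        } catch (Exception e) {
            // Fail closed: no membership is granted when a lookup or the add fails.
            return "ERROR";
        }
    }

    private static boolean isUnsafe(String value) {
        return value == null || value.trim().length() == 0 || value.indexOf('*') >= 0;
    }

    private static Map<String, String> filter(String column, String value) {
        Map<String, String> criteria = new HashMap<String, String>();
        criteria.put(column, value);
        return criteria;
    }

    /** Returns the key of the only row, or -1 when zero or several rows match. */
    private static long singleKey(tcResultSet rows, String keyColumn) throws Exception {
        if (rows.getRowCount() != 1) {
            return -1L;
        }
        rows.goToRow(0);
        return rows.getLongValue(keyColumn);
    }
}
```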

Tags: Fusion Middleware

Similar Questions

  • Access Policy Update or Revoke AD does not

    Hello

    Problem:

    I'm automating the AD Provisioning user via the IOM access policy. I am able to provision users in AD, but the user is not visible in the "resources" tab. If something is updated the IOM attributes and are not transfer of IOM to your user AD process. If I removed the user role, the user was not revoked the pub.

    Configuration:

    I created the following task to automate the configuration of the user. They are

    (1) rule
    Name: All users of the AD
    Rule criteria: user login! = NULL

    (2) role

    Name: AD role
    Member ship rule: all users of the AD

    (3) access policy:

    Access policy information

    Name of access policy: access AD policy
    Access Policy Description: Access AD policy
    With approval: No.
    Renovation of access policy: Yes
    Priority: 1

    Resources to be put in service by this access policy

    Name of the resource: AD user
    Revoke resource and entitlement (s) If is no longer applies: checked
    Forms of process: AD user details
    User AD form details are fed by pre-fill adapter in create and change < FieldName > fill in update operation.

    Role
    Name: AD role

    I could not see any error in the log of AD connector file.

    What I want to do something outside of politics to access AD to view resources in the resource TAB and also update the attributes of the user (process of change tasks are configured) and Revoke.


    Help is greatly appreciated.

    What do you mean by this statement:

    But the user is not visible in the "resources" tab

    Do you mean that when you go to resource a user profile, then you can not see that AD user is provisioned to this user?

    Check the checkbox "Auto Save" on "AD User" process Definition
    Add a user in this role explicitly in this role/group

    Resources to be put in service by this access policy

    I hope you give values for AD server and the name of the Organization in the form of courses in this section.
    Allow the newspapers as well as user AD spots are called or not

    And

    To send the attributes changed to AD, you create corresponding tasks such as change of name, change last name etc in the definition of user AD process and made its entry in the search for relaxation?
    If yes then it will work only when you see AD user configured/active status in the profile of the user of resources

    Let me know the results

  • Automatic provisioning using the access policy

    Hi all

    I have a resource I would have auto-mis in service to any user who meets the following criteria.

    1 UDF1 is a specific value.
    2 UDF2 contains a value.

    The only way I know how to do automatic provisioning uses an access that is associated with a group policy. And this group is automatically filled for members using one or more rules. However, I see a limitation with the rules that does not allow my second criteria. You can't have a rule where the value has a wild card. There is no work around for this?

    Thank you!

    Three options:

    1. adapter entity that affects the UDF 3rd in a value such as "UDF2 is empty". Change group membership rule to use 3rd UDF.
    2. switch to update the database tables where the rules are stored. Not recommended... but you can get the rules of priority in the speech empty or null.
    3. do not use Group membership rules, get users into groups (many resources). Access policy is based on groups so you don't lose it

  • Incapable of Provisioning of users and groups to size

    Dear Guru,

    Assignment of access Dimensions:

    I can't give the commissioning of the users and groups of dimensions. I get the error "unable to add users and groups".

    Thanks in advance...

    You will probably need to provide more information,
    What version do you use
    have you ever been able to provision to users, they are native or external
    said the journal of planning.

    See you soon

    John
    http://John-Goodwin.blogspot.com/

  • Firepower does not work when using the Active Directory group as a rule filter access control

    I am PoV of Cisco ASA with the power of fire with my client. I would like to integrate the power of fire to MS Active Directory. Everything seems to work properly.

    -Fire power user agent installation to complete successfully. Connection to AD work fine. The newspaper is GREEN.

    -I created a Kingdom in FireSight and you can download users and groups from Active Directory.

    -I created a politics of identity with passive authentication (using the field I created)

    -Can I use the AD account "user" as a filter in access control rule and it work very well.

    However, if I create the rule of access control with AD Group', the rule never get match. I'm sure that the user that I test is a member of the group. Connection event show the system to ignore this rule and the traffic is blocked by the default action below. It doesn't look like the firepower doesn't know that the user belongs to the group.

    I use

    -User agent firepower for Active Directory v2.3 build 10.

    -ASA 5515 software Version 9.5 (2)

    -Fire version 6.0.0 - 1005 power module

    -Firepower for VMWare Management Center

    Any suggestion would be appreciated. Thanks in advance.

    Hello

    You should check the download user under domain option. Download the users once belonging to a group is specified on the ad and then test the connection.

    Thank you

    Yogesh

  • EPMA planning application migration: no synchronization with the provisioning of users

    Hi all
    We are migrating Production applications to dev. We have a planning EPMA and Essbase application in both environments.
    We migrated artifacts in the file system in PROD (Shared services, EPMA, planning, Essbase) and Reporting. We have copied and pasted into the folder what in DEV.
    Then, we try to migrate objects in DEV file system applications. First of all we did successfully EPMA artifacts in the migration status report, and then we deployed the application in the planning without any error. (msg showing as synchronized deployment). After that we had shared services, it is not
    MSG for error report status of migration:

    + 28:6571:Application < xxxxx > does not exist in the target. 28:6571:application < xxxx > does not exist in the target. 28:6571:application < xxxx > does not exist in the target. 28:6571:application < xxxxx > does not exist in the target. 28:6571:application < xxxx > does not exist in the target. ...+

    When I try to open the planning application, I get the error message: unable to synchronize with the commissioning, user see Planning journal for more details
    HyS9planningsyserr.log details:
    [INFO] RegistryLogger - REGISTRY LOG INITIALIZED
    [INFO] RegistryLogger - REGISTRY LOG INITIALIZED
    Rebinding of RMI thread creation
    com.hyperion.planning.DuplicateUserException: another user with hypadmin name already exists.
    com.hyperion.planning.DuplicateUserException: another user with hypadmin name already exists.
    com.hyperion.planning.HspRuntimeException: synchronization with the provisioning of users failed. Check the journal planning for more details
    at com.hyperion.planning.HspJSImpl.synchronizeUserWithProvisioning (unknown Source)
    at com.hyperion.planning.HspJSImpl.login (unknown Source)
    at com.hyperion.planning.HspJSImpl.login (unknown Source)
    at com.hyperion.planning.HyperionPlanningBean.Login (unknown Source)
    at HspLogOn.Handle (unknown Source)
    at HspLogOn.doGet (unknown Source)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:743)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
    at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:283)
    at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
    at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3241)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
    at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2010)
    at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:1916)
    at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1366)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:181)
    java.lang.RuntimeException: errors occurred during synchronization: [com.hyperion.planning.DuplicateUserException: there is already another user with the name of hypadmin.]

    Thank you
    Mady

    Hello

    I have the solution for this problem with the support of the Oracle.

    I have restored the database and migrated artifacts using LCM. a method is enough to make the migration of Planning (from Support of Oracle) applications

    Thank you
    Mady

  • [IOM 9.1.0.2] Being evaluated to a disabled IOM user access policy.

    Hi gurus,

    I have an access under evaluation strategy and provision of resources (AD) of the IOM disabled user.

    Any information on what I should check?

    Thanks in advance.

    There is a system property

    XL.EvaluateMembershipForInactiveUser

    Make sure the access policy is applied to users inactive too true

    It's in 9.1.0.2 BP14

  • Access policy for the user whose status is "disabled until the start date.

    Hello

    By default political access does not work for the user whose start date is later in OIM 11 g. I have an access policy that the provisions of all users of Xellerate OID. This policy is not work for users who start date is later, i.e. status = disabled until the start date.

    No workaround to make the strategy work is much appreciated.



    Thank you
    GYAN

    up to 10g it work very well if you put provisioning date as the current date. But, you cannot apply even in oim 11g

    Try below

    Add new udf to the user profile
    reconcile the start date in the new udf and leave the start of oim null date
    In this case the access policy will be triggers and you will be able to get an account created to the OID, and then set the start workflow OID IOM

    for reminder and all just to add trigger for the new udf and update on the changes.

    Note: In your case as OID in disable State it will cause no problem after the user status "disable up to that Start Date. If the resource object in activate State and change you the status to disable up to that starting date, it does not fire disable the user trigger.

    Kind regards
    Mireille nayan

  • Unable to provision of a receiver Office via the IOM access policy

    Hi all

    We have created a group membership and attaches it to an access policy that is put in service of a particular ro.
    When we try to use it, the procurement process gets stuck in the State of 'system Validation '.

    However, manual commissioning works perfectly well.

    The server is looking for something while he tries to provision?

    Thank you!

    http://rajivdewan.blogspot.com/2010/07/system-validation-with-pending-status.html

  • Cannot synchronize with the provisioning of users

    Hello

    None of the users other than admin are able to connect on the planning application to SIT. I have access admin SIT, but still not able to connect to any planning application. The error I get is "unable to synchronize with the provisioning of users. See the Planning journal for more details".

    What could be the reasons? What paper check?

    version - 11.1.1.3

    Kind regards
    Brig.

    Have you tried to run the utility updateusers:-http://download.oracle.com/docs/cd/E12825_01/epm.111/hp_admin/ch03s12.html
    This should try and HSS sync with the tables of planning, it will also display all failures.

    See you soon

    John
    http://John-Goodwin.blogspot.com/

  • Provisioning of users from different areas, based on a user IOM attr field

    Hi all

    We have a requirement where we are supposed to supply to the users of a particular resource under certain conditions.
    The scenario is like:

    In the screen of the user of the IOM, we get an attribute, for example say "Organization Id" which can have so-called values 'A', 'B' or 'C '. If the Id of the Organization has a so-called value 'A', then we need to check if the user is a case of rehire or not. Additional logic must be added if it is the case of rehiring. Once the complete logic is enabled, it must then assign the user to a particular group of which the user through the access policy will be put in service a particular resource to say 'ABC' FIELD.

    If said the Organization Id value 'B', then we want directly to the user to be placed in service to a different DOMAIN, say "XYZ" once again using an access policy applied in a group.

    Can you please let me know what would be the best possible approach to achieve this.
    All entries will be very appreciated.

    Concerning
    Nikhil

    There are several ways to implement your requirements.

    I would use an adapter of the entity to implement the Organization and to rehire logic check. Then I would put the user in different groups IOM with enclosed access policies provides the resources (see http://iamreflections.blogspot.com/2010/09/oim-howto-target-system-group.html)

    To the different areas, you can either use an object resource with the domain set up in the ITResource or you can clone the connector and use a resource by domain object.

    Best regards
    / Martin

  • How to install correctly the Provisioning of users DB management

    Hello!

    As a beginner, I try to configure the provisioning of users for Oracle 10g DB.
    Software installed:
    -Oracle Database 10g (10.2.0.3)
    -Oracle WebLogic Server 10.3
    -V9.1.0.1 oracle Identity Manager
    I put everything in a virtual lab on MS WinServer 2008 environment to test things...

    I am going through these steps (IOM connector database management © 9.0.4 User Guide):
    http://download.oracle.com/docs/cd/E11223_01/doc.904/e10425/toc.htm

    My PROBLEM:
    1. I completed all the steps from the Documentation until the "Connector feature 4 tests:
    http://download.oracle.com/docs/cd/E11223_01/doc.904/e10425/testing.htm#CEGDGBDA

    2. I edited the "config.properties" like this (according to the documentation):
    http://img2.imageshack.us/img2/3743/ConnectU.PNG

    3. then I run OIM_HOME\xellerate\XLIntegrations\DatabaseAccess\scripts\DBAccess.bat

    4. And the test is a failure, see below for the error:
    http://img527.imageshack.us/img527/994/error2l.PNG
    http://img79.imageshack.us/img79/3647/errori.PNG


    Your response is greatly appreciated!
    I thank very you much in advance!

    Hello

    There is a notion of 'reconciliation of search' you need to understand.

    To any target system if there is no field for which there is a set of predefined values (only these values must be fulfilled here), then we write a kind of reconciliation looking to schedule a task. In the backend code will link actually to the system target, reads all the valid values and then fills these values for corresponding in the IOM associated with this field of the process shape.

    In 'Database UserManagement' connector 'Roles' are the type of fields that have a research associated with it. The latest connector pack for it is 9.0.4.5. If you need to find a scheduled task that must reconcile these values of the roles of the target with the IOM by deposit in the attributes of required task. Once these values are filled to the IOM, you can very well use these values in the screens configuration of workflow for this resource by clicking on the icon of the field search.

    Let me know if you need more information.

    Sunny

  • Hyperion Planning copy provisioning of users of the Application

    Hi, I'm copying a 9.3.1 application from development to production.
    With copy app I've migrated data and metadata. I am not able to know how to copy also user and commissioning.

    There is no tool or I have to do it manually?

    Thanks in advance
    DecaXD

    Hello

    The utility does not set up users to the shared services, you must configure users to shared services before the migration of the application or enforcement of the updateusers utility.

    Utility synchronizations users in planning with shared services, they need to exist in shared services.

    If you want to migrate shared services provisioning, then you can try and use the import utility in the hyperion\common\utilities directory.

    See you soon

    John
    http://John-Goodwin.blogspot.com/

  • Not able to automatically configure users in the AD via the access policy

    Hello
    I can connect to AD and manually configure a user AD through IOM. Through very well. However, if I use an access strategy to do the same, he's stuck in step 'supply '. All values are identical in shape.
    Any suggestions on why it works manually but not automatically? I have all values including ad server filled my form. Are there additional configuration in the access policy that I'm missing?

    You fill out or have prepops for all the required fields in the form of commissioning?

    Do you have the automatic backup on?

    Best regards
    / Martin

  • User who do I use to connect to Oracle Portal?

    Hi all.

    I'm new in the portal and like to connect to Oracle Portal. Is my Application Server 10 g (10.1.2).

    I am trying to connect using my address http://caribe:7778/pls/Portal/Portal. On this page, I'm supposed to connect to the database. User who should I use?

    I see there are several pre created accounts linked to the Portal:

    USERNAME                       ACCOUNT_STATUS
    ------------------------------ ------------------------------
    GATE                           OPEN
    PORTAL_DEMO                    OPEN
    PORTAL_PUBLIC                  OPEN
    PORTAL_APP                     OPEN
    DCM                            OPEN

    Which user do I use? I have lessons available portals to the obe.

    Thanks in advance...!

    In Oracle Portal, users are not users of the database. They are called light users and are defined in the server of unique access code.

    You can use the Portal accounts or sleep to connect. Note that this portal is not the same as the portal user database. The password for the portal and sleep is the same as your ias_admin password.

    You can create new accounts in the application oiddas: http://:/oiddas. Replace and with the name of the server and port of your infrastructure.
