7 Replies Latest reply: Jan 30, 2013 6:26 AM by idamGod RSS

    Disabling OIM User

    977577
      Hello Experts,

      this is our problem:
      - we disable an OIM user (so his Resources results disabled)
      - we do a change in disabled user's attributes
      - the disabled resources still have provisioning events, and the change done in OIM user is transmitted to target systems


      Why a change on disabled user's attributes is still provisioned also if user's resources are disabled??

      Thanks in advance,
      Best Regards

      AT
        • 1. Re: Disabling OIM User
          Rajiv Dewan
          provisioning events
          Here you have mentioned that Disabled Users are having "Provisioning" instances.
          - the disabled resources still have provisioning events, and the change done in OIM user is transmitted to target systems
          If it is in Provisioning state then how it is transmitting the changes to Target System ?
          • 2. Re: Disabling OIM User
            977577
            Thanks for your answer,

            Sorry, I was wrong, our situation is still different:
            We have an ACTIVE user with a DISABLED Resource.

            Once I change some attributes, these changed are transmitted to the target system of disabled resource.

            Why does it happens? I suppose that an user should not transmit any change to a disabled resource..


            We need to modify a user (who has a disabled resource) without any data transmission to the target system and without revoking his resource..


            Best Regards
            AT
            • 3. Re: Disabling OIM User
              idamGod
              This is the default behavior of OIM. If a resource is not revoked, all changes will be transmitted to the target system even it if it is disabled.
              • 4. Re: Disabling OIM User
                977577
                Thanks idamGod,

                but which is the scope of Disable state for a Resource?
                • 5. Re: Disabling OIM User
                  idamGod
                  Then you can try this way.

                  Add the condition resourcestatus = "provisioned" or "enabled" to the OOTB adapter which is being executed on all "UPDATED" process tasks. Where you need to create a new variable resourcestatus to this adapter and get its value by writing a small java code.
                  • 6. Re: Disabling OIM User
                    977577
                    Thanks for your answer,

                    I examined the ProcessDefinition for SAP ECC resource, I found the standard adapter "SAPU Modify User" that is invoked during the update process. Its class seems to be oracle.iam.connectors.sap.usermgmt.integration.SAPUMUtilUserProvisionManager from SAP.jar, but are you sure that is a good idea to modify a standard class?

                    Anyway I don't know the path to get SAP.jar...

                    Could you suggest me some tutorial?
                    Sorry but I'm a newbe..

                    Thanks and Best Regards,
                    AT
                    • 7. Re: Disabling OIM User
                      idamGod
                      Why are you changing the OOTB code. This is not suggested.

                      What I am telling you is this.

                      If you open the adapter "SAPU Modify User" in design console, you will see a java adapter task that is being called to update data right...for example say its name is UpdateUser.

                      Just prior to this, add a new java adapter task which will get the resource status for that user..say the adapter task name is getResourceStatus.

                      Add a condition if getResourceStatus = "Provisioned" or "enabled" then only call the adapter task UpdateUser.