10 Replies Latest reply: Sep 4, 2013 4:15 PM by user8663548 RSS

    How to revoke Resource Object from user

    user552098
      I need to revoke a resource object from a user using the OIM API. This is using OIM 11g version.

      If I understand correctly, the API I need is in the tcUserOperationsIntf interface and is the following:

      void revokeObject(long plUserKey,
      long plObjectInstanceForUserKey)

      However, the documentation does not say what the plObjectInstanceForUserKey parameter is nor where I get it. I need to perform this revoke from within a process task of the same Resource Object, so I have the process instance key, if that's the same thing. But if not, where do I get the plObjectInstanceForUserKey?

      By the way, the user has multiple instances of the same Resource Object name, all with different IT Resources mapped to them. I need to revoke just one of these; the one that matches the Process Instance Key that my process task knows.

      Thanks for any help.
      -Dave

      Edited by: user552098 on Feb 11, 2013 10:33 AM
        • 1. Re: How to revoke Resource Object from user
          Kevin Pinsky
          You can return a response code of X to cancel the resource and trigger the revoke process.

          If you must use code outside the workflow and you have the userkey, you can use this code:
          >
          Map searchCirteria = new HashMap();
          searchCirteria.put("Objects.Name", resourceObject);

          tcResultSet resourceSet = provIntf.findObjects("Revoke", new String[] {userKey}, "U", new String[] {}, new String[]{}, searchCirteria);
          for (int ii=0;i<set.getTotalRowCount();ii++){
          long key = resourceSet.getLongValue("Users-Object Instance For User.Key");
          LOGGER.log(Level.INFO, "Users-Object Instance For User.Key[" + key + "]");
          boolean revoke = false;
          try{
          userIntf.revokeObject(Long.parseLong(userKey), key);
          revoke = true;
          }catch(Exception e){
          LOGGER.log(Level.WARNING, "Error revoking resource:" + e.getMessage());
          }
          }
          >

          -Kevin
          • 2. Re: How to revoke Resource Object from user
            user552098
            That seems to be a bit more overhead than I would think necessary. If my code is already running in a process task of that user's resource Object, don't I have access to the information I need to perform a revoke on that same resource object? Do I really need to call an API that returns a result set? Also, what search criteria is supported here? Can I pass into the search criteria a process instance key name/value pair? The documentation doesn't tell me.

            So, I still don't have the information I need here.
            -Dave
            • 3. Re: How to revoke Resource Object from user
              Kevin Pinsky
              Just return a response with an X as the response code.

              -Kevin
              • 4. Re: How to revoke Resource Object from user
                user552098
                Sorry, I don't understand that reply at all.

                To reilterate my question: Is there a way to obtain the plObjectInstanceForUserKey value from within a process definition task in order to revoke that same Resource object from a user without having to loop through all current resource objects that the user has? Keeping in mind that the user will have multiple instances of the same resource object and I need to revoke only one, the one associated with the process instance key I have in my process task.

                Is there a way to do that?
                Thank you.
                -Dave
                • 5. Re: How to revoke Resource Object from user
                  Kevin Pinsky
                  I have already provided you some information. I suggest you setup jdeveloper or an eclipse environment, connect to your OIM instance and start doing some testing of your own. If you do not understand the information being provided to you, then you need to take some initiative on your own to better understand the product.

                  Again, there is no need to search against all the existing instances if you are already in the one you want to revoke.

                  The value you want is not mappable from a drop down, but if you are in the worklfow, you need only return a response with a status of X. Here is the documentation: http://docs.oracle.com/cd/E21764_01/doc.1111/e14309/promgt.htm#BCEEGEDC

                  When you return an X status, it is the same as a revoke which will cancel all process tasks for that workflow and trigger the Undo tasks. Assuming your connector is configured correctly, and your create user task has an undo of delete user, it will trigger that task and the final outcome will be revoked.

                  -Kevin
                  • 6. Re: How to revoke Resource Object from user
                    user552098
                    I have been using JDeveloper with OIM 11g for 2 years now. We also have Oracle consultants on site. But even with that, I find the documentation extremely lacking. I understand the concept of response codes from process tasks, and I see the X option on the Status Lookup, but all it says there is "Cancelled". I never associated the response of "Cancelled" with an entire Revoke of the resource object and a trigger of the create undo task. If it does, then that would be perfect. I checked that link you provided. It talks about setting up responses on a process task, but it doesn't give any real clear definition on what the X response code actually means or what it does when returned. If it only said what you said in your reply:

                    "When you return an X status, it is the same as a revoke which will cancel all process tasks for that workflow and trigger the Undo tasks.

                    it would have saved me a lot of time and trouble.

                    But ok, I understand what you're saying and I will try this out. If this does what I need, then perfect and I thank you for the help.
                    -Dave
                    • 7. Re: How to revoke Resource Object from user
                      user8663548

                      Hi Kevin, I have been trying code similar to this in my OIM API client, but when the revokeObject call is made, it just hangs, never returns...And the resource is also not revoked. Thoughts?

                      • 8. Re: How to revoke Resource Object from user
                        user8663548

                        Hello. Does revokeObject() work if the account is provisioned via policy? I'm thinking that may be the reason this API call is hanging in my case.

                        • 9. Re: How to revoke Resource Object from user
                          user13133319

                          I don't think this could be a reason.

                          • 10. Re: How to revoke Resource Object from user
                            user8663548

                            Update: The revokeObject() API call works in the case of an account provisioned via policy. It didn't work with my first test user, not sure why, but I reried with other cases, it worked.