This content has been marked as final. Show 19 replies
I recommend reading http://docs.oracle.com/cd/E19225-01/821-0378/index.html
waveset and Lighthouse are basically two ways to reach the same data but are used in different manners.
read in the waveset.attributes section of the document above
Collection of arbitrary attributes that is stored with the WSUser in the Waveset repository. The value of the waveset.attributes attribute is either null or another object. The names of the attributes in this object are defined by a system configuration object named Extended User Attributes. Common examples of extended attributes are firstname, lastname, and fullname. You can reference these attributes in the following ways:
You typically do not modify the contents of the waveset.attributes attribute. Instead, modify the values of the accounts[Lighthouse] attributes. When the attribute is stored, values in accounts[Lighthouse] are copied into waveset.attributes before storage. waveset.attributes is used to record the original values of the attributes. The system compares the values here to the ones in accounts[Lighthouse] to generate an update summary report. See the section on the account[Lighthouse] attribute for an example of how to extend the extended user attributes.
Thanks for the detailed explaination.
We are facing one issue concerned to the application. Since we are using the customised IdM 8.1 application, few of the settings/configuration is missing. Usually when a user is created, his/her data is saves as an XML object file. Within this file the user's manager data is not getting updated or there is o refersnce for it i.e. <idmManager> tag is missing for all users.
I think the user manager data is not updated on lighthouse and waveset too because of which users manager values are not coming up on few of the reports also.
Do i have to add the manager attributes under Extended User attributes configuration file?
Thanks in advance.
How are you updating the manager attribute?
Manual from input or by activesync or reconcile or a combination?
Wherever you process it you need to set global.idmManager to what ever you need.
and you might also set accounts[Lighthouse].idmManager to global.idmManager
it all depends on when you set it...
We have an automated sync in from our HR resource, so when a user is created there it will automatically create an IdM user with the right internal id and manager etc. etc.
We also run a nightly ActiveSync that will update various other things from HR, like department, division and such
we then have scheduled reconciles that will try to match up these user with resources that exists and of course flows to create the from the administrative views too
We are updating the manager attribute with the help of Active Sync process. But this data is updated only on the Identity LDAP instance and not on Identity Manager resource.
We too have a HR Flat File active sync process which will create an IdM user. It will invoke the various workflows such as create, update etc....based on the "FeedOp" value. But nowhere within these workflows I have seen global.idmManager getting updated.
The application is customised for business purpose and the version change happened before I joined the project. So not sure what exactly is done for idmManager attribute.
Reconciliations do run for all the resources every week. But till now i have not found any Xpress code that will run during reconciliation so that i can understand what actually happends during the process in a better manner.
Any idea where it can be found or waht exactly happens.
One more thing, how does a User Object(XML) file get created automatically, when the user is created?
If you only update the LDAP resource, then this is the only place that will change...
You need to update it in all resources you need it to be updated, one easy way is to use the global.nnnn attributes
it need to be properly mapped to all places, but the default mapping should work fine for Lighthouse
in our active sync form... a bit cleaned up...
exchange the activesync.idmManager with whatever attribute you get the info from
<Field name="accounts[Lighthouse].idmManager"> <Expansion> <cond> <notnull> <ref>activesync.idmManager</ref> </notnull> <ref>activesync.idmManager</ref> <ref>accounts[Lighthouse].idmManager</ref> </cond> </Expansion> </Field>
If you miss a field to update the user view when syncing, then maybe you need to fix that or
add another recon from ldap to IdM with native changes noticed?
As usual there are lots of way to get the job done
As you see above, we don't use the global either, but we have several fields getting updated with that
but idmManager isn't one of them in our case :D
There is really no xml file created until you do an export of an xml object
the xml objects gets created from the different objects at checkin of their respective views.
So when you create a user, you fill out the form in some manner and then check that object (view)
into the repository where it will be saved as an xml in a clob with some attributes more readily available.
Not sure if that answers your question...
Thanks for replying. I'll try editing the form.
But i'm not very sure about the exact attribute for manager on Lighthouse. Under IdMAttributeSchema Configuration the attribute is named as "idmManager".
For getting the date from feed file, we use
How to get the exact lighthouse attribute name?
well, they dont have to be the same
An alternate source could have the name manager on the data.
Thats why we use forms
in IdM iirc the manager attribute is use to signal (Y/N|true/false) if the user IS a manager...
f.ex. if I check my own entry in my userview...
It's garbled by me, but from this you can see we use closest_manager in our Lighthouse to house the value of the manager
<Attribute name='business_area_name' type='string' value='Group IT'/> <Attribute name='business_unit_name' type='string' value='IT Development'/> <Attribute name='closest_manager' type='string' value='12345'/> <Attribute name='company_profit_centre_code' type='string' value='yyyyy'/> <Attribute name='country_code' type='string' value='SWE'/> <Attribute name='department' type='string' value='Application Mgmt'/> <Attribute name='division' type='string' value='Business Support'/> <Attribute name='employeeId' type='string' value='nnnnnnn'/> <Attribute name='firstname' type='string' value='Jxxxx'/> <Attribute name='fullname' type='string' value='Axxxxxx, Jxxxx'/> <Attribute name='lastname' type='string' value='Axxxxxx'/> <Attribute name='manager' type='string' value='N'/> <Attribute name='position_start_date' type='string' value='2011-04-04 00:00:00.0'/>
but the manager value is just stating N, which means I am NOT a manager :D
So in your case then...
Now, I believe the default name for the manager in IdM is idmManager, but you can ofcourse tweak that.
<Field name="accounts[Lighthouse].idmManager"> <Expansion> <cond> <notnull> <ref>activesync.manager</ref> </notnull> <ref>activesync.manager</ref> <ref>accounts[Lighthouse].idmManager</ref> </cond> </Expansion> </Field>
In the default User Lib (found in the UserForms) it uses a drop down to make the manager selectable, we don't use that at all :D
We made our own copy of this lib and the user forms refering to it... and tweaked it quite a lot...
this is how it looks in original :D
Edited by: Dhurgan on Nov 20, 2012 4:58 PM
<Field name='global.idmManager'> <Display class='Selector'> <Property name='title' value='_FM_MANAGER'/> <Property name='multivalued' value='false'/> <Property name='sorted' value='true'/> <Property name='valueTitle' value='_FM_MANAGER_IS'/> <Property name='pickListTitle' value='_FM_MANAGER_SELECT'/> <Property name='allowTextEntry' value='true'/> <Property name='pickValues'> <ref>availableIdmManagers</ref> </Property> <Property name='clearFields'> <List> <String>idmManagerFilter</String> </List> </Property> </Display> <Field> <Display class='Row'/> <Field name='idmManagerFilter'> <Display class='Text'> <Property name='title' value='UI_TREECOMPONENT_SEARCHTEXT_LABEL'/> <Property name='size' value='20'/> <Property name='maxLength' value='64'/> </Display> </Field> </Field> </Field>
Can you tell me what is the purpose of Default User Library? Also what is the purpose of using User Forms? How is it used with Active Sync processes?
I checked the "Default User Library" object file. There is no field entry for "Manager" itself!!!!. I can see al fields like waveset.resources, waveset.accountID,global.mail etc. Not sure why its been omitted.
Now if I add lighthouse.idmManager field inside the form that is used for HR processing, will it update properly or sonce the entry is missing in Default User Lib, its not going to affect anything?
Why Im very much conerned about this manager field is, im trying to generate a User report(since 2 months!!) which contains manager attribute too. This field is null for all records.Then i realised that user manager is not updated on Lighthouse & Waveset and because of which the field values are null.
I added the idmManager field inside the form and the User XML object do conatins the manager value also.
Many thanks to you:-)
But now the problem is, there thousands of users for whom manager value is not updated. Does reconciliation solve the issue. Is it possible to carry out the reconciliation on Lighthouse, because User report gets data from Lighthosue.
Let me know if my understanding is correct.
These are pretty basic questions regarding the functionality of IdM.
There are some semi-good explanations in the waveset documentation on forms, workflows and the xpress language.
There are probably some pdf's floating around the internet with study material too.
The whole concept of IdM is around Forms, Rules and Workflows working in conjunction with resources.
The libraries are simply collections of commonly used "functions" to be used by forms, rules and workflows.
it might, if its a reconciliated resource...
it might not be if you are using it for active syncing
you might be better off just doing a bulk provisioning of that update in some manner
The idea is to update the idmManager on lighthouse resource.
I tried the below command under bulk resource actions:
This is not updating user manager value on Lighthouse. Is the above the command correct. Does reconciliation work for Lighthouse?
Accounts -> Launch Bulk Actions
Action: From Action List
all checkboxes unmarked
input area selected and the following lines in the input area...
I know I have the closest_manager field in my user form (the one specified for users)
command,user,accounts[Lighthouse].closest_manager update,43725,44569 update,77774,43725 Task Summary Name Bulk Actions - 20121121 12:45:58 Description Process build operations Owner Johan State finished Host IdM-Node-1 Start Date Wednesday, November 21, 2012 12:45:58 PM CET Expiration Date Thursday, November 22, 2012 12:46:15 PM CET Execution Time 16 seconds Task Results Task Extended Results Update of user '43725' 43725 on Waveset: closest_manager 44569 Information: The operation was performed successfully. Update of user '77774' 77774 on Waveset: closest_manager 43725 Information: The operation was performed successfully.
You cant really reconcile Lighthouse, normally you reconcile a source to update/build the Lighthouse data
you could perhaps reconcile the source you use for active sync, but once again, you need all the right things in that reconcile properties then
It's so seldom you do it, but it just hit me... we did it back in 2006 I think :D
if you have a resource that you base your users on, you might be able to use
Accounts -> Load from Resource
need a lot of careful meddling if your doing it on production systems, I would test small resource on a test/dev system first.