Hi all,

we installed the Q1IM web portal on a testserver (10.38.195.66) in test netwwork. Access on localhost works just fine.

Going to URL http://10.38.195.66/identitymanager bings up the Q1IM Logo and a running "processing" Icon.  This proofs that ther server and the deployed application can be reached, right?

Access from production network to testserver works for some colleagues, for others not. We assume some issues with the individual IE settings of the user.

Customer uses proxy auto config (PAC files)  so individual proxy setting should not be the problem.

ping 10.38.195.66 is OK

Any ideas?

Thanks

Jürgen

Hello, in our environment we have employees with multiple AD accounts linked to their person record. When we fire templates on an employee whose manager has multiple AD accounts linked the correct account appears as the manager (UID_PersonHead@Person) on the person record but the incorrect account appears on the ADS Account (UID_ADSAccountManager@ADSAccount). I have provided the custom scripts that we have in Designer. It may be something simple that I am just over looking, any help would be appreciated. Thank you

ADSACCOUNT Table UID_ADSAccountManager Column

Dim f as ISqlFormatter=connection.SqlFormatter

SelectCase ($ManageLevel:Int$)

      Case0:'Unmanaged (do not get data from employee)

      Case1:'Managed (fill all possible fields about employee)

                  Value = connection.GetSingleProperty("ADSAccount", "UID_ADSAccount", f.Comparison("UID_Person", $FK(UID_Person).UID_PersonHead$, valtype.string)) 

      CaseElse:'Unspecified manage level

            ThrowNew ViException(#LD("Non specified manage level: {0}", $ManageLevel:Int$)#)

EndSelect

Person table UID_PERSONHEAD Columns

Value=$FK(UID_Department).UID_PersonHead$

Thanks,

Jim

I need to update the viewing condition for the ShoppingCartOrder table.  Currently we are trying to display the DocumentNumber for a request on the web IT shop, but it only shows for certain users.  I've tried to update within designer, but I can't actually update the condition:

How can I edit the Viewing condition?

How do I get around an existing policy in the domain and replace it with the Quest password manager? I installed the Quest One Password Manager with the password extension. The default domain policy was unlinked from the domain.

Even though the old policy was unlinked its settings are still tatooed in the domain. Quest told me if another policy is inexistance it will overrule their policy.

You cannot "disable" settings like minimum password age. Only "Not Defines" So I set them to "0".

After I did that the quest policy works and I can use the "Forgot Password" link in the extion. The problem is that I can change the password natively in windows with no restrictions!

Is it possible to use a script (for instance PS) to trigger a process within Q1IM ?

If yes could you please provide me some example ?

I would like to create a service item that requires the requester to enter a "Reason" for the request.

I have created a Request Properties, with Reason as a mandatory parameter, and set this on the Service Item.  All seems to work as expected.

However, if I look at the "Additional information" in the shopping cart, I see two identical copies of the "Reason" field. Similarly, I see two identical copies in the request history.

Is there a way of doing this, or must I use other fields, such as "Additional information" instead?  For this case it's not too much a problem, but I would also like to force a "Valid until", and this is more of an issue.

Hello,

we use a web project with the authentification setting: Person (rolebased)

A new requirement is to show the users some hours before a maintenance some Information about it. This information is basicly stored in the Table DialogConfigParm

Therefore I need to access to the Data (DialogConfigParms) of the Database before the user is authentificated.

So far I havetriedthe following

1.    Using Singleproperty in a DisplayNode

2.    Using a Collection with the source Type Database-Query

Especially the 2^nd one should not go through the object layer in my opinion. Also a SQL-Connection should be set at this time.

However I receive the following error Message by opening the Login-Page:

Error while loading collection ConfigparmWartungsModus.
at VI.WebDesigner.Action.LoadTableDefinition.ExecuteInternal(ActionExecutor executor)
at VI.WebDesigner.Action.ActionBase.Execute(ActionExecutor executor)
at VI.WebDesigner.Action.ActionSequence.ExecuteInternal(ActionExecutor executor)
at VI.WebDesigner.Action.ActionBase.Execute(ActionExecutor executor)
at VI.WebDesigner.Definition.Components.ComponentBase.InitializeComponentInstance(ActionExecutor executor)
at VI.WebDesigner.Definition.Components.GlobalComponentUsage..ctor(ActionExecutor executor, ComponentBase ctl, IComponentReference reference)
at VI.WebDesigner.Definition.Components.ContextGraphNode.EnterSubNode(ActionExecutor exec, IComponentReference compRef, IDocumentControl ctl)
at VI.WebDesigner.Renderer.Controls.ControlReferenceRenderer.Create(Control parent, BaseControlDefinition definition, RenderManager renderer)
at VI.WebDesigner.Renderer.RenderManager.RenderInternal(Control parent, BaseControlDefinition controlDefinition)
at VI.WebDesigner.Renderer.RenderManager.Render(Control parent, BaseControlDefinition controlDefinition)
at VI.WebDesigner.Renderer.RenderManager.RenderSub(Control parentControl, IContainerControl parentDef)
at VI.WebDesigner.Renderer.Controls.ContainerRenderer.Create(Control parent, BaseControlDefinition definition, RenderManager renderer)
at VI.WebDesigner.Renderer.RenderManager.RenderInternal(Control parent, BaseControlDefinition controlDefinition)
at VI.WebDesigner.Renderer.RenderManager.Render(Control parent, BaseControlDefinition controlDefinition)
at VI.WebDesigner.Renderer.RenderManager.RenderSub(Control parentControl, IContainerControl parentDef)
at VI.WebDesigner.Definition.Controls.PagePartContainer.PagePartContainerRenderer.Create(Control parent, BaseControlDefinition definition, RenderManager renderer)
at VI.WebDesigner.Renderer.RenderManager.RenderInternal(Control parent, BaseControlDefinition controlDefinition)
at VI.WebDesigner.Renderer.RenderManager.Render(Control parent, BaseControlDefinition controlDefinition)
at VI.WebDesigner.Definition.Include.PageType.RenderSingleItem(PageRenderItem pri, RenderManager renderManager)
at VI.WebDesigner.Definition.Include.PageType.RenderPage(RenderManager renderManager, Control formControl, Control headControl, Control bodyControl)
at VI.WebDesigner.Runtime.Communication.WebPage.RenderPageInternal(RenderManager renderManager)
at VI.WebDesigner.Runtime.Communication.WebPage.RenderPage(RenderManager renderManager)
at VI.WebDesigner.Runtime.Communication.WebPage.BuildForm()
Object reference not set to an instance of an object.
at VI.WebDesigner.Runtime.SQLTable.LoadInternal(ActionExecutor executor, DataExpression statement, ILoadTableOptions loaderDefinition)
at VI.WebDesigner.Runtime.SQLTable.Load(ActionExecutor executor, DataExpression statement, ILoadTableOptions loaderDefinition)
at VI.WebDesigner.Action.LoadTableDefinition.ExecuteInternal(ActionExecutor executor)

In the Webdesigner the Login-Page presents the data as required, but I think that I’m already authentificated before I get the login Page.

So what are the optionstogetdatabefore the authentication? At best, without using an additional webproject.

Best regards,

Martin

Quest Gurus,

I need some help in setting up a report workflow for attestation. Basically, our current setup will simply run an attestation build for each of the apps we have added to Q1 but once the user approves or denies someone, nothing happens. We are currently NOT wanting to use the auto-provision functions because there are too many variables in some of those provisioning steps. Instead, I would simply like a report to be generated that shows who was approved and by whom that we can take to internal audit. Based off my limited understanding of workfows, I have already created an approval workflow but I have not created a report workflow. I think I have to build a report workflow and add it to the approval policy or procedure.

Is this correct? If so, how might I accomplish this? If someone has a link to a step by step, that would be awesome. Thanks!

Here is what I need to do.  Currently I have a process listening to the PersonWantsOrg table.  When a role removal happens I trigger one action in my script and when the account is actually deleted I trigger another action.  In my script I am doing query on PersonHasRessourceTotal table to see if the account has been removed from that table.  However, what I am noticing is that the timing doesn't seem to be working out right.  Meaning, when I test this it looks like my script is seeing that the PersonHasRessourceTotal record still exists.

Since this probably is a timing thing I don't want to include a pause.  Performance might very here.  I was thinking if there is a way I can tell from my script that is running on the PWO table if/when that PersonHasRessourceTotal that would work.

How does the product identify internally that this is the last role a person has and we need to remove the account?  I basically need to be able to tell if this is the last role the user has for this Ressource when they are request it to be deleted.

David

Hello,

I read in the q1im getting started documentation that we can install Job Server on Linux machine with the following requirments.

Linux Operating System

• SuSE Enterprise Server 10
• Single Core 1.65 GHz+ Processor
• 40 GB free disk space
• 4 GB RAM

Software Prerequisites

• Mono 2.8 or later
• Direct TCP/IP access is required to use an Oracle database system. A connection

Moreover, I have found a Linux folder in the q1im (..\Q1IM_6.0.1\Jobservice\Linux) installation diretory which is mainly contains .exe and .dll files, this is why i believe the installation has probably to be done from the Windows machine.

However I don't know how and I haven't find topic on this.

• Which file I have to execute to install job server on remote linux server?
• How can I specify the following information: linux server hostname, linux system account, linux installation folder?
• Does the system account need specific rights?

For your information.

• Quest machine: Windows server 2008 R2 with Q1IM 6.0.1
• Oracle machine: Linux SuSE Enterprise with Oracle Standard One Edition 11g R2 and Mono 2.8

Hello,

I have a question regarding the generation of reports.

Wehaveobservedthatthere isa hugedifference in timebetweenthecreation of reportsfrom thewebfrontendto other tools.

For Example the creation of a person with History-Report does take approx. 15 seconds in the Identity Manager. In the Webfrontend it takes 45 seconds until the pdf-file is shown. (VI-StandardWeb)

Isthere asystem-specificreason?

Best regards,

Martin

Hi,

I configured 2012 domain beside 2008 AD domain in Q1IM. Synchronization of 2008 is working as expected, but on 2012 I get folowing error in job server:

VI.JobService.JobComponents.ADSComponent - a31dd0b5-126d-4f9d-bb0c-e67f7997d14d: Errors occured

    The connection mode of the provider was set to Default.

    XML parser error on object node ADSGroup

    XML parser error on object node ADSAccount

    Definition rule for object properties and relation memberships was changed by the definition loaded from table Domain column MappingInfo.

    Error parsing XML structure : <?xml version="1.0" encoding="utf-8"?>

    <Configurations>

              <Configuration Name="ADS" Namespace="ADS">

                        <Layout />

                        <Task>

                                  <ControlParameters>

                                            <Option Name="SyncSystemContainer" Value="1" />

                                            <Option Name="SyncAdvancedFeaturesContainer" Value="1" />

                                            <Option Name="DisableRAS" Value="1" />

                                            <Option Name="DisableTerminal" Value="1" />

                                            <Option Name="LookUpDomainNames" Value="" />

                                  </ControlParameters>

                        </Task>

              </Configuration>

    </Configurations>

    Processing task FullSync failed.

I set up additional server in 2012 for synhronization and I can see it beside other job servers/queues.

What did I missed? Should I use different mapping file? What should I chenge in existing mapping file?

Many thanks for suggestions

I've created an email template that includes the Employee's start/end dates.  However when the email gets sent, it always gets formatted as US-style dates and also includes a time field.

In my template, I have a line:

  Start Date: $EntryDate:Date$

and the template is set to local en_GB.

When the email is sent, I get:

  Start Date:  2/31/2013 12:00:00 AM

But I want to see it in UK format with no time:

  Start Date: 31/2/2013

How is this best achieved?

Hi All

We did incorporate Q1IM 6.0 with ARS to connect to the customers active directory. As we did build a process to automate some groups based on textfiles, we did hit a huge load of error messages last night during our go-live.

The error message that was coming up is:

2013-03-17 05:33:43 -04:00 - VI.JobService.JobComponents.ADSComponent - d3d870c2-d7f9-4321-b6dd-0bd2469dadb8: Errors occured

    The connection mode of the provider was set to ADS_EDMSERVER_BIND.

    Loading import file BFO_ADSMapping.DLL.XML has changed the object property assignment rules and the member relationships.

Error processing object relations for CN=p.aut.mss_emps,OU=Auto-Generated Groups,OU=B-F Groups,OU=All Groups,DC=b-f,DC=net in Active Directory.

    [854003] Processing task Change Members failed.

[1705017] Saving new or modified directory entry EDMS://HQUARV01/CN=p.aut.mss_emps,OU=Auto-Generated Groups,OU=B-F Groups,OU=All Groups,DC=b-f,DC=net failed.

    [System.Runtime.InteropServices.COMException] Administrative Policy returned an error.

Request to change a multi-valued attribute has failed: attempted to add or remove too many attribute values. Not more than 1500 values can be added or removed from a multi-valued attribute within a single request.

It seems like the customer is dealing with a bigger number of user accounts in AD groups. Does anyone know a way to work around that using Q1IM and ARS as the AD provisioning engine? Any hint would be greatly appreciated.

Thanks

Carsten

Hello,

We came across an issue with EBS deferred processes due to quarterly password change for EBS target system. As the deferred jobs in the queue caches the connector password when a password is changed in the target & Q1IM system the deferred jobs are unware of the password change keeps failing and finally goes into frozen state. Is there any way to refresh the password when Q1IM connector password is chagned ? Please suggest the best way of handling this issue.

Other Observations:

- Instead of reading the password using the foreign relation,  I tried to call a script and re-initialized the process even then the password is not refreshed.

Regards,

Sasi

Hello,

  I have developed a custom process, in the process I would like toe generate an event based on exception from previous step. Is there anyway to capture the exception message or return code from the previous process step ? please let me know.

Regards,

Sasi

I would like to create a rich-text email which contains a list of items, e.g. from a custom relationship table.  Is this possible, as I see no way of adding a repeating structure in the mail template editor?  For example, how could I list all of a person's AD accounts, including SamAccountName, Mail, OU and domain for each.

Alternatively, can I use a report to create a rich-text email or would this have to be as a PDF file attachment?

I'm using Q1IM 6.0.1.

We are trying to put a document together for our customer with a high level process for handling failures from Q1IM.  For example, let's say provisioning to a target system fails, and an engineer goes in and manually creates the account on the target system.

What would be the recommended practice for marking the failed job in the job queue.  We don't want to end the step with failure, as it could continue down a failure path.  We don't want to end the step with success, as it would continue down the success path.  We also don't want to delete the job altogether, as it would disappear from the queue and the history.

What would others recommend?

Hi all,

I have ARS but I´m going to replace it with Q1IM ADE version.

I have many Distribution Groups with secondayOwner already defined and I would like to use edsvaSecondaryOwners from ADE in order to store the secondaryOwner from ARS.

My problem is: I don´t have write permissions on edsvaSecondaryOwners attribute.

I changed those permission in table ADSGroup for edsvaSecondaryOwners but still having problems.

My guess: edsvaSecondaryOwners is a virtual attribute and is defined in other table but I don´t know which one is it.

anybody has an idea?

Thanks in advanced.

Hello,

We want to install custom web portal from Q1IM database on Apache 2.2 (on SuSE Entreprise Server).

We have installed following RPM packages:

• apache2
• apache2-mod_mono
• mono-complete
• mono-basic

We tried to run WebDesigner.Installer.exe with mono command but we meet the following error:

Could not load file or assembly 'Microsoft.Web.Administration, Version=7.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies.