I'm trying to put together an email that will take a user to their pending attestations in the IT Shop. Does anyone know the format for building the link?
↧
Linking to the IT Shop
↧
Add a Task to an Info System
Hi Community
I might just be blind or running into an dead end: Our customer did ask us to build an import for manual resources (Systems, Entitlements, Users and Assignments) into the Unified Namespace, which we already accomplished sucessfully. Now we want this import being kicked off manually by an Task on the Infosystem of the Unified Namespace (see attached screenshot). Although there is a Task section in the Task window, there is no object to assign the task to.
Is there a chance to accomplish this or is there the need to tie it to a real object for display of the task in the Q1IM manager application?
Any hint is greatly appreciated.
Thanks
Carsten
↧
↧
AD Sync not syncing group memberships into Identity Manager
Hi All,
We run our AD sync daily at 2:00 am. We have noticed that security groups that have been manually updated with new members in Active Directory are not updating in Manager the next day. We run our Incremental AD Sync checking Synchronize next to the ADSGroupMember types/assignments under Configure synchronization with Identity Manager being the slave. Any help on this issue would be greatly appreciated. Thanks.
Jim
↧
Designer - SQL Database Import not Updating UNSAccountB
Gurus,
I eluded to this question in a previous post and despite my best efforts, I can't find a solution yet. So here is the situation, one of the applications we are attesting to runs off an MS SQL Database and our DBAs have basically given the Quest account rights to run a few stored processes so that it can synch the users/groups from the SQL application to Quest. The script basically opens a connection string to the database, runs the stored procs and uses the data to populate users (one script) and populate data base roles (other script) into UNSAccountB and UNSGroupB respectively while tagging XProxyContext to be the application name... lets call it DBApp1 for privacy.
In the Production environment, the sccripts work just fine... they pull the data in and populate accordingly. I used the Database Transport tool to import all Change Labels into the Test lab. After verifying that AD synch was working Dev and then making sure that Manager > Unified Namespace has an entry for DBApp1, I ran the import. I watched the job logs intently - refreshing every few seconds, just to make sure everything worked. Yay! The script completed and I got NO errors. I even have the script writing a log file to show me what it does. The log file shows several new inserts into the database. Yay!
THEN... I checked UNSAccountB and UNSGroupB. NOTHING is there... There are no records at all...
I tried the same process again with DBApp2. Again, all things look great! Imports run and NOTHING in UNSAccountB or UNSGroupB. What the heck happened? Where did this stuff go? If the logs think everything is fine and the database is sending data (I verified this). Why doesn't it populate into Quest? Can anyone provide me some insight?
Thanks in advance!
↧
Out parameter with insert process task
Hi,
we are using the process task "HandleObjectComponent - Insert" to create PWOs in different processes. Now I need the UID_PersonWantsOrg from the new PWO object in adjacent process steps, but "HandleObjectComponent-Insert" has no OUT-parameters. What's the best way to solve this?
Thanks a lot,
Norbert
↧
↧
Login to IT-Shop with Userprincipalname
Hi everyone.
I have set IT-shop to authenticate users against AD. It works if I enter just "myusername" as username (sAMAccountName attribute in AD). I would like to use UserPrincipalName as username. It means I would like to login with username@mydomain.com. Is it possible and what should I do?
Thanks.
Evgen
↧
Role inheritance (Role Approver and Role Approver IT)
Hi all,
I just had a quick question regarding creating sub-roles under RO and role approvers (IT)...also attestors I guess (for tracking purposes of which custom role approved). I create sub-roles underneath the parent role (manually add the necessary permissions), but the approver is not named unless I add them to the parent role. The only setting I see is "block inheritance" which is not enabled...is this by design or am I not looking in the right place? Thanks in advance for your response.
Kenny
↧
Script: delete system role or business role
Hello,
In my script, I create system roles with associated service items and add them to specifics shops.
Then I want to delete them: I delete first associated shop products, then system roles and service items.
When a system role was resqueted in IT shop, I can not logically delete it and I meet errors.
How can I verify if the system role was requested in IT Shop? In order to not try to delete it.
Below the content of my script.
Regards,
Serge
' ### CREATE
' create service item
Dim AccProduct As ISingleDbObject = Connection.CreateSingle("AccProduct")
AccProduct.PutValue("Ident_AccProduct", DisplayName)
AccProduct.PutValue("UID_AccProductGroup", Connection.GetSingleProperty("AccProductGroup", "UID_AccProductGroup", "Ident_AccProductGroup='RoleApplicatif'"))
AccProduct.FillPrimaryKey()
AccProduct.Save()
' create system role binded to the service item
Dim ESet As ISingleDbObject = Connection.CreateSingle("ESet")
ESet.PutValue("Ident_ESet", Ident_ESet)
ESet.PutValue("DisplayName", DisplayName)
ESet.PutValue("Ident_ESetType", "...")
ESet.PutValue("IsForITShop", True)
ESet.PutValue("UID_AccProduct", AccProduct.GetValue("UID_AccProduct"))
ESet.FillPrimaryKey()
ESet.Save()
' create a product in every concerned shop
If AssociatedShop.Length > 0 Then
Dim ShopList As String() = AssociatedShop.Split(New Char() {"|"c})
Dim ShopItem As String
For Each ShopItem In ShopList
Dim ITShopOrgHasESet As ISingleDbObject = Connection.CreateSingle("ITShopOrgHasESet")
ITShopOrgHasESet.PutValue("UID_ITShopOrg", Connection.GetSingleProperty("ITShopOrg", "UID_ITShopOrg", "FullPath='" & ShopItem & "\Shelf'"))
ITShopOrgHasESet.PutValue("UID_ESet", ESet.GetValue("UID_ESet"))
ITShopOrgHasESet.FillPrimaryKey()
ITShopOrgHasESet.Save()
Next
End If
' assigned to every concerned business role
If AssociatedBusinessRole.Length > 0 Then
Dim BusinessRoleList As String() = AssociatedBusinessRole.Split(New Char() {"|"c})
Dim BusinessRoleItem As String
For Each BusinessRoleItem In BusinessRoleList
Dim OrgHasESet As ISingleDbObject = Connection.CreateSingle("OrgHasESet")
OrgHasESet.PutValue("UID_Org", Connection.GetSingleProperty("Org", "UID_Org", "Ident_Org='" & BusinessRoleItem & "'"))
OrgHasESet.PutValue("UID_ESet", ESet.GetValue("UID_ESet"))
OrgHasESet.FillPrimaryKey()
OrgHasESet.Save()
Next
End If
' ### DELETE
Dim ESet As ISingleDbObject = element_ESet.Create()
' delete all assignations to business role: not mandatory?
'Dim collection_OrgHasESet As IColDbObject = Connection.CreateCol("OrgHasESet")
'collection_OrgHasESet.Prototype("UID_ESet").IsDisplayItem = True
'collection_OrgHasESet.Load(CollectionLoadType.Slim)
'For Each element_OrgHasESet As IColElem In collection_OrgHasESet
'Dim OrgHasESet As ISingleDbObject = element_OrgHasESet.Create()
'If String.Compare(OrgHasESet.GetValue("UID_ESet").String.ToUpper(), ESet.GetValue("UID_ESet").String.ToUpper()) = 0 Then
'OrgHasESet.Delete()
'OrgHasESet.Save()
'End If
'Next
' Delete all asociated products from shops
Dim collection_ITShopOrgHasESet As IColDbObject = Connection.CreateCol("ITShopOrgHasESet")
collection_ITShopOrgHasESet.Prototype("UID_ESet").IsDisplayItem = True
collection_ITShopOrgHasESet.Load(CollectionLoadType.Slim)
For Each element_ITShopOrgHasESet As IColElem In collection_ITShopOrgHasESet
Dim ITShopOrgHasESet As ISingleDbObject = element_ITShopOrgHasESet.Create()
If String.Compare(ITShopOrgHasESet.GetValue("UID_ESet").String.ToUpper(), ESet.GetValue("UID_ESet").String.ToUpper()) = 0 Then
ITShopOrgHasESet.Delete()
ITShopOrgHasESet.Save()
End If
Next
' extract UID of associated service item and delete system role
Dim UID_AccProduct As String = ESet.GetValue("UID_AccProduct").String.ToUpper()
ESet.Delete()
ESet.Save()
' delete associated service item with the extracted UID
Dim collection_AccProduct As IColDbObject = Connection.CreateCol("AccProduct")
collection_AccProduct.Prototype("UID_AccProduct").IsDisplayItem = True
collection_AccProduct.Load(CollectionLoadType.Slim)
For Each element_AccProduct As IColElem In collection_AccProduct
Dim AccProduct As ISingleDbObject = element_AccProduct.Create()
If String.Compare(AccProduct.GetValue("UID_AccProduct").String.ToUpper(), UID_AccProduct) = 0 Then
AccProduct.Delete()
AccProduct.Save()
End If
Next
↧
Notifying Manager and Resource Owner upon Deprovisiong UNS Accounts
I would like to have an Alert be emailed sent to the user manager and the resource owner when the user entitlment is changed/removed from UNS account user.
Email shoudl have:
Subject: Task Completed by [Name of Administrator]
Task: [Access/Entitlement removed from the employee]
By : [Name of Administrator provided by IdM]
For : [Name Of Employee provided by IdM]
I don't see a method for notifying once the access has been de-provisioned on the UNS target systems. Once the resource owner approved the De-provisioning the system will trigger the deprovisioning process and then the email alert will be sent.
Does anyone out there have any thoughts on how to best accomplish this? Please advise.
↧
↧
History DB: Import Processinformation doesn't work
Hi everybody.
I installed corresponding to our documentation a History DB. The History DB is installed on the same server and uses the same DB User like the Identity Manager DB.
If I start the schedule "Import process information directly" in the History DB Designer
the following error message comes up:
"
Process step parameter 3d23749a-c297-4a5d-a409-baf27a817814:
[Job]
ComponentAssembly=SQLComponent
ComponentClass=VI.JobService.JobComponents.SQLComponent
Task=Execute SQL
Executiontype=INTERNAL
[Parameters]
ConnectionProvider=VI.DB.ViSqlFactory,VI.DB
ProcID=CA5D65EE-4808-4179-A929-D4E8B7EAD4C6
Value=0
WithoutTransaction=True
<x><i>2013-09-02 21:01:27 +02:00 - Info: Last process step request succeeded.<x>
<e>2013-09-02 21:01:27 +02:00 - VI.JobService.JobComponents.SQLComponent - 3d23749a-c297-4a5d-a409-baf27a817814: Errors occured
[810023] Error during execution of statement: exec vi_GetRawFromSource '<DB-Server>', '<Identity Manager DB>', N'', N'', 0
[810143] Database error 266:
[System.Data.SqlClient.SqlException] Transaction count after EXECUTE indicates a mismatching number of BEGIN and COMMIT statements. Previous count = 0, current count = 1.
at VI.JobService.ProcessorThread._ThreadFunction()
at VI.JobService.ProcessorThread._ExecuteJob(Job job)
at VI.JobService.JobComponents.SQLComponent.Activate(String task)
at VI.JobService.JobComponents.SQLComponent.Task_Execute()
at VI.DB.SqlExecutor.SqlExecuteNonQuery(String sqlStatement)
at VI.DB.SqlExecutor.SqlExecuteNonQuery(IQueryProvider provider, IDataParameter[] parms)
---- Start of Inner Exception ----
at VI.DB.SqlExecutor.SqlExecuteNonQuery(IQueryProvider provider, IDataParameter[] parms)
at VI.DB.SqlExecutor._SqlExecuteNonQuery(DbStatement stmt)
---- Start of Inner Exception ----
at VI.DB.Implementation.SafeDbCommand.ExecuteNonQuery()
at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()
at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(DbAsyncResult result, String methodName, Boolean sendToPipe)
at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async)
at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
"
and the SQL Log show this:
"
2013-09-02 21:01:26 +02:00 - Info - (5 ms) - select UID_DialogAuthentifier from DialogAuthentifier where (AssemblyName = N'JobComponent') and (Class = N'VI.JobService.JobComponents.DbJobComponent+ComponentAuthenticator') and (IsEnabled = 1)
2013-09-02 21:01:26 +02:00 - Info - (1 ms) - select 1 where exists (select 1 from DialogProductHasAuthentifier where ((UID_DialogAuthentifier = N'07DADCBF-4574-4EB1-A7E0-550315D00F53') and (Ident_Product = N'Default') and (isnull(IsInActive , 0) = 0)))
2013-09-02 21:01:26 +02:00 - Info - (< 1 ms) - select uid_configparm, uid_parentconfigparm, configparm, enabled, value from DialogConfigParm order by fullpath
2013-09-02 21:01:26 +02:00 - Info - (< 1 ms) - select username, vipropertiesdate, vipropertieskey, uid_dialoguser from DialogUser where username = N'sa'
2013-09-02 21:01:26 +02:00 - Info - (< 1 ms) - select uid_database, description, productidentifier from dialogdatabase where IsMainDatabase = 1
2013-09-02 21:01:27 +02:00 - Info - (< 1 ms) - select changecounter from dialogsemaphor where changecontext = N'CONFIG'
2013-09-02 21:01:27 +02:00 - Info - (< 1 ms) - select changecounter from dialogsemaphor where changecontext = N'MODEL'
2013-09-02 21:01:27 +02:00 - Info - (< 1 ms) - select changecounter from dialogsemaphor where changecontext = N'CAPTION'
2013-09-02 21:01:27 +02:00 - Info - (< 1 ms) - select changecounter from dialogsemaphor where changecontext = N'ASSEMBLY'
2013-09-02 21:01:27 +02:00 - Info - (< 1 ms) - select changecounter from dialogsemaphor where changecontext = N'NOTIFICATION'
2013-09-02 21:01:27 +02:00 - Info - (< 1 ms) - select changecounter from dialogsemaphor where changecontext = N'USERDATARESIDENT'
2013-09-02 21:01:27 +02:00 - Info - (< 1 ms) - select changecounter from dialogsemaphor where changecontext = N'RIGHT' and username = N'sa'
2013-09-02 21:01:27 +02:00 - Info - (< 1 ms) - select UID_Database from DialogDatabase where IsMainDatabase = 1
2013-09-02 21:01:27 +02:00 - Info - (< 1 ms) - select xdateupdated from dialogscriptassembly where name = N'WebServices_CD0E9E5ADF4B40389B87A87F21A00B02'
2013-09-02 21:01:27 +02:00 - Info - (< 1 ms) - select xdateupdated from dialogscriptassembly where name = N'VIDScripts_CD0E9E5ADF4B40389B87A87F21A00B02'
2013-09-02 21:01:27 +02:00 - Info - (< 1 ms) - select xdateupdated from dialogscriptassembly where name = N'VIScripts_CD0E9E5ADF4B40389B87A87F21A00B02'
2013-09-02 21:01:27 +02:00 - Info - (< 1 ms) - select xdateupdated from dialogscriptassembly where name = N'Scripts_CD0E9E5ADF4B40389B87A87F21A00B02'
2013-09-02 21:01:27 +02:00 - Info - (< 1 ms) - select ConnectionString, UID_DialogHistoryDB from DialogHistoryDB where isnull(IsInactive, 0) = 0
2013-09-02 21:01:27 +02:00 - Info - (< 1 ms) - select GetUTCDate()
2013-09-02 21:01:27 +02:00 - Info - (< 1 ms) - select changecounter from dialogsemaphor where changecontext = N'USERDATARESIDENT'
"
I doesn't think that this issues is caused by missing permissions.
Kind regards
Georg
↧
How to change column name in a form with Web Designer
Hi all,
I'm currently using Q1IM Web Designer studio to design a form.
On a module I'm modifying the settings...
I would like to modify the column names to display these names in a form
=> Where can I do this ?
Thanks for your help.
↧
Sending mails via Exchange Web Services
I have a customer who informs me that they have switched off SMTP relays and now uses MS Exchange Web Services. We are about to embark on a project with them that will require Q1IM to send email notifications.
I'm not aware of Q1IM supporting Exchange WS natively. Is this something that is going to cause us an issue (that we should budget for in terms of days) ?
Has anyone integrated Q1IM mailing into this type of environment before ? Any hints ?
Thanks
Jon.
↧
Exchange Recipient Type Details 'Mail User' opposed to 'User Mailbox'
Hi All,
Recently we have seen an increase in reactivated ADSAccount Exchange mailboxes being enabled as Recipient Type Details 'Mail User' opposed to 'User Mailbox'. This has prevented some of our users from utilizing a functional mailbox, to correct the issue we need to manually disable the mail user in exchange and reconnect the disconnected mailbox from the mailbox store to this account.
Originally these accounts were 'User Mailbox'. Could there be something in the disable process/enable process that is changing the mailbox type to ‘Mail User’? These accounts are also not contacts or in the contacts container. Any suggestions or tips on places to look would be greatly appreciated. Thanks.
↧
↧
Web Designer - Menu and Submenu : is it mandatory to have a submenu?
Hi all,
Within the Web Designer I want to create a menu called "White pages".
This menu won't need any submenu since the only page is the White pages.
Am I forced to create a submenu to be sure that the main menu is appearing on the web page ?
The screenshot below shows my tree in the WebDesigner with two menu items pointing to the same page
and below the result in the web app
When I remove the submenu in the Web Designer, the whole menu disapear.
=> Is there a solution to display only the main menu ?
Thanks again you for your help !
↧
The function 'sql' is not defined
Hi All,
As per my understanding of the Web Designer Reference Manual, we can use the sql function to pass statements in SQL Server/Oracle syntax directly. But when I try to use the 'sql' function in Web Designer I get the error message "the function 'sql' is not defined". How can I get around this? I'm using version 5.1 of Q1IM.
Thanks in advance,
Febin
↧
Script: change actual employee (UID_RealPerson)
Hello,
I try to update the UID_RealPerson filed with my script but it seems I have insufficient rights. I meet the error below.
2013-09-05 10:55:17 +02:00 - Serious - [810025] Employees: Write permission denied for value "Actual employee".
Below, an overview of my script content.
Person = element_Person.Create()
...
Person.PutValue("IsDummyPerson", "1")
Person.PutValue("UID_RealPerson", "...")
...
Person.Save()
(edit)
Regards,
Serge
↧
How to display drop-down menu for request properties in IT Shop.
Hello,
This might be a simple question...I am using request properties and on one of the fields "Request Type" I would like to display a drop down box with pre-defined values. I have gone into db schema in designer and added the defined list to the column (e.g. Add Account, Change Account, Delete Account)...but now I'm trying to figure out how this can display in IT Shop when the additional information form is brought up (similar to gender field, etc.). Thanks.
Kenny
↧
↧
Enable AUTO Out-Of-Office (OOO) message reply
I am trying to Enable AUTO Out-Of-Office (OOO) message reply for disabled active directory users that own a mailbox in case the employee is terminated or quits.
I have the following powershell scripts to process output of Exchange 2010 PowerShell cmdlets from within a Quest One Identity Manager (Q1IM) process:
Dim theScript As New StringBuilder()
theScript.AppendLine("Get-ADUser -Filter {Enabled -eq $false} -Searchbase 'ou=Disabled Accounts ,Dc=tmglab,DC=local' |" )
theScript.AppendLine("ForEach{")
theScript.AppendLine("Set-MailboxAutoReplyConfiguration -Identity $_")
theScript.AppendLine("-AutoReplyState Enabled")
theScript.AppendLine("-ExternalAudience All")
theScript.AppendLine("-InternalMessage 'Your message to internal users'")
theScript.AppendLine("-ExternalMessage 'Your message to external users'")
theScript.AppendLine("}")
Value = theScript.ToString()
I embeded the script to the VI_EX2K10_ADSAccount_Hide_Mailobject process. But the process doesnt seem working when I send email to the disabled ADS account.
Does anyone out there have any thoughts on how to best accomplish this? Please advise.
↧
Preventing AD Group Removal on Termination
Currently when users are terminated, Q1IM is removing them from their AD groups. What is the easiest way to prevent this behavior?
↧
Creating ADSAccount for two employees with the same firstname and lastname
Hi everyone.
If I try to import data from HR via Data Import tool to create new AD accounts for employees and there are two employees with same name and same lastname (but different ID), I get the follwing error:
The connection mode of the provider was set to Default. Loading import file C:\Program Files (x86)\Quest Software\Quest One Identity Manager\ADSMapping.DLL.XML has changed the object property assignment rules and the member relationships. The access to RAS attributes was set with the value True. The access to terminal properties was set with the value True. [854003] Processing task ADSAccount Insert failed. [997030] Cannot publish object LDAP://MYDOMAINSERVER:389/CN=Firstname Lastname,OU=Users,OU=myOU,OU=myOU,DC=mysubdomain,DC=mydomain,DC=myrootdomain (Message : The object already exists. ). [System.DirectoryServices.DirectoryServicesCOMException] The object already exists.
Both employees should be in the same department and OU. I think the problem is because Q1IM try to set them the same CN which is Firstname Lastname. Because they are in the same OU, Q1IM try to set distinguishedname like DN=Fistname Lastname,OU=myOU,OU=myOutherOU,OU=myAnotherOU,DC=mysubdomain,DC=mydomain,DC=myrootdomain for both.
But if I manually create employee Firstname Lastname and wait Q1IM to create user account and then create another employee Fistname Lastname, Q1IM will change CN for the second employee to Firstname Lastname_1 and this is the behaviour I want.
Why the CN is not changed when I import users through Data Import?
Best regards,
Evgen
↧