Channel: Software Communities : Popular Discussions - Dell One Identity Manager

Error while inserting in PersonWantsOrg


Hi,

 

I'm using a script that inserts objects in the PersonWantsOrg table and I sometimes run into the following exception:

[810008] Could not save object Request procedures ("PersonName" - 02/13/2014 16:07:48).
[881173] This employee is not authorized to place an request here. (Possibly wait for the DBScheduler evaluation)

 

Actually I'm working on two environments, and this exception is generated only on one of them, although the procedures are the same...

Could you please help me to understand the cause of this issue?

 

Regards,

Anton


Customizing IT-shop


Hi everyone.

 

I would like to hide some options in IT-Shop. First of all I would like to hide menu option "My business ownerships". Then I would like to hide "Mail subscriptions" under My profile. Is this possible to achieve with some configuration parameters or do I have to do this via WebDesigner? Any suggestions how to do this would be great!

 

Additionally, I would like to add a dropdown list beside login name text field on the first page (login page).

 

Thanks for help.

Evgen

Query Parameters In Report Editor


Hello Quest Community,

 

I've been working with Report Editor and am attempting to come up with a subscribable report that when run will pull up the members of a group.  The parameter I want to use is the cn of the ADSGroup.  Below is the statement I'm using in the Data Source and the parameter settings.  When I run the report in Manager I'm prompted to enter the group name and it doesn't pull any errors but instead comes up with a blank report page.  I think my issue is in the settings I have for the parameter.  Any help would be appreciated.

Capture1.JPGCapture2.JPG

Capture3.JPG

ADSGroup Synchronization Errors


Recently I've noticed that ADSGroup memberships between the Active Directory environment and IdentityManager are showing a larger disparity where membership removals in AD are not being detected and updated in IdentityManager even after a synchronization is run.  I've run multiple simulations with synchronizations running full synchronizations and just specific Object Types (Groups + ADSGroupMember).  These syncs always are set with IdentityManager as the slave system so group membership removals will be deleted and any new direct assignment membership will be updated in the IdentityManager Db. (see image)

 

Synchronization Settings IdentityManager.PNG

 

The synchronization has failed consistently with errors as seen below for multiple Groups and Users.

tart processing objects /  relation of type "ADSGROUPMember" using following settings:

database amount : IGNORE,

intersection amount: UPDATEDB,

namespace amount: IMPORT - USN optimization False.

[854011] Error processing M:N relations of CN=\#Some DL,OU=Distribution Lists,OU=Location,OU=Location Data Center,OU=NA,DC=1234,DC=net in database.

[921056] Error inserting relation CN=Some Group,OU=Groups,OU=Contacts,OU=NA,DC=1234,DC=net - CN=\#Covidien Sales Force.com Support,OU=Distribution Lists,OU=Mansfield01,OU=Mansfield Data Center,OU=NA,DC=thcg,DC=net into database table ADSAccountInADSGroupTotal.

[854041] No relation definition exists for object type publicFolder in relation block ADSGROUPMember .

[854011] Error processing M:N relations of CN=\#Some DL1,OU=Distribution Lists,OU=Location,OU=LocationData Center,OU=NA,DC=1234,DC=net in database.

[921056] Error inserting relation CN=Some User,OU=Misc,OU=Contacts,OU=NA,DC=1234,DC=net - CN=\#Some DL3,OU=Distribution Lists,OU=Location,OU=LocationData Center,OU=NA,DC=1234,DC=net into database table ADSAccountInADSGroupTotal.

[854011] Error processing M:N relations of CN=\#Some other DL,OU=Distribution Lists,OU=Location2,OU=Location2 Data Center,OU=NA,DC=1234,DC=net in database.

[921056] Error inserting relation CN=Some User,OU=Misc,OU=Contacts,OU=NA,DC=1234,DC=net - CN=\Some DL 3,OU=Distribution Lists,OU=Location2,OU=Location2 Data Center,OU=NA,DC=1234,DC=net into database table ADSAccountInADSGroupTotal.

 

 

Has anyone encountered a similar issue with synchronizations?  This disparity is causing owners to be unable to manage their groups and puts additional pressure on the call center.

Best practice question: How to prevent a process from being executed if the root process is not parent


Hi community,

 

we need to prevent a process from being executed during a daily target system reconciliation. The process cascade is defined as follows:

 

1.  Read the target system data and store it to a custom table via import script

=> This generates Inserts, Updates and Deletes on the custom table.

2. Update templates on UNSAccountB (as reaction on updates from step 1) via ExectionTemplate-job.

=> This generates updates on UnsAccountB

3. Updates on UnsAccountB (with the involved XproxyContext) generate communication with a REST-webservice

 

We need to suppress step 3 but not step 2 in the cascade (and only in this cascade, not in general!). Normally we achieve this via Connection.variables, but setting and removing them in Step 1 prevents only step 2 not step 3 with proper generating conditions from execution.

=> The connection.variables seem to be inherited one process generation only.

 

An idea is to use configuration parameters instead of connection.variables, but this doesn't feel right. Additionally we can't use generating conditions that lean on data diffs ($test$[o]<>...) aso...

 

So, what is your suggestion?

 

Thanks a lot,

N.

Schema Extension running out of available resources for columns


I'm trying to add a column to a table with Schema Extension and on the Configure Columns page, I see that Free bytes: is n/a and Free columns is n/a. And when I click the add column button, it won't let me press OK to save the new column I try to add.

 

I don't see why I would be out of resources, especially for some of the smaller tables I'm using. Has anybody encountered this before or know of a solution?

Password Generation, Its storage on IDM (encrypted) and Synchronization with Target system using QIM


Scenario:

 

We want to manage the user password centrally for QIM connected systems such that when users are created in QIM their passwords are generated (through QIM), stored on QIM in a secured way and then synchronized with end systems. Solution should be able to store the encrypted passwords on QIM (in case a new target system gets added to the list, it should be able to retrieve the user password and synch it with the target system).

 

In the existing process, user records are planned to be created from HR into QIM using a scheduled dataImporter script.

 

Below is what we understand about QIM:

 

  1. "Central password" attribute on person table is not encrypted in the DB, hence we cannot store the generated password in the central password attribute (security risk) as the same password will be pushed to all the target systems.
  2. There is another attribute (Password OR DialogPassword) that stores user password in encrypted form (with a secret salt) and can be set while creating user on QIM. We can potentially use this attribute to store the central password but we would need a mechanism to decrypt it and push it to end systems

 

IDM requirements for password synch:

 

Typically IDM suites have a proprietary way of encrypting and storing the password on IDM system. This is not generally directly accessible to the developers, IDM tool accesses the APIs internally to decrypt the passwords to push to end systems (for security reasons). In our scenario if we decide to store the password in “Central password” attribute and choose to encrypt it we need below 2 things:

  1. a way to encrypt so that passwords cannot be decrypted by anyone except the APIs accessible only to the IDM tool.
  2. a way to decrypt the password through the APIs provided by the IDM tool.

 

Questions:

 

I am sure that this scenario has been faced by people while implementing Password Sync for connected systems. Just wanted to understand what is the recommended way of implementing password generation, storage on IDM (encrypting and decrypting) and synchronizing the password with the target systems. Primary concern here is maintaining the security of the central password as we need to keep it on QIM and decrypt it as needed for synchronization.

Which permission needed to stop DBScheduler processing?


Hello *,

 

do you know which permission is responsible for the "Stop DBScheduler in database" function in the "Emergency stop" window of JobQueueInfo?

 

I know the program functions Common_ShowDBSchedulerInfo and Common_StartDBScheduler, but something similar for stopping it does not seem to exist. Edit permissions on DialogDatabase.IsDBSchedulerDisabled don't seem to be sufficient. The Process Orchestration Guide mentions "necessary administration permissions" without naming them.

 

Any hint will be appreciated.

 

cu,

Oliver


Manually fire templates


Hi.

 

I have another question. I have added some custom attributes to Q1IM with the Schema Extension tool. I have written custom templates for the attributes. Now I want to "fire templates" on existing users to populate those attributes. Additionally, I would like to do this on just one department/OU.

 

Is it possible?

 

Thanks.

Evgen

I am getting an error when trying to start the SQL Agent manually from the Job Queue Info tool. See below:


Error during execution of statement:  declare @Jobname_Agent nvarchar(256) select @Jobname_Agent = dbo.vid_SchedulerPkg_JobName_prep(N'VID_DBSCHEDULER') exec dbo.vid_SchedulerPkg_StartJob @Jobname_Agent Database error 14262: detected in (SRV=NEDMCSSQL037SG2\INF5, DB=Q1IM) Procedure sp_verify_job_identifiers, Line 41 Database error 14262: The specified @job_id ('5E54FEDB-BBCC-497D-B4BF-812F94E04561') does not exist.

Dynamic Roles Membership Calculation


Hi Team,

 

I have configured a business role 'Provision Active Directory' and associated a dynamic role 'Person in Resource Access: Provision Active Directory' with a valid condition configured. I have also attached the dynamic role to the default schedule 'default schedule dynamic roles check' that I have configured to execute every 1 minute.

 

My requirement is - When a new user is created in D1IM, the dynamic role membership should be evaluated immediately and the user should be assigned the business role. However, in my environment, I see that happening only when I start the DBScheduler manually. I have also set the parameter - QER\Structures\DynamicGroupCheck\CalculateImmediatelyPerson.

 

Could anyone point me to any configurations that I might be missing?

 

Thanks,

Priya

Designer - Use VI_ElementNavigation form definition for a custom object


Hi all,

 

My objective is to create a new object type and be able to display this object in the Manager tool in the Business Role section.

 

To do so, I performed as follows.

I created a new object in Q1IM with Schema Extension tool and now I'm using the designer to add menus and forms to the Manager.

I went to "User Interface>User interface navigation>Manager" and in the navigation tree I added a navigation tree (see below).

2013-09-19 13_34_46-kltdev-cli - clt-quest-dev - Connexion Bureau à distance.png

In "Menu item" I entered a name, a type and a caption

2013-09-19 13_39_43-kltdev-cli - clt-quest-dev - Connexion Bureau à distance.png

In "List" I entered a display name, an object, an icon and I selected "insertion in list permitted" and "Deletion in list permitted".

2013-09-19 13_40_22-kltdev-cli - clt-quest-dev - Connexion Bureau à distance.png

After this, I went to "User Interface>Forms" and I created a sheet where I specified to use the "VI_ElementNavigation" form definition

2013-09-19 13_45_04-kltdev-cli - clt-quest-dev - Connexion Bureau à distance.png

 

After all this, I committed and compiled the database and almost everything is ok, except that when I use the Manager to have an overview of this object I get a white page.

2013-09-19 13_51_08-kltdev-cli - clt-quest-dev - Connexion Bureau à distance.png

It seems I'm almost there but I can't find out what I forgot to do.

 

=> Does someone have any idea of what I forgot ?

 

Thanks for your help,

Steph.

Database - Generate a DialogUserPassword


Hi all,

 

I would like to use an SQL statement to modify the DialogUserPassword, something like :

UPDATE person SET DialogUserPassword = '<my encrypted password>' where personnelNumber = '12345'

 

Does anyone of you know how to generate <my encrypted password>??? I think that I should use the Dialog User Salt attribute but I don't know how.

 

Thank you for your help and best regards,

 

Steph.

Provisioning UNS Account via QC


I am trying to import some UNS accounts from CSV files with Quest One Quick Connect. The import failed and I got the following error messages. Please advise how I would solve this or what is the best practice to import CSV files via QC? The following is the error message I am getting:

 

 

Could not save object User accounts (Rick Cannon, (TMGTest)).

Error during execution of statement: insert into UNSAccountB (AccountName, CanonicalName, cn, DistinguishedName, IsGroupAccount, UID_UNSAccountB, UID_UNSContainerB, xdateinserted, xdateupdated, XObjectKey, XProxyContext, XUserInserted, XUserUpdated) values (N'RCANNON23', N'Rick Cannon,', N'Rick Cannon', N'CN=Rick Cannon,', 1, N'2cc78d79-e6b0-4ed7-82e6-82b4092a0857', N'TMGTest', GetUTCDate(), GetUTCDate(), N'<Key><T>UNSAccountB</T><P>2cc78d79-e6b0-4ed7-82e6-82b4092a0857</P></Key>', N'TMGTest', N'QuickConnect', N'QuickConnect')

Could not insert object into UNSAccountB because related object in UNSContainerB does not exist (rule R/1502).

Sync Person - jpegPhoto to AD


Does anyone know how I can get the jpegPhoto in the Person table to sync to Active Directory?  There doesn't seem to be a default mapping for this and trying to use Quick Connect to sync the data results in mismatch in data types.


SUSE - Error job server


Hello,

 

Since we have installed job server on SLES (http://communities.quest.com/message/87389#87389), we meet the error above. We have to restart the daemon to fix it, but this is really problematic.

 

Has someone already encountered this problem?

 

 

2013-10-02 00:07:57 +02:00 - VI.JobService.JobComponents.ScriptComponent - 136eaa8f-06ca-4a35-80f6-669a21c4354e: Errors occured
    [System.ComponentModel.Win32Exception] ApplicationName='mono', CommandLine='StdioProcessor.exe', CurrentDirectory='/home/visvc/JobService'
      at VI.JobService.ProcessorStdIO.ExecuteJob (VI.Base.JobProcessing.Job job) [0x00000] in <filename unknown>:0
      at VI.JobService.ProcessorStdIO.get__Processor () [0x00000] in <filename unknown>:0
      at VI.JobService.ProcessorStdIO._StartProcessor (System.String exe, System.String args) [0x00000] in <filename unknown>:0
      at System.Diagnostics.Process.Start (System.Diagnostics.ProcessStartInfo startInfo) [0x00000] in <filename unknown>:0
      at System.Diagnostics.Process.Start_common (System.Diagnostics.ProcessStartInfo startInfo, System.Diagnostics.Process process) [0x00000] in <filename unknown>:0
      at System.Diagnostics.Process.Start_noshell (System.Diagnostics.ProcessStartInfo startInfo, System.Diagnostics.Process process) [0x00000] in <filename unknown>:0

 

 

Regards,

Serge


ITShop - Approval workflow - Calculated group of approvers


Hi,

 

I try to use the "CP - Calculated group of approvers" procedure.

First I try to select the manager of the "UID_PersonOrdered" person with the condition below:

 

select *
from Person
where UID_Person in
(
          select UID_PersonHead
          from Person
          where UID_Person = '@UID_PersonOrdered'
)

 

But the request was aborted with the following reason: "Approval decided by the system, no approver available."

This is why I suppose my condition is not correct.

 

Does anyone see the error?

 

Regards,

Serge

DGE Locally Managed Agent on Windows Server


We are using DGE Locally Managed Agent on Windows Server. The Managed Host is configured with following settings:

- Resource Activity Tracking is NOT enabled

- With Security Index Roots are configured

 

- What information does the DGE Agent store in DataGovernanceAgentService@NTFS.SSDB (Agent Store)?

- How frequently does the information in these files get updated by the Agent?

- Is this information stored in the DB (Q1IM or DGE Activity)?

- Do we need to perform any house-keeping for these SSDB/SYDB/LGSDB files?

 

 

Appreciate your advice

SAP HANA Integration


We have all of our SAP systems connected to Identity Manager 6.0. Means the BAPI is installed on every system.

 

Now we want to use SAP HANA technology as the database for the SAP systems.

 

Is there any experience in this community with SAP HANA?

 

Some of my questions:

  • Is Identity Manager able to manage directly SAP HANA users/permissions
  • How to connect?
  • Could we still use the standard BAPI for connecting a SAP system based on HANA?





Thanks a lot for any useful comment :-)


