SQL Queries useful for OIM Operations

1.       To get the user list/details provisioned with particular entitlement 

Select usr_login,USR_DISPLAY_NAME,USR_UDF_EMPLOYEEID,ENT_CODE,ENT_Value,ENT_ASSIGN_UPDATE

from usr inner join ent_assign

on ent_assign.usr_key=usr.usr_key

inner join ent_list

on ent_list.ent_list_key=ent_assign.ent_list_key

where lower(ent_code) like '%=<ent code>%'

and usr_status = 'Active'

and obj_key=<Resource Object key>

order by usr_login;

 

2.       To get the list of entitlements provisioned to the user associated with Enabled/Provisioned accounts:

select * from ent_assign, usr ,catalog, oiu, ost, orc where ent_assign.ent_list_key=catalog.entity_key and Ent_assign.usr_key=usr.usr_key and ent_assign.oiu_key=oiu.oiu_key and ost.ost_key=oiu.ost_key and oiu.orc_key=orc.orc_key and usr.usr_login=<User Login>;

 

 

3.       To get the request details on the basis of request status

 

select IDENTIFICATIONKEY "Request ID",usr_login "Requestor ID",usr_display_name "Requestor’s Name",

REQUEST_CREATION_DATE "Requested Date",rbe_entity_type, rbe_entity_name,

ASSIGNEES "Approver ID",ASSIGNEESDISPLAYNAME "Approver’s Name",ASSIGNEDDATE "Assigned Date",REQUEST_STATUS "Request Status",EXPIRATIONDATE "Expiry Date"

from WFTASK

inner join request on request_id=IDENTIFICATIONKEY

inner join usr on REQUESTER_KEY=usr_key

inner join request_beneficiary_entities on request_key=rbe_request_key

where assigneddate between to_date('01-10-2019','DD-MM-YYYY') and to_date('31-12-2019','DD-MM-YYYY')

and request_status in ('Request Rejected','Request Withdrawn')

and ASSIGNEES not in ('xelsysadm,user','SYSTEM ADMINISTRATORS,group')

order by ASSIGNEDDATE DESC;

 

4.       To get the rejected tasks count for the resource object in particular time period

select  count(*),MIL.MIL_NAME,obj_name

FROM OSI

inner join SCH on SCH.SCH_KEY=OSI.SCH_KEY

inner join STA on STA.STA_STATUS=SCH.SCH_STATUS

inner join MIL on OSI.MIL_KEY=MIL.MIL_KEY

inner join TOS on MIL.TOS_KEY=TOS.TOS_KEY

inner join PKG on TOS.PKG_KEY=PKG.PKG_KEY

inner join OIU on OSI.ORC_KEY=OIU.ORC_KEY

inner join USR on OIU.USR_KEY=USR.USR_KEY

inner join OST on oiu.ost_key = ost.ost_key

inner join OBJ on OST.OBJ_KEY=OBJ.OBJ_KEY

inner join ORC on orc.orc_key = oiu.orc_key

WHERE to_date(to_char(sch_actual_start,'DD-MM-YYYY'),'DD-MM-YYYY')

between to_date('01-01-2018','DD-MM-YYYY') and to_date('01-01-2019','DD-MM-YYYY')

and usr_status='Active'

and obj_name= '<Resource Object Name>'

and ost_status in ('Provisioned','Enabled','Disabled')

and sta_bucket ='Rejected'

group by MIL.MIL_NAME,obj_name;

 

5.       To get list of all the rejected tasks

Select * from osi, sch, mil , orc,usr, oiu where orc.orc_key=osi.orc_key and sch.sch_key=osi.sch_key and oiu.orc_key=orc.orc_key and oiu.usr_key=usr.usr_key

and osi.mil_key=mil.mil_key and sch.sch_status='R';

 

6.       To get all entitlements attached to policies linked to a role

 

select * from pol, ugp,pog, poc where pol.pol_key=pog.pol_key

and poc.pol_key=pol.pol_key and pog.ugp_key=ugp.ugp_key and

ugp.ugp_name like '<Role Name>';

 

 7.      To get List of role names against associated application instances evaluated through access         policies

select ugp.ugp_name, app_instance.app_instance_display_name from pol,ugp, pog , pof,obj,svr,app_instance

where pol.pol_key=pog.pol_key and

pog.ugp_key=ugp.ugp_key and pof.pol_key=pol.pol_key and obj.obj_key=pof.obj_key

and app_instance.itresource_key=svr.svr_key and

to_char(svr.svr_key)=pof.POF_FIELD_VALUE ;

                       

8. To get list of users associated with role and evaluated with access policy attached to it.

select  usr.usr_login, ugp.ugp_name,ent_list.ent_display_name,pol.pol_name from poc,ent_list,ent_assign,pol,pog,ugp,usr where poc.poc_field_value=ent_list.ent_code and poc.pol_key=pol.pol_key

and ent_assign.ent_list_key=ent_list.ent_list_key and pog.ugp_key=ugp.ugp_key and pog.pol_key=pol.pol_key

and ent_assign.usr_key=usr.usr_key

and  ugp.ugp_key in (select ugp.ugp_key from pol,ugp, pog , pof,obj,svr,app_instance

where pol.pol_key=pog.pol_key and

pog.ugp_key=ugp.ugp_key and pof.pol_key=pol.pol_key and obj.obj_key=pof.obj_key

and app_instance.itresource_key=svr.svr_key and

to_char(svr.svr_key)=pof.POF_FIELD_VALUE and app_instance_display_name=<Application instance display name>)

and  usr.usr_status='Active';

 

9.       To  get all the Users having specific account provisioned.

    SELECT USR.USR_LOGIN, USR.USR_FIRST_NAME, USR.USR_LAST_NAME

FROM OBJ, OBI, OIU, OST, USR

WHERE OBJ.OBJ_KEY = OBI.OBJ_KEY

AND OBI.OBI_KEY = OIU.OBI_KEY

AND OIU.USR_KEY = USR.USR_KEY

AND OIU.OST_KEY = OST.OST_KEY

AND OST.OBJ_KEY = OBJ.OBJ_KEY

AND OST.OST_STATUS IN ('Enabled','Provisioned')

AND OBJ.OBJ_NAME = '<Resource Object Name>';

 

 

10     To get all the User's provisioned/enabled accounts.

SELECT OBJ.OBJ_NAME, OST_STATUS

FROM OBJ, OBI, OIU, OST, USR

WHERE OBJ.OBJ_KEY = OBI.OBJ_KEY

AND OBI.OBI_KEY = OIU.OBI_KEY

AND OIU.USR_KEY = USR.USR_KEY

AND OIU.OST_KEY = OST.OST_KEY

AND OST.OBJ_KEY = OBJ.OBJ_KEY

AND OST.OST_STATUS IN ('Enabled','Provisioned')

AND USR.USR_LOGIN = '<User_Login>';

To get all the list of users provisioned to application between the dates

select distinct usr_login, usr_email, usr_status, ost_status, sch_actual_start, mil_name

FROM OSI 
inner join SCH on SCH.SCH_KEY=OSI.SCH_KEY 
inner join STA on STA.STA_STATUS=SCH.SCH_STATUS 
inner join MIL on OSI.MIL_KEY=MIL.MIL_KEY 
inner join TOS on MIL.TOS_KEY=TOS.TOS_KEY 
inner join PKG on TOS.PKG_KEY=PKG.PKG_KEY 
inner join OIU on OSI.ORC_KEY=OIU.ORC_KEY 
inner join USR on OIU.USR_KEY=USR.USR_KEY 
inner join OST on oiu.ost_key = ost.ost_key 
inner join OBJ on OST.OBJ_KEY=OBJ.OBJ_KEY 
inner join ORC on orc.orc_key = oiu.orc_key 
WHERE to_date(to_char(sch_actual_start,'DD-MM-YYYY'),'DD-MM-YYYY') between to_date('01-01-2018','DD-MM-YYYY') and to_date('01-07-2018','DD-MM-YYYY')
and 
ost_status in ('Provisioned','Enabled','Disabled')
and sta_bucket ='Completed'
and MIl_name ='Create User'

and upper(obj_name) like '%AD%';

Password Sync connector Installation and Upgrade

Install Password sync connector on Active Directory Domain Controller.

1.       On the Microsoft Active Directory host computer, run the installer as follows:

a. Unzip MSFT_PSync_91150.zip to a temporary directory.

b. In the temporary directory, run the setup.exe file to start the installer.

2.       On the Welcome page, click Next.

3.       On the next page, click Next.

4.       On the screen enter the Installation path and click Next. 

5.       On the Active Directory Configuration Parameters page, enter the below details.

Domain = xyz.com

Port = 389

Host = Domain Controller host name on which the connector installation is carried out.

Persistent Store = OU=OIMPS

click Next.

 

6.       On the second Active Directory Configuration Parameters page, enter values

or the following fields:

User = oimpassword@xyz.com  < Active directory service account having administrator group access>

Password = <Account’s password>

Log File Path = Default Path < Or change it as per the standard >

click Next.

 

7.      On the Oracle Identity Manager Configuration Parameters page, specify the below values.

Host = oim.xyz.com < OIM Server Host >

Port = 443 < OIM Server Port >

Administrator Login = xelsysadm < OIM Admin account user Name >

Administrator Password = < Admin account’s password >

OIM User Attribute = Users.User ID <Attribute to link AD account with OIM User >

OIM Application Server Type =  Weblogic

UseSSL = Yes

Client Certificate Subject Name = *.xyz.com

click Next.

 

8.       On the Configuration Parameter Information page, enter values for the following fields.

Time Interval = 1 < seconds the connector sleeps between processing password change

events.>

Maximum Retry = 5

click Next.

 

9.       Click Next on Summary Page.

10.      Copy the oimadpwdsync10.dll and orclmessages.dll files from the Windows\SysWOW64 directory to the WINDOWS\system32 directory.

11.       Click Next to complete the installation and restart the server.

12.       Enable logging for the connector.

·         Open Registry Editor, using regedit command in Run dialog box.

·         Navigate to the following key to enable AD Logs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Con-trol\Lsa\oimpwdsync\ADConfig

·         On the right pane, double-click the Log value. Enter Y in the dialog box.

·         Navigate to the following key to enable OIM Logs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Con-trol\Lsa\oimpwdsync\OIMConfig

·         On the right pane, double-click the Log value. Enter Y in the dialog box.

·         Restart the servers.

 

13.       Apply the recommended patch or latest p27948293_91150_MSWIN-x86-64.zip.

·         Unzip the p27948293_91150_MSWIN-x86-64.zip file to a temporary location.

·         Copy %WINDIR%\System32\oimadpwdsync10.dll to a backup location.

·         Rename %WINDIR%\System32\oimadpwdsync10.dll to %WINDIR%\System32\oimadpwdsync10.dll_default.

·         Copy ExtractedPatchLocation\MSFT_AD_PSync_9.1.1.5.16\lib\win64\oimadpwdsync10.dll to %WINDIR%\System32

·         Modify ExtractedPatchLocation\MSFT_AD_PSync_9.1.1.5.16\ Update_oimpwdsync.reg as per the requirement.

·         Run the Update_oimpwdsync.reg file.

·         Restart the server.

Testing

1.       Change a User’s Password on the Domain Controller Active Directory.

2.       Verify the logs are populated accordingly.

3.       User can login in OIM with the updated Password.

End User Testing

1)      Windows password change should be propagated to OIM and user can login with the changed Password.