It's all about IAM

Identity And Access Management - Rajiv Dewan

Provisioning Through API - OIM 11g R2 PS1

Here is the code to initiate provisioning through code:

public void provisionAccess(ProvisioningService provisioningService, ApplicationInstanceService applicationInstanceService){
 oracle.iam.provisioning.vo.ApplicationInstance applicationInstance;
 try {
        applicationInstance = applicationInstanceService.findApplicationInstanceByName("AD User");
            long applicationInstanceKey = applicationInstance.getApplicationInstanceKey();
            FormInfo accountForm = applicationInstance.getAccountForm();
            long formKey = accountForm.getFormKey();
            AccountData accountData = new AccountData(String.valueOf(formKey), null, new HashMap());
            oracle.iam.provisioning.vo.Account account = new Account(applicationInstance, accountData);
            provisioningService.provision("1111", account); // 1111 is the Beneficiary Key
        } catch (ApplicationInstanceNotFoundException e) {
        } catch (GenericAppInstanceServiceException e) {
        } catch (oracle.iam.platform.authopss.exception.AccessDeniedException e) {
        } catch (UserNotFoundException e) {
        } catch (GenericProvisioningException e) {
        } catch (Exception e) {

Office 365 - Add / Remove License in Bulk

We can add/remove license in office 365 from a csv file. You can have a csv file which will contain principal names of all the users for whom you want to add/remove license. Header will be UserPrincipalName.

And execute these commands:

Connect-MsolService --> Provide username and password 

Get-MsolAccountSku |ft AccountSkuId   

--> Above command It will return values like :EXCHANGESTANDARD

Add License:

$AccountSkuId="PROVIDE_VALUE_HERE"                      --> Provide Value here
PROVIDE_VALUE_HERE                    --> Provide Value here like US, IN
$Users=Import-Csv C:\Users.csv
$Users | ForEach-Object {
Set-MsolUser -UserPrincipalName $_.UserPrincipalName -UsageLocation $UsageLocation
Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -AddLicenses $AccountSkuId

Remove License:

$AccountSkuId="PROVIDE_VALUE_HERE"                     --> Provide Value here
PROVIDE_VALUE_HERE                    --> Provide Value here like US, IN
$Users=Import-Csv C:\Users.csv
$Users | ForEach-Object {
Set-MsolUser -UserPrincipalName $_.UserPrincipalName -UsageLocation $UsageLocation
Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -RemoveLicenses $AccountSkuId

FVC (Form Version Control Utility)


If we add new field(s) in Process Form, that field won't be available for the existing provisioned users.


FVC (Form Version Control Utility) comes with OIM which updates the form which are associated with existing users.




Replace PROCESS_FORM_TABLE  with actual process form i.e. "UD_XXX"

Weird Issue With LDAP/ICF Connector


Integrated ODSEE (LDAP) with OIM 11g R2 PS1 using OID- connector. Wanted to test the reconciliation with one user so I gave the filter as equalTo('uid','RAJIVDEWAN') and ran the reconciliation; No reconciliation event generated.


Changed the filter from:




And I was able to see the reconciliation event. 

I don't know whether it's a connector issue or it's an ICF issue.

OIM - OIA Integration : Exception While Importing Data from OIM

Integration: OIM - OIA
Use Case: Import Users/Accounts etc

Cause: java.sql.SQLException: Unable to start the Universal Connection Pool: oracle.ucp.UniversalConnectionPoolException: Invalid connection validation SQL statement

Expected Solution:
  1. Verify connection parameters in
  2. Verify password property in iam-context.xml (proper line must be commented out for password)
  3. Make sure that should not have spaces around "=" for 
    • oim.jdbc.username
    • oim.jdbc.url
    • oim.jdbc.driverClassName
    • oim.jdbc.password.encrypted

ICF Usability Issue

I was working with ICF Connector and faced some usability issue. In older connectors, when some operations don't get completed properly, we used to get proper responses like "CONNECTION_FAILURE", "USER_ALREADY_EXIST", "USER_ALREADY_DISABLED" etc. In ICF connector, though we have different responses in Responses tab but most of time, it returns only "CONNECTOR_EXCEPTION".
Task responses don't tell you anything about the cause of failure so it means every-time we are dependent on the connector logs.

We have defined different levels for OIM support L1, L2 and L3.  L2 people just use OIM UI to find the root cause of the issue as they are not OIM guys and L3 people go through the logs for finding the root cause.  But after using ICF connector, it seems that we'll have to remove L2 support from OIM projects and need to add more people in L3 support. ;-)

API Bug: OIM 11g R2 PS1 API (ProvisioningService)

We were trying OIM 11gR2 PS1 API and faced some weird issue. We wanted to fetch the data from Child Form using new APIs (recommended). We found that it is giving the same value again and again.

Suppose we have 5 rows in Child Form for a user i.e. Role1, Role2, Role3, Role4, Role5 but API is returning Role5 five times.

We faced this issue only with New APIs (ProvisioningService) not with Old APIs. Finally, I found that it's a bug with the new API.

Root Cause and Bug Fix:

Method Name: getFormData()
Modification Required: Add  below line inside for loop
formData = new HashMap();

Role Category Export : OIM 11g R2 PS1

I was just working for a client (OIM 11g R2 PS1) where I created 30 - 50 Role Categories. I want to deploy these "Role Categories" in my Stage environment. I went to deployment manager and here are the options which I found in OIM 11g R2 PS1 Deployment Manager:


Workarounds have been used.

Performance Monitoring in OIM 11g R2 PS1

Use the below URL to do Performance Monitoring in OIM 11g R2 PS1:




Weird Behavior : Role Membership OIM 11g R2 PS1


  • Assigned a role to a user (through request/direct). 
  • Verified the role membership through user entity as well as through role entity 
  • Membership existed at both the places
  • Disabled the user
  • Verified the role membership through role entity, user got removed from the role
  • Verified the role membership through user entity, role was still there
  • Verified from Database end, user was still having role membership there

Expected Result:

  • Role membership must remain with user because there's no membership rule associated with role on user status attribute
  • Role Entity UI and User Entity UI must be in synch

Expected Issue :

It's an issue with the API. It only returns Active users.

Hint for Product Team: appendActiveUsersCriteria

Role Membership Through Role Entity

Role Membership Through User Entity