Oracle Fusion General Ledger - GL Data Access Set generating invalid roles. Unable to open GL first period.

ISSUE SUMMARY

GL Data Access Set creation results in invalid roles generation. Because of this I am unable to assign the newly created roles to GL users, and this ultimately results in the inability to open GL first period.

EXPECTED FUNCTIONALITY

Upon creation of a GL Data Access Set, it should automatically generate new 'valid' roles in APM.

These roles are then synchronized in IDM, and assigned to GL Users in LDAP.

The GL users will then be able to choose the Data Access Set when they go to the form for opening 'GL First Period'.

ERROR DESCRIPTION

'APM-10082: The following list of external-role(s) defined in the current template were not found in the identity store: Financial Analyst Controller Chief Financial Officer General Accountant General Accounting Manager'.

'Definition NewRow of type Attribute is not found in ViewDefDimColumnBean158_1413.'

IMPACT

Unable to open GL First Period. Show-stopper for proceeding further on GL implementation.

STEPS TO REPRODUCE

1. Navigate to APM > Search Role Template. Now search by Group Id = DAS

2. Open 'General Ledger Template for Ledger'. As soon as it gets opened, a warning gets displayed on the page 'APM-10082: The following list of external-role(s) defined in the current template were not found in the identity store: Financial Analyst Controller Chief Financial Officer General Accountant General Accounting Manager'. See the screen-shot at this link.

3. Under External Roles tab I can see all the 5 financial roles listed. These are:

  • Financial Analyst
  • Controller
  • Chief Financial Officer
  • General Accountant
  • General Accounting Manager

4. When I click on 'Policies' tab I get the following error "Definition NewRow of type Attribute is not found in ViewDefDimColumnBean158_1413.". See the screen-shot at this link.

5. I then click on 'Summary' tab and then back at the 'Policies' tab. At this stage I see one role listed there as 'Financial Analyst'. But the bottom region for 'Data Resource' doesn't list GL_ACCESS_SET table. See the screen-shot at this link.

6. In the summary tab I can see that there are a total of 4 Invalid Roles. When I click on 'Preview Roles' button > I see 20 invalid roles listed out there. See the screen-shot at this link.

7. I have tried deleting the invalid roles and re-generating them but the new roles generated are also under 'Invalid' status.

RESEARCH DONE

Applied the following fixes (which exactly match our issue), but the issue is still there and remains unresolved:

1. Seeded Data Role Templates Fail with APM Errors in Fusion Applications OnPremise Implementation (Doc ID 1531633.1)

2. Missing ACL Cause Error When Opening Data Role Template in APM (Doc ID 1500200.1)

FINAL SOLUTION

None of the above solutions worked for me until I realized that the following post-provisioning step had NOT been run during the IdM installation. Running the fix below resolved the whole problem with GL Data Access Sets. The Data Access Sets are now created automatically.

1. Create a file named idm.props with the following contents (adjust the values for your environment).

    IDSTORE_HOST: idm117.aclnz.com
    IDSTORE_PORT: 3060
    IDSTORE_BINDDN: cn=orcladmin
    IDSTORE_USERSEARCHBASE: cn=Users,DC=aclnz,dc=com
    IDSTORE_SEARCHBASE: dc=aclnz,dc=com
    IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=aclnz,dc=com
    POLICYSTORE_HOST: idm117.aclnz.com
    POLICYSTORE_PORT: 3060
    POLICYSTORE_BINDDN: cn=orcladmin
    POLICYSTORE_CONTAINER: cn=FAPolicies
    POLICYSTORE_READWRITEUSER: cn=PolicyRWUser,cn=Users,dc=us,dc=aclnz,dc=com
    OIM_T3_URL: t3://idm117.aclnz.com:14000
    OIM_SYSTEM_ADMIN: xelsysadm
    OVD_HOST: idm117.aclnz.com
    OVD_PORT: 8899
    OVD_BINDDN: cn=orcladmin

2. Now set the environment before running the tool.

    # Oracle IAM home that contains idmtools/
    export ORACLE_HOME=/app/oracle/products/app/iam/
    export PATH=$ORACLE_HOME/bin:$PATH
    export LD_LIBRARY_PATH=$ORACLE_HOME/lib:$LD_LIBRARY_PATH
    export MW_HOME=/app/oracle/products/app
    export ORACLE_SID=idmdb
    export JAVA_HOME=/app/fusion/jdk6
    # Put the JDK's bin directory (not JAVA_HOME itself) on the PATH
    export PATH=$PATH:$JAVA_HOME/bin
    export ANT_HOME=/app/fusion/provisioning/ant

3. Run the following idmConfigTool.sh file:

 /app/oracle/products/app/iam/idmtools/bin/idmConfigTool.sh -postProvConfig input_file=idm.props

The log will look something like this:

    Enter Policy Store Bind DN password :
    Enter ID Store Bind DN password :
    Enter OIM_SYSTEM_ADMIN_PWD :
    Enter OVD_PASSWD :
    Apr 25, 2014 11:49:00 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING:  /app/oracle/products/app/iam//idmtools/templates/oid/appid_pwdpolicy.ldif
    Apr 25, 2014 11:49:00 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING:  /app/oracle/products/app/iam//idmtools/templates/oid/policystore_group_aci.ldif
    Apr 25, 2014 11:49:01 AM oracle.ldap.util.LDIFLoader loadOneLdifFile
    INFO: -> LOADING:  /app/oracle/products/app/iam//idmtools/templates/oid/rgx_appid_membership.ldif
    Initialising variables for reconciliation tasks

4. Finally go to Oracle Entitlements Server (APM) > Search Role Template. Now search by Group Id = DAS

5. Open 'General Ledger Template for Ledger' > Go to Summary tab > Delete all the Invalid Roles > Hit the 'Generate' button and it will immediately generate 20 roles (based on your environment).

6. You can then go to OIM System Administrator > Assign the newly generated roles to your GL implementation users. However, you must synchronize these roles with LDAP and IDM first (otherwise you won't be able to see them in IDM).

7. It was quite challenging, and at last it was resolved after approximately a week of work.
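
A pre-flight check for the idm.props file from step 1, added here as an example and not part of the original post or of Oracle's tooling: it reports missing keys, non-numeric ports, search bases that fall outside IDSTORE_SEARCHBASE, and password-like keys stored in the file. The key list is taken from the file above; the checks, the function names and the constructed sample (example.com values with four deliberate mistakes) are assumptions.

```shell
#!/bin/sh
# Added example: lint idm.props before idmConfigTool.sh -postProvConfig (checks are assumptions).
REQUIRED="IDSTORE_HOST IDSTORE_PORT IDSTORE_BINDDN IDSTORE_USERSEARCHBASE IDSTORE_SEARCHBASE
IDSTORE_GROUPSEARCHBASE POLICYSTORE_HOST POLICYSTORE_PORT POLICYSTORE_BINDDN POLICYSTORE_CONTAINER
POLICYSTORE_READWRITEUSER OIM_T3_URL OIM_SYSTEM_ADMIN OVD_HOST OVD_PORT OVD_BINDDN"
# prop FILE KEY: print the value after the first colon, surrounding blanks trimmed.
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | head -n 1
}
# norm: lower-case a DN and drop spaces so DC=x and dc=x compare equal.
norm() { tr '[:upper:]' '[:lower:]' | tr -d ' '; }

lint_idm_props() {
    for k in $REQUIRED; do
        [ -n "$(prop "$1" "$k")" ] || echo "MISSING $k"
    done
    for k in IDSTORE_PORT POLICYSTORE_PORT OVD_PORT; do
        case $(prop "$1" "$k") in *[!0-9]*) echo "BADPORT $k" ;; esac
    done
    base=$(prop "$1" IDSTORE_SEARCHBASE | norm)
    for k in IDSTORE_USERSEARCHBASE IDSTORE_GROUPSEARCHBASE POLICYSTORE_READWRITEUSER; do
        dn=$(prop "$1" "$k" | norm)
        case $dn in ''|*",$base") ;; *) echo "OUTSIDE_BASE $k" ;; esac
    done
    # The tool prompts for every password (see the log above), so none belong in the file.
    grep -E '^[[:space:]]*[A-Z_]*(PASSW|PWD)[A-Z_]*[[:space:]]*:' "$1" |
        sed 's/[[:space:]]*:.*//; s/^[[:space:]]*/SECRET_IN_FILE /'
    return 0
}
write_sample() {   # constructed input with four deliberate mistakes
    cat > "$1" <<'EOF'
IDSTORE_HOST: idm.example.com
IDSTORE_PORT: 3060
IDSTORE_BINDDN: cn=orcladmin
IDSTORE_USERSEARCHBASE: cn=Users,DC=example,dc=com
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=exmaple,dc=com
POLICYSTORE_HOST: idm.example.com
POLICYSTORE_PORT:  3O60
POLICYSTORE_BINDDN: cn=orcladmin
POLICYSTORE_CONTAINER: cn=FAPolicies
POLICYSTORE_READWRITEUSER: cn=PolicyRWUser,cn=Users,dc=example,dc=com
OIM_T3_URL : t3://idm.example.com:14000
OIM_SYSTEM_ADMIN : xelsysadm
OVD_HOST: idm.example.com
OVD_PORT: 8899
OVD_PASSWD: placeholder-not-a-real-secret
EOF
}
tmp=$(mktemp) && write_sample "$tmp" && lint_idm_props "$tmp"; rm -f "$tmp"
```

An empty result means the file passed all four checks; each finding is one line naming the key to review.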
