Implementing Seek and Destroy (part 2)

In the previous blog post, I have described some of the best practices that are worthy of consideration when designing robust off-boarding processes. In part 1, I talked about how to implement some of these best practices using Oracle Identity Manager. This post is a continuation of the implementation discussion.

Trust but Verify. You need a system of checks and balances, at worst a single control where an alarm will go off somewhere if the terminated employee hasn't been off-boarded. In Oracle Identity Manager (OIM) this is best accomplished via attestation. Attestation tasks could be automatically generated for both (more...)

size sometimes does matter…

Not really. Well... You know what I mean. ;) Anyways, sorry for the "catchy" title. This entry is prompted by some of the ongoing exercise in fine tuning our AIX db servers. AIX is a great OS but the information needed to eke out the last ounce of performance for Oracle dbs is sparse, or across many documents. This blog entry is for my future reference on how to make Oracle use large pages in

Ask Identigral (issue 5)

Ask Identigral is our answer to Dear Abby. According to Wikipedia, "Dear Abby ... is known for its uncommon common sense and youthful perspective", two qualities we're striving for in our blog. Since Abby isn't very good when it comes to identity and access management products' arcana, I together with the rest of Identigral staff have decided to step in and close the gap. Email us your questions about any Oracle identity or access management product(s) and once a week we will post the answers here

We have applied the latest patch to our Oracle Identity Manager installation. Does that mean (more...)

Spring Cleaning

Each spring an annual rite beckons me. Software engineers might call it refactoring, artists prefer the term deconstruction and tres chic museum curators use denouement. The rest of the world calls it cleaning up your mess. Cobwebs are removed, dust is annihilated, furniture is rearranged, (ab)used items are donated or discarded. This is more out of habit (as rites wont to occur), the local microclimate doesn't really require winter clothes to be put away and summer clothes to be readily available. If you go through all this trouble of taking things apart and putting them back together, you (more...)

Resuming transmission…

I've been busy lately: preparing papers and presentations for the upcoming ODTUG, presenting at Hotsos-revisited, and presenting at the Dutch DBA-symposium. All spare time went into these activities, and the Helsinki blog just had to wait in line. But now I intend to resume transmission over here again. A couple of weeks ago I received the following comment on this blog: toon, Suppose we have a

OBI Forum Live Second Edition

I’m going to present in the OBI Forum Live (http://www.obi-forumlive.nl/) the next week on the 3rd Wednesday of June 2009. This second edition is really impressive and as I see that we will have parallel sessions, I’m already very disappointed because I couldn’t attend all presentations:

  • Multi-Language Dashboards, John Minkjan (http://obiee101.blogspot.com)
  • Oracle BI [...]

Implementing Seek and Destroy (part 1)

In the previous blog post, I have described some of the best practices that are worthy of consideration when designing robust off-boarding processes. Here I will go over possible implementation strategies for the first two bullets using Oracle Identity Manager (OIM) as an automation platform. I'll cover the other two bullets in my next post.

1. Be Fast. In terms of timing, off-boarding should be executed as close as possible to employee walking out the door. What this means is that OIM needs to know about the termination event before it actually happens. One way to accomplish this (more...)

New job, lots of exciting stuff

It’s been a week since I started my new job at Oracle Corporation. I’m a remote worker which means that the first day of work wasn’t the usual event since I just went to my home office and got on a concall with my new manager. After getting connectivity and accounts set up properly, I was able to pretty quickly work through the new hire checklist of forms and mandatory training.

My new Oracle-provided laptop arrived around mid-week and I realized that, at least for now, I’ll have to revert back to using the Windows-based laptop and (hopefully temporarily) put (more...)

Scuba diving pre-ODTUG Kaleidoscope, Monterey, 21-June-2009

I’m very pleased to report that I will be able to meet up with ODTUG Kaleidoscope attendees at both the ODTUG Community Service Day (2nd Annual!) and my own scuba dive outing as well. If you can, I’d love for you to attend both events. If you’re not a certified scuba diver, then you can at least participate in the Community Service Day festivities and help out the local area while enjoying some California weather too!

For those certified scuba divers that will (or can) be in the Monterey Bay area on 21-June, I invite you to come diving (more...)

Seek and destroy

In recent local news that became national news, Abdirahman Ismail Abdi, a former employee of California Water Services Company ("Cal Water"), a local water utility company, attempted to steal $9 million from the company by wiring the money to a bank in Qatar. Fun facts:

  • According to Cal Water's website, they're the largest investor-owned American water utility west of the Mississippi River and the third largest in US. Their parent company, California Water Services Group is a public company traded on NYSE with 2 million customers.
  • The attacker allegedly gained access to computers belonging to two senior executives in two (more...)

VMWare ESXi Hypervisor

Server virtualisation is something I have been using for a few years now both at work and at home. I mainly use VMWare Fusion on my MacBook Pro and VMWare Workstation / Player on an old Windows Laptop. For everyday tasks these products are amazing as I can run an (more...)

Ask Identigral (Issue 4)

Ask Identigral is our answer to Dear Abby. According to Wikipedia, "Dear Abby ... is known for its uncommon common sense and youthful perspective", two qualities we're striving for in our blog. Since Abby isn't very good when it comes to identity and access management products' arcana, I together with the rest of Identigral staff have decided to step in and close the gap. Email us your questions about any Oracle identity or access management product(s) and once a week we will post the answers here

We have a field on our Oracle Identity Manager user profile (Xellerate User object) that (more...)

Cedar Crestone HR System Survey 2009-2010 Available Now

I have been a big fan of Cedar Crestone survey for its sheer ability to combine HR and Technology so well.
Last year's results were amazing; those who missed them can have a look at the results here

This year the survey is back with a promise to extend the (more...)

Better Living Through Chemistry

I have always loved the subject of physics, but I am definitely a macro-gal instead of a quantum one. A Newton over Hamilton kind of thing. As a result, chemistry was one of my least favorite subjects in school. Having said this, I recently found that chemistry might actually be helpful in explaining the complexities surrounding the movement of an employee throughout an organization

We start by modeling the organization as a closed system with many molecules, like the Finance molecule, the HR molecule, the IT molecule and so on. Since molecules are made up of atoms, within each departmental (more...)

Give me federation or give me death

Once again, several threads coalesced and led to this blog. The chief impetus was a question asked on LinkedIn about federated identity management. Since the term federated identity management is somewhat of a misnomer (and a broadside), we'll use an even less accurate but slightly more legitimate federation. To wit, the person asking the question was wondering if federation is "critical" and why organizations are slow to adopt federation for "cross-organizational access"

My response to the question was that federation is not critical and the reasons for slow adoption are mostly standard. It's a fairly new technology with a (more...)

ActiveChgImp:Error in Mapping EngineODIException: DIP_GEN_INITIALIZATION_EXCEPTION

Seems like this week will go to resolve OID issues for us. We had another issue in our dev OID setup, where synchronization with AD is not happening and log says this:
=======================================================
ActiveChgImp:Error in Mapping EngineODIException: DIP_GEN_INITIALIZATION_EXCEPTION
java.lang.NullPointerException
at oracle.ldap.odip.util.DirUtils.getLastChgNum(DirUtils.java:48)
at oracle.ldap.odip.gsi.LDAPReader.initAvailableChgKey(LDAPReader.java:884)
at oracle.ldap.odip.gsi.LDAPReader.initialise(LDAPReader.java:250)
at oracle.ldap.odip.engine.AgentThread.readerInitialise(AgentThread.java:460)
at oracle. (more...)

How the optimizer may use an index for cardinality estimates without actually using it

Uncategorized
| May 18, 2009

Recently I was sent a data warehouse SQL query that performed badly. It took more than an hour and timed out. It was the first time that query was run with a particular parameter. Here I will show that to solve this, I created an index to give the optimizer better information, even though it did not actually use it to execute the query.

If I can, I always try to get a feeling for the cardinality estimates the optimizer makes, inspired at first by Wolfgang Breitling. The optimizer is strongly driven by expected cardinality and miscalculations, especially in the early (more...)

APP-FND-01564: ORACLE error 31202 in changepassword

We had this issue in our production this morning. Our dedicated sysadmin team were not able to change any user password from frontend. They were receiving following error "ORA-20001: Unable to call fnd_ldap_wrapper.update_user".
Issue came to us and we tried changing via FNDCPASS and in log we saw following message:
===============================================================
APP-FND-01564: ORACLE error 31202 in changepassword
Cause: changepassword failed due to ORA-31202: DBMS_LDAP: LDAP client/server error: Invalid credentials. Password Policy Error :9000: GSL_PWDEXPIRED_EXCP (more...)

Use It or Lose It

This blog post is a continuation of Waiting at a Station where I talked about attestation and possible strategies of reducing its scope. The strategy I am proposing is to segment user accounts into active and dormant where the definition of dormant is set by audit guidelines or IT policy; dormant accounts can then be excluded from attestation. At its simplest (and for the sake of this example), we can define dormant as any account that has not been used since the last attestation. If we assume that attestation is done once a quarter, our definition becomes "any account that (more...)

Ask Identigral (Issue 3)

Ask Identigral is our answer to Dear Abby. According to Wikipedia, "Dear Abby ... is known for its uncommon common sense and youthful perspective", two qualities we're striving for in our blog. Since Abby isn't very good when it comes to identity and access management products' arcana, I together with the rest of Identigral staff have decided to step in and close the gap. Email us your questions about any Oracle identity or access management product(s) and once a week we will post the answers here.

We want to use Oracle Identity Manager (OIM) to manage Active Directory (AD) passwords. However, (more...)