OIM 11.1.1.5 provisioning role based objectclasses and attributes

Similar Messages

• Role based security and ACLs

  Hello,
  I have a question regarding Roles and ACLs. I understand that I can use one or more security realms to host users, groups, and ACLs. (In fact I am implementing a custom realm for users and groups like RDBMSRealm, and wanted WLPropertyRealm to handle ACL/permission based duties.)
  Reading the "Writing a Web Application" it is apparent that ACLs are not supposed to be used for Servlets/JSP anymore, but rather to map roles to security principals via the deployment descriptor files for the web application.
  So:
  1. I assume that Weblogic will determine, once I have authenticated the user in my realm, whether or not the user is in a certain role, and therefore, whether or not they have access to a particular resource?
  2. What happened to the concept of permissions? Is it assumed that if the user is in the required role that they have permission to execute the servlet/JSP?
  3. Does it make sense to talk about ACLs anymore? A checkPermissions() method on an Acl object doesn't make sense now. Instead am I to use isUserInRole() ? (This doesn't seem the same to me - asking if User A has execute permission on this resource is different than asking if User A is in the CSR role.)
  Your response is appreciated.

  Hello,
  I have a question regarding Roles and ACLs. I understand that I can use one or more security realms to host users, groups, and ACLs. (In fact I am implementing a custom realm for users and groups like RDBMSRealm, and wanted WLPropertyRealm to handle ACL/permission based duties.)
  Reading the "Writing a Web Application" it is apparent that ACLs are not supposed to be used for Servlets/JSP anymore, but rather to map roles to security principals via the deployment descriptor files for the web application.
  So:
  1. I assume that Weblogic will determine, once I have authenticated the user in my realm, whether or not the user is in a certain role, and therefore, whether or not they have access to a particular resource?
  2. What happened to the concept of permissions? Is it assumed that if the user is in the required role that they have permission to execute the servlet/JSP?
  3. Does it make sense to talk about ACLs anymore? A checkPermissions() method on an Acl object doesn't make sense now. Instead am I to use isUserInRole() ? (This doesn't seem the same to me - asking if User A has execute permission on this resource is different than asking if User A is in the CSR role.)
  Your response is appreciated.

• Sales hierarchy . role based reports and Data access, Best practice and sol

  Dear all,
  Currently working on a solution for Sales. There a geography and sales position hierarchy.
  e.g. (USA,EU,ASIA) --> EU head -->UK head -->Northern UK head -->London head -->East london--> Postal codes in east london.
  so altogether 7 roles and 7 positions, all these users can see data at it's level and below.
  Also the summary report/ Prompts/ subject area columns for each of these users must be at their corresponding level and just 1 level below.
  e.g. EU head by default must see column EU and country UK, UK head will see report only for UK and Northern UK region and so on.
  After lots of thinking i am planing to take approach of creating 6 sets of similar dashboard/ different prompts/ different global filters/ reports.
  Data level access is not at all issue i am easily able to manage.
  Request experts to guide is there is any other better approach to take for objects in catalog.?
  many thanks in advance.
  Regards,
  Yogen

  Dear Srini,
  Data level Security is not at all issue for me. Have already implement it and so far not a single bug in testing is caught.
  It's about object level security and that too for 6 different types of user demanding different reports i.e. columns and detailed drill downs are different.
  Again these 6 types of users can be read only users or power users (who can do ad hoc analysis) may be BICONSUMER and BIAUTHOR.
  so need help regarding that...as we have to take decision soon.
  thanks,
  Yogen

• Reseeding cache for users with role based security

  I have role based security and trying to set up cache by purging all cache and later seeding cache by query. The query would be different for different users. What is the best way to purge all cache and reseed cache for administrator as well as all users. The EPT would purge cache based on updated tables. But how do I next go about reseeding cache for better performance to all the users. Thanks.

  I have created an ibot with the following:
  General - Normal Priority, Personalized (recipient's data visibility)
  Conditional Request - example_report
  Schedule - some schedule
  Recipients - Me(administrator) and User1
  Destinations - Oracle BI Server cache
  when the ibot runs 2 cache entries are created (for the 2 recipients).
  I have the report (example_report) on the dashboard (1 dashboard, 1 page, 1 report).
  After the ibot runs:
  When the administrator logs in first, there is a cache hit on the report. Followed by when the User1 logs in there is NO cache hit.
  On the other hand when the User1 logs in first, there is a cache hit on the report. Followed by when the administrator logs in there is no cache hit. The query log creates a Query issued to the database instead of cache hit on query.
  The User1 has a data level security.
  Please let me know where was I making an error in setting the ibot and how to get the cache seeding work for the different users with different role based security.
  Thanks for your inputs.

• Public/Role Based Lists

  Do you know if/how it is possible to create a new role based list and assign that list to multiple roles (keeping the same/identical name)?
  For example I want to create a list named Open Opportuntiies. I want to use slightly different criteria and create the same named list for just roles 2 and 3 ... and assign the original one to role 1 only. Can this be done? Seems that the list name must be unique. Is that true?

  Hi,
  Yes the list name has to be unique. You'll need to create different list names here
  Thanks
  Oli @ Innoveer

• Pre-populate adapters behaviour during role based provisioning

  Hi all,
  I have a question about pre-populate adapters behaviour during role based provisioning.
  I'll sortly describe our architecture: we have OIM 11.1.1.3, Active Direcotry connector and obviously Active Directory as target system.
  Our scenario is: assigning a role to a user , OIM should provision two account for this user to the same target system but in two different organizational unit (Active Directory).
  Here some sample information to better understand our request:
  - OIM User userID: userid1
  - Active Directory IT Resource: ADServer1
  - Active Directory Organizational Units: OU1 and OU2
  - Role: Example Role
  - UserID of the account provisioned in OU1: admin.userid1 (in this organizational unit the UserID is composted by a prefix "admin." and the OIM User UserID "user1")
  - UserID of the account provisioned in OU2: user.userid1 (in this organizational unit the UserID is composted by a prefix "user." and the OIM User UserID "user1")
  To achieve this goal, we have created two access policies AP1 and AP2. The first access policy provision the user account in OU1; while the second one in OU2.
  Here some access policies form details:
  ### AP1 ###
  - AD Server: ADServer1
  - Organization Name: OU1
  (other fields are empty)
  ### AP2 ###
  - AD Server: ADServer1
  - Organization Name: OU2
  (other fields are empty)
  Our idea was to develope two pre-populate adapter: one to compose the userID with "admin." prefix and the other one to compose userID with "user." prefix. However this solution cannot work because obviously you can link only one pre-populate adapter to a resource form field.
  Any suggestion to avoid to create a second resource form?
  Thank in advise,
  Daniele

  Hi,
  probably your confusion is caused by my english....anyway....
  I'm trying to generate two userids and in our scenario it's simple map the organizational units. For example userids in organizational units OU1 have "admin." prefix; while organizational units OU2 have "user." prefix.
  Do you suggest to create a pre-populate adapter that use a lookup to set the correct prefix based on organizational unit name?
  Thank you
  Daniele

• OIM 11g r2  User  UDF fields  Updation based on AD ID

  Hi,
  We have to update the UDF fields created for the users in OIM using the data from a table.
  This table contains the AD ID, and other fields.
  OIM User (already available) will be updated based on AD ID ….i;e AD ID column will be used to find the user in OIM and then his UDF will be updated based on the respective data from other columns in the table .
  Please can you help me on this task?
  Thanks,

  Your requirement doesn't tell much like when you want to update your user. If it would be on daily basis then go for Schedule Task, if you want to at the time of provisioning then you can have one task and attach your code to bring AD ID in OIM..
  You may leverage Event Handlers as well if your use case requires that.

• Renumbering with ACL-Friendly Role-Based Addressing or...?

  We are a mid-sized manufacturing firm operating out of three locations and we are in the process of making plans to restructure and renumber our networks so as to better facilitate automated configuration management and security, in addition to easing our deployment of IPv6.  Currently, at each site the L3/L2 boundary resides at the network core, but increasing traffic/chatter has us considering moving the L3/L2 boundary to the access layer(s), which consist of 3560-X units in the wiring closets that are supporting edge devices either directly or via 8-port 3560-C compact switches in the further reaches of our manufacturing and warehouse spaces.
  As we contemplate moving to a completely routed network, the big unknown we're struggling with is whether or not it is safe or even desirable to abandon ACL-friendly addressing, and whether, in doing so, we can expect to run into hardware limitations resulting from longer ACLs.
  Currently, each of our site-wide VLANs gets a subnet of the form 10.x.y.0/24, where x identifies the site and y identifies the class of equipment connected to said VLAN.  This allows us to match internal traffic of a given type with just a single ACE, irrespective of where the end-point device resides geographically.  Moving L3 routing decisions out to the access switches will require that we adopt smaller prefix assignments, with as many as 8 distinct subnets on each of our standard-issue 3560CG-8PC compact switches.  Why so many, you ask?  We currently have more than 30 ACL-relevant classifications of devices/hosts - a number that will only grow with time, and to maximize the availability of all services, it is our policy to physically distribute edge devices of a given class (eg. printers, access points, etc) over as many access switches as possible.
  From what I can see, we have three options, each of which present trade-offs in terms of management complexity and address utilization efficiency: 
  Option 1: Stick with ACL-friendly addressing, both for IPv4 and IPv6, and allocate uniform prefixes to each access switch.  For IPv4, within the 10.0.0.0/8 block we would probably allocate 8 bits to the site ID (/16), followed by 6 bits as the switch ID (/22), and 7 bits to identify the equipment/host classification (/29), for a maximum of 5 available addresses for a given class of devices on a given access switch.  For IPv6, assuming we have a /48 block for each site, we would use the first two bits to identify the type of allocation, the following 6 as the switch ID (/56), and the following 8 as the equipment/host classification (/64).
  Option 2: Abandon ACL-friendly addressing and dynamically allocate standard-sized prefixes from a common pool to each VLAN on a given switch.  The advantages of this approach are increased utilization efficiency and more addresses available within each VLAN, but it comes at the cost of non-summarizable routing tables and ACLs, and even if the hardware can handle this, it means we're talking about a more complex configuration management system and less ease in troubleshooting problems.
  Option 3: Do something similar to option 1, but with the L2/L3 boundary positioned at the distribution layer rather than the access layer.  I'm disinclined to go this route, as it seems to require the same, if not more, management complexity than we'll encounter with option 1, with only marginal benefits over keeping things the way they are currently (L2/L3 boundary at the network core).
  Thoughts?  What issues have we neglected to consider?  No matter which approach we select, it shall be assumed that we will be building a system to track all of these prefix assignments, provision switches, and manage their configurations.  From a standpoint of routing protocols, we would probably be looking at OSPFv2/v3.  It can also be assumed that if we encounter legacy devices requiring direct L2 connectivity to one another that we already have ways of bridging their traffic using external devices, so as far as this discussion is concerned, they aren't an issue.
  Thanks in advance for your ideas!
  -Aaron

  Hi David,
  Permissions based on GUI components is a simple & neat idea. But is it rugged? Really secure? It might fall short of Grady Booch's idea of Responsibilities of objects. Also that your Roles and Access components are coupled well with Views!!!!!!!
  My suggestion regarding the Management Beans is only to do with the dynamic modification which our discussion was giong forward.
  If we go back to our fundamental objective of implementing a Role based access control,let me put some basic questions.
  We have taken the roles data from a static XML file during the start up of the container. The Roles or Access are wanted to be changed dynamically during the running of the container. You would scrutinize the changes of Roles and access before permission during the case of dynamic modification.
  Do you want this change to happen only for that particular session? Don't you want these changes to persist??? When the container is restarted, don't you want the changes to stay back?
  If the answer to the above is YES(yes I want to persist changes), how about doing a write operation(update role/access) of the XML file and continue your operation? After all, you can get the request to a web or session bean and keep going.
  If the answer to the above is NO(no, i don't want to persist), you can still get the change role request to a web or session bean and keep going.
  Either way, there is going to be an intense scrutiny of the operator before giving her permissions!!!
  One hurdle could be that how to get all neighbouring servers know about the changes in roles and access??? An MBean or App Server API could help you in this.
  May I request all who see this direction to pour in more comments/ideas ? I would like to hear from David, duffymo, komone and jschell.
  Rajesh

• Role Based FireFighter

  Greetings All,
  We are doing SAP GRC Access Control implementation in our company. We have Modulewise Master Roles working as firefighter Roles. In emergency we assign it to a user for 24 hours. Now when we are implementing FireFighter we want to keep existing Role Model but use the funcationality of FF. Have anyone gone through this scenario, do let me know the steps we need to configure the existing model with new FF Model and AE.
  Thanks in advance,
  Regards,
  Sabita Das

  Try Firefighter roles instead of Firefighter users.
  FF access via role assignments can be approved and provisioned in Access Enforcer (AE). Firefighter access can also be removed via Access Enforcer by submitting a request to remove the firefighter roles. FF access approvals are captured in the AE audit trail. The business reason for requesting/approving the access can also be captured in the comment section of AE.
  FF access could be granted only after appropriate approvals EVERY time a user needs FF access. Each time a request for the FF role through AE (the request could go through a separate workflow path) and the request will be approved before being provisioned to the user. The approver can change the validity dates on the role assignment so that it can be provisioned for one day, for a week, a month, etc... An audit trail in AE will provide the approver information for historical purposes. This meets the policy of approvals every time FF access is provided instead of the 24/7 master data set-up in the original Firefighter process.
  When running an SOD risk analysis on the user, the report will show the SODs the user has including their Firefighter access. (These SODs would then be mitigated per user even though they are a Firefighter.) There is a risk to the company when a firefighter can do one half of the risk on their own user ID and the second half of the risk on their Firefighter ID. Although this could still be caught, it would take some manual analysis. By using role-based Firefighter, all activities are performed and recorded under the user's normal user ID.
  The Firefighter does not need to "check-out" a Firefighter ID the access is on their normal user ID.
  The standard SAP audit trails have the user IDs instead of the firefighter IDs, so when researching the change, the firefighter logs don't need to be analyzed to see which user had used that Firefighter ID at that time.

• Role based oracle adf security and filtering data

  while oracle adf security looks great its only role based... does anyone know of any resources describing an architecture where this is used in addition to filtering of data based on say, organization?
  it seems that oracle adf security is not really geared towards a self service app where administrative users have a security interface as part of the application where they can assign roles and associate users to entities for the further filtering of data...

  Hi,
  it seems that oracle adf security is not really geared towards a self service app where administrative users have a security interface as part of the application where they can assign roles and associate users to entities for the further filtering of data...
  ADF Security is a JAAS based security implementation to protect resources (like entities). It is nota security provider like OPSS or OID which you can use for user provisioning and self service (if you code against the IDM APIs). ADF Security only checks for whether a user is authenticated and if the user has the permission to perform a task.
  However, you can use groovy to access the security context from Groovy, which allows you to add the authenticated username to a query - for example to filter recrds out that match the username in one of its attributes.
  For example, you could create a ViewCriteria that for example filters the query by a specific attribute. Say that managers can see data starting from department 10 whereas employees can see data starting from department 100. The ViewCriteria would reference a bind variable with the following default setting
  adf.context.securityContext.isUserInRole('manager')? 10 : 100
  Frank

• Why Role based Firefighter

  Hello Folks,
  What is the difference between Role based and Firefighter Id based Firefighting from an organization point of view.
  The general practice is to go with Firefighter ID but I want to know a situation when Firefighter Role based strategy can be an advantage over the other.
  In the user guide it is not mentioned when and why Role based Firefighter should be used.
  Thanks in advance,
  Amol Bharti

  FF access via role assignments can be approved and provisioned in Access Enforcer (AE). Firefighter access can also be removed via Access Enforcer by submitting a request to remove the firefighter roles. FF access approvals are captured in the AE audit trail. The business reason for requesting/approving the access can also be captured in the comment section of AE.
  FF access could be granted only after appropriate approvals EVERY time a user needs FF access. Each time a request for the FF role through AE (the request could go through a separate workflow path) and the request will be approved before being provisioned to the user. The approver can change the validity dates on the role assignment so that it can be provisioned for one day, for a week, a month, etc... An audit trail in AE will provide the approver information for historical purposes. This meets the policy of approvals every time FF access is provided instead of the 24/7 master data set-up in the original Firefighter process.
  When running an SOD risk analysis on the user, the report will show the SODs the user has including their Firefighter access. (These SODs would then be mitigated per user even though they are a Firefighter.) There is a risk to the company when a firefighter can do one half of the risk on their own user ID and the second half of the risk on their Firefighter ID. Although this could still be caught, it would take some manual analysis. By using role-based Firefighter, all activities are performed and recorded under the user's normal user ID.
  The Firefighter does not need to "check-out" a Firefighter ID the access is on their normal user ID.
  The standard SAP audit trails have the user IDs instead of the firefighter IDs, so when researching the change, the firefighter logs don't need to be analyzed to see which user had used that Firefighter ID at that time.

• Privileges and Roles Based Views

  Hello,
  I have been confguring Roles based Views with Windows radius authentication on our 2960's and 3750's and it is working great.  I have 2 users, one with a Roles Base View called "priv3" and the other is for admins of login as the "root" view.  I have one Windows Active Directory group for "priv3" users and the other for admins using "root".
  Now I have to configure this on our 2955 switches and to my horror they don't seem to support Roles Based Views!!  fI you know if they can then all this would be solved, I've using the latest IOS c2955-i6k2l2q4-mz.121-22.EA13.bin.
  How can convert the Roles Base Views to privileges and use radius and not effect the other switches,as I've never used privilges.
  I hope someone can help with the config:
  Below is the config I use on the 2960's and 3750's and also what I use on the radius servers.  I guess I would need ot use a priv 15 setup and a custom view called priv3?
  Priv3 radius user settings
  cisco av-pair cli-view-name=priv3
  Priv 15 or root user settings
  cisco av-pair shell:priv-lvl=15
  cisco av-pair shell:cli-view-name=root
  Config:
  version 12.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname 3750
  boot-start-marker
  boot-end-marker
  logging buffered 64000
  logging console informational
  logging monitor informational
  enable secret 5 $1$1UGK$kHB.S2UwMVXaG3C0
  username admin privilege 15 secret 5 $1$BsaS$cLHllovL2ZFb1
  username priv3users view priv3 secret 5 $1$JfnH$vUu.B.natnyB.
  aaa new-model
  aaa authentication login default group radius local
  aaa authentication enable default line
  aaa authorization console
  aaa authorization exec default group radius local
  aaa session-id common
  clock timezone GMT 0
  clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
  switch 1 provision ws-c3750g-12s
  switch 2 provision ws-c3750g-12s
  system mtu routing 1500
  udld aggressive
  no ip domain-lookup
  ip domain-name CB-DI
  login on-failure log
  login on-success log
  crypto pki trustpoint TP-self-signed-3817403392
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-3817403392
  revocation-check none
  rsakeypair TP-self-signed-3817403392
  crypto pki certificate chain TP-self-signed-3817403392
  certificate self-signed 01
    removed
    quit
  archive
  log config
    logging enable
    logging size 200
    notify syslog contenttype plaintext
    hidekeys
  spanning-tree mode rapid-pvst
  spanning-tree extend system-id
  spanning-tree vlan 10 priority 8192
  vlan internal allocation policy ascending
  ip ssh version 2
  interface GigabitEthernet1/0/1
  interface GigabitEthernet1/0/24
  interface Vlan1
  description ***Default VLAN not to be used***
  no ip address
  no ip route-cache
  no ip mroute-cache
  shutdown
  interface Vlan10
  description ****
  ip address 10.10.150.11 255.255.255.0
  no ip route-cache
  no ip mroute-cache
  ip default-gateway 10.10.150.1
  ip classless
  no ip http server
  ip http secure-server
  logging trap notifications
  logging facility local4
  logging source-interface Vlan10
  logging 10.10.21.8
  logging 172.23.1.3
  access-list 23 permit 10.10.1.65
  snmp-server community transm1t! RO
  snmp-server trap-source Vlan10
  radius-server host 10.10.1.33 auth-port 1645 acct-port 1646 key 7 090D7E080D37471E48
  radius-server host 10.10.1.34 auth-port 1645 acct-port 1646 key 7 08607C4F1D2B551B51
  radius-server vsa send accounting
  radius-server vsa send authentication
  line con 0
  exec-timeout 60 0
  logging synchronous
  line vty 0 4
  access-class 23 in
  exec-timeout 60 0
  logging synchronous
  transport input ssh
  line vty 5 14
  access-class 23 in
  no exec
  transport input ssh
  parser view priv3
  secret 5 $1$XSCo$feyS.YaFlakfGYUgKHO/
  ! Last configuration change at 16:34:56 BST Fri Apr 13 2012
  commands interface include shutdown
  commands interface include no shutdown
  commands interface include no
  commands configure include interface
  commands exec include configure terminal
  commands exec include configure
  commands exec include show ip interface brief
  commands exec include show ip interface
  commands exec include show ip
  commands exec include show arp
  commands exec include show privilege
  commands exec include show interfaces status
  commands exec include show interfaces Vlan10 status
  commands exec include show interfaces Vlan1 status
  commands exec include show interfaces GigabitEthernet2/0/12 status
  commands exec include show interfaces GigabitEthernet2/0/11 status
  commands exec include show interfaces GigabitEthernet2/0/10 status
  commands exec include show interfaces GigabitEthernet2/0/9 status
  commands exec include show interfaces GigabitEthernet2/0/8 status
  commands exec include show interfaces GigabitEthernet2/0/7 status
  commands exec include show interfaces GigabitEthernet2/0/6 status
  commands exec include show interfaces GigabitEthernet2/0/5 status
  commands exec include show interfaces GigabitEthernet2/0/4 status
  commands exec include show interfaces GigabitEthernet2/0/3 status
  commands exec include show interfaces GigabitEthernet2/0/2 status
  commands exec include show interfaces GigabitEthernet2/0/1 status
  commands exec include show interfaces GigabitEthernet1/0/12 status
  commands exec include show interfaces GigabitEthernet1/0/11 status
  commands exec include show interfaces GigabitEthernet1/0/10 status
  commands exec include show interfaces GigabitEthernet1/0/9 status
  commands exec include show interfaces GigabitEthernet1/0/8 status
  commands exec include show interfaces GigabitEthernet1/0/7 status
  commands exec include show interfaces GigabitEthernet1/0/6 status
  commands exec include show interfaces GigabitEthernet1/0/5 status
  commands exec include show interfaces GigabitEthernet1/0/4 status
  commands exec include show interfaces GigabitEthernet1/0/3 status
  commands exec include show interfaces GigabitEthernet1/0/2 status
  commands exec include show interfaces GigabitEthernet1/0/1 status
  commands exec include show interfaces Null0 status
  commands exec include show interfaces
  commands exec include show configuration
  commands exec include show
  commands configure include interface GigabitEthernet1/0/1
  commands configure include interface GigabitEthernet1/0/2
  commands configure include interface GigabitEthernet1/0/3
  commands configure include interface GigabitEthernet1/0/4
  commands configure include interface GigabitEthernet1/0/5
  commands configure include interface GigabitEthernet1/0/6
  commands configure include interface GigabitEthernet1/0/7
  commands configure include interface GigabitEthernet1/0/8
  commands configure include interface GigabitEthernet1/0/9
  commands configure include interface GigabitEthernet1/0/10
  commands configure include interface GigabitEthernet1/0/11
  commands configure include interface GigabitEthernet1/0/12
  commands configure include interface GigabitEthernet2/0/1
  commands configure include interface GigabitEthernet2/0/2
  commands configure include interface GigabitEthernet2/0/3
  commands configure include interface GigabitEthernet2/0/4
  commands configure include interface GigabitEthernet2/0/5
  commands configure include interface GigabitEthernet2/0/6
  commands configure include interface GigabitEthernet2/0/7
  commands configure include interface GigabitEthernet2/0/8
  commands configure include interface GigabitEthernet2/0/9
  commands configure include interface GigabitEthernet2/0/10
  commands configure include interface GigabitEthernet2/0/11
  commands configure include interface GigabitEthernet2/0/12
  ntp logging
  ntp clock-period 36028961
  ntp server 10.10.1.33
  ntp server 10.10.1.34
  end
  Thanks!!!!

  DBelt --
  Hopefully this example suffices.
  Setup
  SQL> CREATE USER test IDENTIFIED BY test;
  User created.
  SQL> GRANT CREATE SESSION TO test;
  Grant succeeded.
  SQL> GRANT CREATE PROCEDURE TO test;
  Grant succeeded.
  SQL> CREATE ROLE test_role;
  Role created.
  SQL> GRANT CREATE SEQUENCE TO test_role;
  Grant succeeded.
  SQL> GRANT test_role TO test;
  logged on as Test
  SQL> CREATE OR REPLACE PACKAGE definer_rights_test
    2  AS
    3          PROCEDURE test_sequence;
    4  END definer_rights_test;
    5  /
  Package created.
  SQL> CREATE OR REPLACE PACKAGE BODY definer_rights_test
    2  AS
    3          PROCEDURE test_sequence
    4          AS
    5          BEGIN
    6                  EXECUTE IMMEDIATE 'CREATE SEQUENCE test_seq';
    7          END;
    8  END definer_rights_test;
    9  /
  Package body created.
  SQL> CREATE OR REPLACE PACKAGE invoker_rights_test
    2  AUTHID CURRENT_USER
    3  AS
    4          PROCEDURE test_sequence;
    5  END invoker_rights_test;
    6  /
  Package created.
  SQL> CREATE OR REPLACE PACKAGE BODY invoker_rights_test
    2  AS
    3          PROCEDURE test_sequence
    4          AS
    5          BEGIN
    6                  EXECUTE IMMEDIATE 'CREATE SEQUENCE test_seq';
    7          END;
    8  END invoker_rights_test;
    9  /
  Package body created.
  SQL> EXEC definer_rights_test.test_sequence;
  BEGIN definer_rights_test.test_sequence; END;
  ERROR at line 1:
  ORA-01031: insufficient privileges
  ORA-06512: at "TEST.DEFINER_RIGHTS_TEST", line 7
  ORA-06512: at line 1
  SQL> EXEC invoker_rights_test.test_sequence;
  PL/SQL procedure successfully completed.
  SQL> SELECT test_seq.NEXTVAL from dual;
               NEXTVAL
                     1

• OIM 9.1 AD Account Provisioning

  Has anyone ran into the scenario where you go to provision an AD account and the process fails because the account already exist on the target which results in the resource status remaining as "provisioning". I expected that status to change to "provisioned" once a recon was ran which would link the account to the OIM user but it didn't. The recon linked the account but from the user's resource profile you can see that it didn't.

  first of all when the account with the same id is found on Ad, it may necessarily not be that of the user unless you have ascertained that. If you want the adapter to return a success what you should have done is mapping the user_already exists retrun code to C for completed instead of an R for rejected, which is why the resource is going into a provisioning status.
  BTW does your create user task or whatever task last gets executed before the provisioning is deemed as complete have the task to object status mapping set to C=Provisioned?
  What you will need to do is, revoke the AD resource from the user's resource profile list and then run the recon, the account should now be linked to the user if the owner matching rules match up to the identity in oim.

• To run OHS at port 80 using solaris role based access control

  Hi.
  I already know & have done setuid root to ohs/bin/.apachectl to allow ohs to listen to port 80. Now on a new OFM 11.1.1.4 install, I want to use Solaris Role Based Access Control (RBAC) instead. Is it possible? RBAC does work as I can run a home built apache2 httpd at port 80 withOUT suid root.
  On Solaris 10, I enabled oracle uid to run process below port 1024 using RBAC
  /etc/user_attr:
  oracle::::type=normal;defaultpriv=basic,net_privaddr
  Change OHS httpd.conf Listen from port 8888 to port 80.
  However, opmnctl startproc process-type=OHS
  failed as below with nothing showing in the diag logs:
  opmnctl startproc: starting opmn managed processes...
  ================================================================================
  opmn id=truffle:6701
  0 of 1 processes started.
  ias-instance id=asinst_1
  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  ias-component/process-type/process-set:
  ohs1/OHS/OHS/
  Error
  --> Process (index=1,uid=187636255,pid=25563)
  failed to start a managed process after the maximum retry limit
  Thx,
  Ken

  Just to add my two cents here.
  The commando used on Solaris to assign the right privilege to bind TCP ports < 1024 is:
  # usermod -K defaultpriv=basic,*net_privaddr* <your_user_name>
  Restart the opmnctl daemond.
  After that OHS/Apache user can bind to lower TCP ports.
  Regards.
  Edited by: Tuelho on Oct 9, 2012 6:05 AM

• Error while provisioning roles (SetABAPRole&ProfileForUser)

  Hi Experts
  While provisioning roles in IDM 7.2, I see this error in the Job logs:
  Failed running function in string "$FUNCTION.sap_abap_getNameOfAssignedPendingPrivileges(mskey!!repname!!role!!true)$$". Marking entry as failed. Exception was: undefined: "sap_abap_convertToABAPValidFromDate" is not defined.
  I am getting this error only if I provision the existing SAP users. Assigning any role to a new user works fine. Went through both the above mentioned scripts, but don't see any Problem there.
  What am I missing here?
  Best regards
  Annapurna

  Hi Annapurna,
  I was just going through the setup in our landscape and noticed that we have only one script for Assign User Membership to ABAP which is "sap_abap_getNameOfAssignedPendingPrivileges"
  As mentioned by Jai earlier, we have the same script as Jai.
  Can you try by using the below script for "sap_abap_getNameOfAssignedPendingPrivileges" and delete the other two and try to execute?
  Not sure, if this could work, but maybe can give a try.
  Script below:
  ===============================================
  // Main function: sap_abap_getNameOfAssignedPendingPrivileges
  * Returns a list of all privileges with properties {validfrom, validto} of the
  * passed user for the passed repository and the passed privilege type.
  * It contains all already assigned privileges plus/minus the delta of the
  * current pending added and/or removed privileges.
  * Note: Needed by connectors that always send the complete list of privileges
  *       to the backend, e.g. ABAP, BusinessSuite, JAVA
  * @param {Par} Format:
  * MSKEY of user!!repository name!!privilege type<!!includeValidityProperty>
  *              e.g. 172645!!BQQ001!!PROFILE!!TRUE
  * @return {String} List of Privilege (backend) names in format:
  * if includeValidityProperty is defined as true, then
  * {VALIDFROM=<date>!!VALIDTO=<date>}<priv>|{VALIDFROM=<date>!!VALIDTO=<date>}<priv>|{VALIDFROM=<date>!!VALIDTO=<date>}<priv>
  * else
  * <priv>|<priv>|<priv>
  function sap_abap_getNameOfAssignedPendingPrivileges(Par) {
  importClass(java.lang.StringBuffer);
  // enable this flag (tracingEnabled) only for debugging purposes as this will impact the performance
  var tracingEnabled = false;
  uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: is called with " + Par);
  var parameters = Par.split("!!"); 
  var mskey = parameters[0];
  var repositoryName = parameters[1];
  var privilegeType = parameters[2];
  var addValidityProperty = false;
  if (parameters.length > 3 && parameters[3] != null && parameters[3].toLowerCase() == "true") {
  addValidityProperty = true;
  uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: mskey: " + mskey);
  uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: repositoryName: " + repositoryName);
  uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: privilegeType: " + privilegeType);
  uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: addValidityProperty: " + addValidityProperty);
  var nolock = "";
  if("%$ddm.databasetype%" == 1) { //MS-SQL
  nolock = "WITH (NOLOCK)";
  if (tracingEnabled) {
  sap_debug_logUserAssignments(mskey);
  * - get only assignments (mcLinkType = 2)
  * - get all assignments of current entry X (mcLinkState = 0, mcExecState = 1 & mcDisabled = 0)
  * - and with assignments in state "pending add" (mcLinkState = 1 & mcExecState = 512 or 513,
  mcDisabled can be 1 e.g. if the user gets reactivated)
  * - assignments with mcExecState 2 (Rejected) and 4 (Failed) are not included. If a failed
  * assignment gets retried, the state changes immediately to pending.
  * - for specfified repository Y
  * - and privilege type Z
  * - add member task must have been running for the privilege (mcAddAudit IS NOT NULL)
  -> no future assignments
  -> no assignments for which an approval will be done but approval task is not yet running
  * - no privileges for which an approval is needed/running
  * mcValidateAddAudit < mcAddAudit <- approval is already done
  * or mcValidateAddAudit IS NULL <- if no approval is necessary
  * - no duplicate privilege names (-> SELECT DISTINCT) in case of contexts
  var sql = "SELECT DISTINCT privilegename.mcMSKEYVALUE, assignment.mcValidFrom, assignment.mcValidTo \
  FROM idmv_value_basic_all repositorynames " + nolock + " \
  INNER JOIN idmv_value_basic_all privilegetype " + nolock + " ON privilegetype.mskey = repositorynames.mskey \
  INNER JOIN idmv_entry_simple privilegename " + nolock + " ON privilegename.mcMSKEY = repositorynames.mskey \
  INNER JOIN mxi_link assignment " + nolock + " ON assignment.mcOtherMskey = repositorynames.mskey \
  WHERE assignment.mcThisMskey = " + mskey + " \
  AND assignment.mcLinkType = 2 \
  AND (\
  (assignment.mcLinkState = 0 AND assignment.mcExecState = 1 AND assignment.mcDisabled = 0) \
  OR (\
  assignment.mcLinkState = 1 AND assignment.mcExecState  IN (512,513) \
  AND ( \
  (assignment.mcAddAudit > assignment.mcValidateAddAudit) \
  OR \
  (assignment.mcAddAudit IS NOT NULL AND assignment.mcValidateAddAudit IS NULL) \
  AND repositorynames.attrname = 'MX_REPOSITORYNAME' AND repositorynames.SearchValue = '" + repositoryName + "' \
  AND privilegetype.attrname = 'MX_PRIVILEGE_TYPE'  AND privilegetype.SearchValue = '" + privilegeType + "'";
  //result looks like privMskeyValue!!privMskeyValue!!privMskeyValue
  var result = uSelect(sql);
  uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: SQL Query:\n" + sql);
  uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: Result: " + result);
  var allPrivsStringBuf = new StringBuffer();
  var firstElement = true;
  if (result != null && result != "") {
  var resultArray = result.split("!!");
  for (var i = 0; i < resultArray.length; i++) {
  var columns = resultArray[i];
  var columnArray = columns.split("|");
  //privMskeyValue is like PRIV:<type>:<repository>:<privilegeName>
  var privMskeyValue = columnArray[0];
  var repTemp = privMskeyValue.split(":");
  var repstring = repTemp[0] + ":" + repTemp[1] + ":" + repTemp[2] + ":";
  var privName = uReplaceString(privMskeyValue, repstring, "");
  if (!firstElement) {
  allPrivsStringBuf.append("|");
  if (addValidityProperty) {
  var validfrom = columnArray[1];
  var validto = columnArray[2];
  allPrivsStringBuf.append("{VALIDFROM=");
  allPrivsStringBuf.append(validfrom);
  allPrivsStringBuf.append("!!VALIDTO=");
  allPrivsStringBuf.append(validto);
  allPrivsStringBuf.append("}");
  allPrivsStringBuf.append(privName);
  firstElement = false;
  var allPrivs = String(allPrivsStringBuf); // must be casted explicitly to String
  uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: Calculated privileges for " + Par + " are: " + allPrivs);
  return allPrivs;
  * Prints out all assignments the user has (also all assignments in pending remove state etc.)
  function sap_debug_logUserAssignments(mskey) {
  var columns = "mcUniqueId, mcThisMSKEY, mcOtherMSKEY, mcAttrName, mcThisOcName, mcOtherOcName, mcThisMSKEYVALUE, mcOtherMSKEYVALUE, mcLinkState, mcAssignedDirect, mcAssignedInheritCount, mcExecState, mcExecStateHierarchy, mcChangeNumber, mcGroupGuid, mcLastAudit, mcAddedTime, mcModifyTime, mcValidateAddAudit, mcAddAudit, mcContextMSKEY, mcContextCategory, mcContextStr1, mcContextStr2, mcOrphan, mcSoDViolation, mcNotAllowedFor, mcUnsupportedContextType, mcMissingConditionalContext, mcDisabled, mcRequestID";
  var debugSql = "SELECT " + columns + " FROM idmv_link_ext WHERE mcThisMskey = " + mskey + " ORDER BY mcUniqueId";
  var debugResult = uSelect(debugSql);
  //format output
  debugResult = uReplaceString(debugResult, "!!", "\n");
  debugResult = uReplaceString(debugResult, "\|", "\t");
  columns = uReplaceString(columns, ", ", "\t");
  uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: Debug SQL Query:\n" + debugSql);
  uInfo("sap_abap_getNameOfAssignedPendingPrivileges:: Debug Result:\n" + columns + "\n" + debugResult);
  Thanks & Regards,
  V!