OIM 11g - Authorization Policy

Hi,
I am facing an issue with OIM 11g Authorization policy configuration. I am using OIM version 11.1.1.5.
I have created an OU --> Sample Helpdesk OU. Under this OU, I have created a user --> Sample Helpdesk user.
I have created a role --> Sample Helpdesk Role and assigned this role to the user --> Sample Helpdesk user.
I have created an Auth Policy --> "HelpDesk Create User - HelpDesk OU" which has to allow the user --> Sample Helpdesk user, to create new users under the organization "Sample Helpdesk OU".
During creation of a User in OIM, I am not able to search the Organization in the lookup field. I am getting zero records for the search. I used all types of filters to search for the OU in the OIM User Form.
Thanks,
Sandy.
Edited by: Sandy on Dec 6, 2011 9:24 PM

Hi,
Make the Helpdesk Role created above an administrative role of the OU.
Regards,
Raghav.

Similar Messages

  • OIM 11g authorization policy issue

    Hi ALL,
    We have created one authorization policy,
    which will give the following permissions to the users:
    1. search users
    2. view user details
    3. modify a single attribute in the user profile
    It has been assigned to a role.
    Now we assigned this role to a user and he is able to search the users and view the details, but he is able to edit all the attributes besides the specified one. Please let me know where I am going wrong.

    In Modify User, check which attributes are selected... if all are selected, then select only the one which you require.
    J

  • OIm 11g: Access policy issue

    Hi All
    We are using OIM 11.1.1.5.0, WebLogic 10.3.5 and Oracle DB EE 11.2.0.2.
    We have defined the role "CommonUsers" and assigned access policies with the "AD and Exchange" resources. Exchange is a dependent resource on AD. Then we executed a PSFT feed file to load users into OIM and assign the role to users based on conditions evaluated by custom adapters. Here the "CommonUsers" role is getting assigned to users, but both resources are not assigned to the users. For some of the users "AD" is assigned but not Exchange, and for some of the users neither resource is assigned. For a few of the users both resources are assigned.
    Can you please suggest why OIM is not assigning the two resources to users with the role assignment? And why is it behaving that way?
    Thanks.

    I have reconciled 4 users; the role was assigned to them (4 users), but for 2 users OIM did not initiate Resource Provisioning. When I manually assign the role to any user, sometimes it is not initiating the Resource Provisioning task. There is no log information for this situation.
    Thanks.

  • Regarding Authorization policy and Roles in OIM 11g

    Hi,
    In the OIM 11g Admin interface, is there a way to find out all the authorization policies a role has been assigned to?
    I am asking this because, if you search for a user, you will know all the roles he is a member of, and similarly if you search for a role, you will know all the users that are members of that role.
    Similarly, if you search for an Authorization policy, you will know which roles are assigned to this policy. But if I search for a role, I am not able to find all the authorization policies that have been assigned to this role.
    Looking forward to hearing from you,
    Many thanks in advance

    I understand your concern. But this feature is not available.
    --nayan

  • How to create Authorization policy using OIM 11g API

    Hi,
    Could you please let me know how to create an Authorization policy using the OIM 11g API.
    Thanks

    Constructing A Policy Programmatically
    http://docs.oracle.com/cd/E27559_01/dev.1112/e27154/cons_policy_prog.htm#CHDHACBF
    API reference for PolicyStore
    http://docs.oracle.com/cd/E21764_01/apirefs.1111/e22649/oracle/security/jps/service/policystore/PolicyStore.html#createApplicationPolicy_java_lang_String_
    Something like the below code to start with:
    import oracle.security.jps.JpsContext;
    import oracle.security.jps.JpsContextFactory;
    import oracle.security.jps.JpsException;
    import oracle.security.jps.service.policystore.ApplicationPolicy;
    import oracle.security.jps.service.policystore.PolicyStore;

    // Wrapper method so the fragment compiles; name it as you like
    public static void createTradingPolicy() {
        try {
            // Look up the JPS context and the policy store configured in jps-config.xml
            JpsContextFactory ctxFact = JpsContextFactory.getContextFactory();
            JpsContext ctx = ctxFact.getContext();
            PolicyStore ps = ctx.getServiceInstance(PolicyStore.class);
            if (ps == null) {
                // No policy store instance configured in jps-config.xml
                System.out.println("no policy store instance configured");
                return;
            }
            // Create the application policy: (name, display name, description)
            ApplicationPolicy ap = ps.createApplicationPolicy("Trading", "Trading Application", "Trading Application.");
        } catch (JpsException e) {
            e.printStackTrace();
        }
    }

  • OIM 11g - User Management Authorization policy issues

    Hello,
    1) Created an organization -> Human Resource
    2) Created a Role -> HR_Admins
    3) Assigned the HR_Admins role as the administrative role of the Human Resource organization
    4) Created user1 with organization as Human Resource & assigned the HR_Admins role to this user.
    5) Created an authorization policy for user management with the following selections:
    Permission -> Create User.
    Data Constraints -> Selected "Users that are members of selected Organizations" & selected the above Human Resource organization.
    Assignment -> HR_Admins role.
    Now when I log in as user1 I am not able to see the Administration tab where I can select Create User.
    I have been working on this issue for a couple of days, but am not able to find the solution. Have I missed some configuration?
    Thank-You
    Rahul Shah

    Hi Rahul,
    I have tested your scenario with the below settings:
    1) Created an organization -> Human Resource
    2) Created a Role -> HR_Admins
    3) Assigned the HR_Admins role as the administrative role of the Human Resource organization
    4) Created user1 with organization as Human Resource & assigned the HR_Admins role to this user: default role All Users
    5) Created an authorization policy for user management with the following selections:
    Permission -> Create User: "Select ALL"
    Data Constraints -> Selected "Users that are members of selected Organizations" & selected the above Human Resource organization.
    Assignment -> HR_Admins role.
    In data constraints:
    Organization Security Setting: Hierarchy Aware (include all Child Organizations)
    Now I am able to see the Create User tab and I can create users in the Human Resource org only.
    If it doesn't work for you, just assign "REQUEST ADMINISTRATOR" in the auth policy and test the result.
    Also, what is your OIM version?
    Test it with fresh data like a new role name, org and user.
    -kuldeep
    Edited by: Kuldeep on May 22, 2012 4:19 AM
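As an added illustration (not OIM's own code, and using no OIM API), the Java model below shows how the three facets of a user-management authorization policy discussed in this thread and in the original question at the top of the page interact when the Create User organization lookup is populated: the Permission, the Data Constraint on organizations with its "Hierarchy Aware" setting, and the Assignment to a role. The organization tree, the hypothetical child organization "HR Payroll" and the role memberships are constructed sample data. The separate OIM requirement that the role also be an administrative role of the organization (Raghav's answer above) is not modelled here.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Illustrative model of how an OIM 11g user-management authorization policy
 * gates the Create User organization lookup. This is not OIM code and calls
 * no OIM API; all data below is constructed for the example.
 */
public class AuthzPolicyModel {

    /** Organization tree as child -> parent (null for the top-level org). Constructed sample data. */
    static final Map<String, String> PARENT_OF = new HashMap<>();
    static {
        PARENT_OF.put("Xellerate Users", null);
        PARENT_OF.put("Human Resource", "Xellerate Users");
        PARENT_OF.put("HR Payroll", "Human Resource");          // hypothetical child org of Human Resource
        PARENT_OF.put("Sample Helpdesk OU", "Xellerate Users");
    }

    /** The three facets of a policy: Permission, Data Constraint (organizations), Assignment (roles). */
    static final class Policy {
        final Set<String> permissions;
        final Set<String> constraintOrgs;
        final boolean hierarchyAware;   // "Hierarchy Aware (include all Child Organizations)"
        final Set<String> assignedRoles;

        Policy(Set<String> permissions, Set<String> constraintOrgs,
               boolean hierarchyAware, Set<String> assignedRoles) {
            this.permissions = permissions;
            this.constraintOrgs = constraintOrgs;
            this.hierarchyAware = hierarchyAware;
            this.assignedRoles = assignedRoles;
        }
    }

    /** True if org is one of the constraint orgs, or descends from one when the policy is hierarchy aware. */
    static boolean orgInScope(Policy p, String org) {
        for (String current = org; current != null; current = PARENT_OF.get(current)) {
            if (p.constraintOrgs.contains(current)) {
                return true;
            }
            if (!p.hierarchyAware) {
                break;   // non-hierarchical constraint: only an exact match counts
            }
        }
        return false;
    }

    /** All three facets must match for the action to be permitted on the target organization. */
    static boolean permits(Policy p, Set<String> userRoles, String action, String targetOrg) {
        boolean assigned = !Collections.disjoint(userRoles, p.assignedRoles);
        return assigned && p.permissions.contains(action) && orgInScope(p, targetOrg);
    }

    /** Organizations the user would see in the Create User lookup under this policy. */
    static List<String> visibleOrgs(Policy p, Set<String> userRoles) {
        List<String> out = new ArrayList<>();
        for (String org : PARENT_OF.keySet()) {
            if (permits(p, userRoles, "Create User", org)) {
                out.add(org);
            }
        }
        Collections.sort(out);
        return out;
    }

    public static void main(String[] args) {
        Set<String> hrAdmin = Set.of("ALL USERS", "HR_Admins");
        Set<String> plainUser = Set.of("ALL USERS");

        Policy hierarchyAware = new Policy(Set.of("Create User"), Set.of("Human Resource"), true, Set.of("HR_Admins"));
        Policy exactOrgOnly   = new Policy(Set.of("Create User"), Set.of("Human Resource"), false, Set.of("HR_Admins"));

        System.out.println("hierarchy aware, HR_Admins: " + visibleOrgs(hierarchyAware, hrAdmin));
        System.out.println("exact org only, HR_Admins:  " + visibleOrgs(exactOrgOnly, hrAdmin));
        // A user without the assigned role gets an empty lookup: the "zero records" symptom
        System.out.println("hierarchy aware, ALL USERS: " + visibleOrgs(hierarchyAware, plainUser));
    }
}
```

Compile and run it with javac and java (Java 9 or later, for Set.of). The hierarchy-aware policy lists Human Resource together with its child organization, the non-hierarchical policy lists Human Resource alone, and a user who does not hold the assigned role sees no organizations at all, which is the behaviour behind the empty organization lookup reported in the original question.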

  • Error while creating authorisation policy using OIM 11g API

    Hi,
    We have a requirement to create 'Authorization Policies' (assign Data Constraints, Permissions & Assignments) using OIM 11g APIs. I am using 'oracle.iam.authzpolicydefn.api.PolicyDefinitionService' & 'oracle.iam.authzpolicydefn.vo.AuthzPolicy'. But when I am trying to attach the Entity/Feature (User Management) to the authorisation policy, it is throwing an exception. Below is the code snippet which I am trying to implement.
    Line1: PolicyDefinitionService policyService = oimClient.getService(PolicyDefinitionService.class);
    Line2: AuthzPolicy authPolicy = new AuthzPolicy();
    Line3: authPolicy.setName("Test Authz Policy");
    Line4: authPolicy.setDisplayName("Test Authz Policy Dsp Name");
    Line5: authPolicy.setDescription("Test Authz Policy Description");
    Line6: Feature feature = oimClient.getService(Feature.class);
    Line7: Action featureAction = feature.getAction(FeatureManagerConstants.Features.USER_MGMT.getId());
    Line8: List<Action> actions = new ArrayList<Action>();
    Line9: actions.add(featureAction);
    Line10: authPolicy.setActions(actions);
    Line11: policyService.createPolicy(authPolicy);
    Exception: oracle.iam.platform.utils.NoSuchServiceException: java.lang.ClassNotFoundException: oracle.iam.authzpolicydefn.api.FeatureDelegate
    The above exception is thrown at Line6.
    Let me know if anyone has implemented this.
    - Kalyan Mutya

    If you are using JDeveloper, are you able to get the class after typing "."? If not, then it is a problem with the jar file you are using. Check whether you are able to import oracle.iam.authzpolicydefn.api.Feature.
    Thanks ,
    Animesh anand

  • Problem with Access policy based Provisioning using DB Connector in OIM 11g R2

    Hi,
    I am doing Access policy based Provisioning using DB Connector 9.1.0.5.0 in OIM 11g R2.
    It is throwing "ITResource Instance with key 0 does not exist", but there is no option to select the IT resource in the Process form via the Access policy.
    In the Application instance form there is a form in which the IT resource field is available with default value 0. I am trying to update this value but it is not updating. At the time of triggering the access policy I am getting the following error:
    [XELLERATE.SERVER] [tid: [ACTIVE].ExecuteThread: '8' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oiminternal] [ecid: 0000JdMSEGQApIGqywYfMG1GU6ud000002,0] [APP: oim#11.1.2.0.0] Class/Method: APIUtils/createApplicationInstance encounter some problems: ITResource Instance with key 0 does not exist.[[
    oracle.iam.provisioning.exception.ITResourceNotFoundException: ITResource Instance with key 0 does not exist.
         at oracle.iam.provisioning.util.ApplicationInstanceUtil.validateITResource(ApplicationInstanceUtil.java:119)
         at oracle.iam.provisioning.impl.ApplicationInstanceServiceImpl.addApplicationInstance(ApplicationInstanceServiceImpl.java:70)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
         at oracle.iam.platform.utils.DMSMethodInterceptor.invoke(DMSMethodInterceptor.java:25)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
         at $Proxy455.addApplicationInstance(Unknown Source)
         at oracle.iam.provisioning.api.ApplicationInstanceServiceEJB.addApplicationInstancex(Unknown Source)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
         at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
         at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at com.oracle.pitchfork.spi.MethodInvocationVisitorImpl.visit(MethodInvocationVisitorImpl.java:34)
         at weblogic.ejb.container.injection.EnvironmentInterceptorCallbackImpl.callback(EnvironmentInterceptorCallbackImpl.java:54)
         at com.oracle.pitchfork.spi.EnvironmentInterceptor.invoke(EnvironmentInterceptor.java:42)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
         at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
         at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    It is an urgent requirement.
    Thanks,
    Edited by: 853559 on Oct 12, 2012 2:25 PM

    You can revisit the access policy. It will have the Process form where you can provide the access policy and save it. The access policy is already created, so you can modify the access policy, open the process form, select the IT Resource and save it.
    Another way is to write a pre-populate adapter for populating the IT Resource on the process form. But I am sure you can provide the IT resource via the access policy.
    ---nayan

  • How to assign approval policy for a request template in OIM 11g

    When I request a resource in OIM 11g, it always goes for the default approval of xelsysadm.
    I want this Request level approval to go to "Beneficiary Manager approval". While requesting I am selecting the request template (which I created) for Provision Resource as the Request type. I have already set "Beneficiary Manager approval" as the request level approval for this request template.
    I have created one approval policy. How can I assign this approval policy to the request template so that when I submit this request, it goes to my manager's approval?
    Regards,
    J

    Hi Rajiv,
    I do not need approval at the Operational level. I want to stop the approval process after the request level approval.
    Here you are saying to create a new approval policy and set AUTO Approval as true. There are some default approval policies which come with OIM 11g and one of the approval policies is triggering the Operational level approval. So I think I do not need to create a new approval policy; I can use an existing approval policy and modify it as you suggested, selecting AUTO APPROVAL and creating the approval rule as request template == "XYZ".
    I am not sure which default approval policy is triggering the Operational approval now. Can you please tell me that?
    Can you please confirm that the only way to restrict Operational Approval is by selecting "AUTO APPROVAL" true and putting the approval rule as request template == "XYZ"?
    Thanks Rajiv for your help all the time.

  • Custom OWSM Authorization Policy Not Visible in OSB 11g

    I am trying to configure custom OWSM authorization policies to grant web service access in OSB to userids associated with custom WebLogic groups. Both OSB and SOA are version 11.1.1.5 with an Oracle Enterprise 11g database backend. To help rule out some possible operational errors, here are things that ARE working with the combination of SOA and OSB services:
    * the underlying SOA service functions in the /em console test page
    * the OSB proxy service works from the /sbconsole test page with OWSM oracle/wss_username_token_policy enabled
    * the oracle/log_policy can be added to the OSB business service and generates log entries
    * the outer proxy service can be successfully invoked from a remote client with no security policies,
    with HTTP transport security and authorization policies and with OWSM authentication policies
    attached (given the correct request payloads)
    These findings would appear to rule out connection errors from the OSB engine to the jdbc/mds/owsm DataSource or proper startup of the "OWSM Policy Support in OSB Initializer Application" service within WebLogic. (By the way, that deploys with a typo in its registered name -- "Aplication" with a single p.)
    Here are the steps that were performed:
    1) created group myfirmIdentityData in WebLogic console (/console)
    2) created userid myappuser in WebLogic console
    3) added myappuser to the myfirmIdentityData group in WebLogic console
    4) cloned the oracle/component_authorization_permitall Security policy to myfirm/authorize_IdentityData
    using the Fusion console (/em on the SOA domain)
    5) edited myfirm/authorize_IdentityData to add the "role" myfirmIdentityGroup to the
    list of permitted roles (***)
    *** note -- "roles" referenced within the OWSM policy configuration dialogs actually correspond to "groups" at the WebLogic Server level. A bit confusing at first but harmless.
    6) accessed the SOA service in the Fusion console (/em), clicked on the Policies tab and verified
    the myfirm/authorize_IdentityData policy is available for application to the SOA service (BUT DID
    NOT ATTACH IT HERE -- I'm trying to attach it at the "outer" layer in OSB, not SOA Suite)
    7) accessed the Service Bus console (/sbconsole), started a change session, selected the
    proxy service, then clicked on the Policies tab, then clicked the Add button in the
    Service Level Policies section
    At that point, the only services listed are the factory supplied oracle/********* policies. There are two pages listed and flipping between the two doesn't show any other policies other than the oracle/***** policies.
    I even tried stopping and starting the domain thinking maybe OSB caches all of the OWSM policies at startup rather than querying the mds_owsm schema dynamically to no avail. No myfirm/****** policies are displayed after a domain restart.
    Any insight?
    Thanks.

    Once again, I wound up opening a Support Request with the TAC for direction on this issue. The policies were not appearing for assignment to OSB proxy / business services because they were being created against the wrong type of object within OWSM.
    In a nutshell, policies in OWSM can be created to be applied against:
    * Components --- only usable against SOA services
    * Service Endpoints --- against URLs used as access points into services
    * Service Clients -- against consumers of services as identified by credentials
    * All -- all of the above
    However, policies built against Components can only be applied to SOA composite services. When I cloned the existing oracle/component_authorization_permitall Security policy to the myfirm/authorize_IdentityData policy and then limited it to the myfirmIdentityGroup group, that policy would only be assignable to SOA composites since it applied only to Components.
    To allow the group based authorization policy to be enforced in the outer OSB tier, the oracle/binding_authorization_permitall_policy was cloned to myfirm/authorize_IdentityGroup. That policy was defined to apply to endpoints and once saved, appeared in the GUI of the Service Bus console to assign to the proxy service for the service being implemented. A second component policy named myfirm/componentauthorize_IdentityGroup was cloned from oracle/component_authorize_permitall_policy to perform the group authorization at the SOA layer.
    A different issue is being encountered configuring the OSB business service to forward the OWSM headers from the outer proxy service to the SOA service so the authorization succeeds at the inner layer but that's a different problem. With the SOA layer authorization policy disabled, client tests to the proxy service function correctly with a userid in the myfirmIdentityGroup group and generate an authorization failure when another client credential is used that does not belong to myfirmIdentityGroup.

  • How to pass the value from DB in Approval Policy Rule OIM 11g R2

    Hi,
    I need to get the value of rule condition in Approval policy from DB.
    Please let me know how to achieve this. I am using OIM 11g R2.
    Thanks

    How to pass the textbox value within the JSP page without using JavaScript or reloading the page.
    No, JSP executes on the remote server and the text box is on a client machine; you need to send information to the server over the network, and HTTP does this with a request, which will reload the page.

  • Authorization Policy for Modify user in OIM 11gR2

    Hi Experts,
    Requirement: I want the users in a particular org not to be able to modify certain user attributes, and users from other orgs should be allowed to modify the user.
    I have created user1 whose organization is org1 and role is role1. I have also created user user2 under the same org and same role. I assigned the Admin Role "User Administrator" to user2.
    So if user2 from the same org1 tries to modify certain attributes then OIM should throw an error message. I have completed up to this point.
    But when the user from a different org, say org2, with the Admin Role "User Administrator" tries to modify the user, OIM is not allowing the modification, which should not be the case.
    I want the Auth Policy to trigger only for Org1. I have specified the below condition for my custom policy in the OES admin console but it is not triggering.
    The condition is:
    IF ( OrclOIMTargetEntity = 'true' AND OrclOIMUserOrganizations = 'true' AND STRING_AT_LEAST_ONE_MEMBER_OF(OrclOIMUserOrganizations,['25','1000000']) = true )
    What am I missing?
    Any help is much appreciated.

    Hi
    Can anyone let me know the steps to restrict the modify user operation for users belonging to a specific organization in OIM 11gR2? The condition which I specified under the Authorization Policy in the APM console is not triggering at all.
    Thanks!

  • OIM Authorization policy for specific resource

    Hi gurus,
    Can we create an authorization policy in OIM 11.1.1.5 that allows resource administrators to add/modify a specific resource only?
    Example: For all users, Admin user-A should be able to add/modify the AD resource only.
    Admin User-B should be able to add/modify the iPlanet resource only.
    Thanks in advance.
    -J

    OIM 11.1.1.5 authorization policies do not extend to resource operations, only operations on OIM users and roles. For restricting operations on resources you can set data object permissions on the resource objects themselves. An alternative approach in OIM 11.1.1.5 is to provision resources via requests, where you can limit requests to work with specific allowed resources and be accessible to specific administrators.

  • Error in creating approval policy in OIM 11g

    hi...
    I am trying to create an approval policy in OIM 11g. But after giving the details for the first step, it gives the following error:
    "Approval policy validation failed with oracle.iam.request.exception.ApprovalPolicyServiceException: An error occured while searching request model <policy name>"
    Please let me know the cause of this error and the way to resolve it.


  • OIM 11g R1 - Container for Roles

    Hi,
    Is it possible to create a container for roles?
    For example:
    Container1: RoleA, RoleB, RoleC
    Container2: RoleV, RoleY, RoleZ
    The reason is, I want to create authorization policies which allow the user to assign special roles. The problem is that a lot of roles will be added during operation. This means that if a new role is created, I have to edit the authorization policy.
    The best way would be if I could assign a Role-Container to the authorization policy. If I create a new role, I add the role to the special container.
    Is this possible in OIM 11g R1?
    Edited by: 960944 on Apr 3, 2013 5:18 AM

    Yes, you can do that using an authorization policy.
    Try this:
    Create a Role called 'X'
    Create an Authorization Policy of Role Management Entity Type called 'X Role Authz Policy' and under the Permission tab:
    Grant Modify Role Membership, Search for Role, View Role Detail and View Role Membership
    Under Data Constraints: add all the roles that a user can self-assign except the SYS ADMIN role.
    Under Assignment: add Role 'X'
    Save and apply to test it.
    You can have a look at the default Role Management All Users Policy for reference.
    Regards,
    Sunny
