A question regarding authorisation policies in OIM 11g

Hi,
I went through the list of OOTB authorization policies in OIM 11g to find out which permissions are given to the 'ALL USERS' role, which is assigned to every OIM user by default.
The two policies below are a bit confusing to me. It would be great if you could shed some light and clarify the missing link.
::::::::Role Management Role Owner Policy::::::
This has the permission to delete role, modify role and search role:
This is applicable to all roles in the system.
This is assigned to 'ALL USERS' role.
So as per my understanding, any user who is a member of the ALL USERS role can delete, modify and search roles.
But I can see only the search role functionality for the default user (i.e., any user who is a member of the 'ALL USERS' role).
A simple user was not able to delete any kind of role.
Is my understanding incorrect... Where is the missing link???
:::::::User Management All Users Policy:::::::
Permission is view user detail.
Applicable to All users and assigned to 'ALL USERS' role.
So any user should be able to view any other user detail.
But it's not happening. A user was not able to view another user's detail.
Is my understanding incorrect... Where is the missing link???
Looking forward to hearing from you,
Many thanks in advance
Warm regards,
818343

Can you check if the role is assigned to the user?

Similar Messages

  • Error while creating authorisation policy using OIM 11g API

    Hi,
    We have a requirement to create ‘Authorization Policies’ (assign Data Constraints, Permissions & Assignments) using OIM 11g APIs. I am using ‘oracle.iam.authzpolicydefn.api.PolicyDefinitionService & oracle.iam.authzpolicydefn.vo.AuthzPolicy’. But when I try to attach an Entity/Feature (User Management) to the authorisation policy, it throws an exception. Below is the code snippet which I am trying to implement.
    Line1: PolicyDefinitionService policyService = oimClient.getService(PolicyDefinitionService.class);
    Line2: AuthzPolicy authPolicy = new AuthzPolicy();
    Line3: authPolicy.setName("Test Authz Policy");
    Line4: authPolicy.setDisplayName("Test Authz Policy Dsp Name");
    Line5: authPolicy.setDescription("Test Authz Policy Description");
    Line6: Feature feature = oimClient.getService(Feature.class);
    Line7: Action featureAction = feature.getAction(FeatureManagerConstants.Features.USER_MGMT.getId());
    Line8: List<Action> actions = new ArrayList<Action>();
    Line9: actions.add(featureAction);
    Line10: authPolicy.setActions(actions);
    Line11: policyService.createPolicy(authPolicy);
    Exception: oracle.iam.platform.utils.NoSuchServiceException: java.lang.ClassNotFoundException: oracle.iam.authzpolicydefn.api.FeatureDelegate
    The above exception is thrown at Line6.
    Let me know if anyone has implemented this.
    - Kalyan Mutya

    If you are using JDeveloper, are you able to get the class after typing "."? If no, then it is a problem with the jar file you are using. Check whether you are able to import oracle.iam.authzpolicydefn.api.Feature.
    Thanks,
    Animesh anand

  • Question regarding Request Notification Template - OIM 9.1.0.2

    Hi All,
    I have a question regarding the notification generated when a request is raised. Currently, the body of the notification refers to the requestor who raised the request (the body of the email has attributes like <%Requester Info.First Name%>, <%Requester Info.Last Name%>). It's fine if the requestor is raising the request for him/herself. However, if the requestor is raising the request on behalf of another user, then this notification causes confusion, since it refers only to the requestor in its body and not the beneficiary.
    Is there a way to include the end beneficiary's details in the body of the notification?
    Please help in this regard
    Regards
    Vinay

    Hi Gurus,
    Any idea on this?
    Regards
    Vinay

  • Regarding Authorization policy and Roles in OIM 11g

    Hi,
    In the OIM 11g Admin interface, is there a way to find out which authorization policies a role has been assigned to?
    I am asking this because, if you search for a user, you will know what all roles he is a member of, and similarly if you search for a role, you will know who all users are members of that role.
    Similarly, if you search for an authorization policy, you will know what roles are assigned to this policy. But if I search for a role, I am not able to find what all authorization policies have been assigned to this role.
    Looking forward to hearing from you,
    Many thanks in advance

    I understand your concern. But this feature has not been available.
    --nayan

  • Oim 11g Custom Challenge questions

    Hi,
    Does OIM 11g allow users to set up custom challenge questions?
    Sun IdM does have this feature.
    Any idea on Oracle IdM?
    Thank you.

    How to add custom challenge questions in OIM 11g
    Find below link for 11gR2
    http://srini-bellamkonda.blogspot.in/2012/11/adding-custom-challenge-questions-in.html

  • Questions against OIM 11g

    Hi All!
    Is it possible to add a user photo to the user profile in the new OIM 11g? My second question is: is there a possibility to add an attachment to an approval form (like a Word doc), or digitally sign an approval form?
    Any help will be nice
    Best
    mp

    MariuszP wrote:
    Hi All!
    Is it possible to add user photo to user profile in new OIM 11g? My second question is: there is possibility to add attachment to approval form (like word doc), or digitally sign approval form?

    Without customization:
    No photo http://download.oracle.com/docs/cd/E14571_01/doc.1111/e14316/usr_mangmnt.htm#BGBGFJAH
    No digitally signed approval form
    No attachments

  • How to create Approval Policies using API - OIM 11g R2

    Hi,
    Could you please let me know how to create the Approval Policies using java API code in OIM 11g R2.
    Thanks

    Hi Karthik,
    Thanks for sharing the link. Could you please let me know how to specify the rule condition while creating the Approval Policy using the API given in this link.

  • OIM 11g Approval Workflow Notification questions

    Hello.
    I am working with an OIM 11g approval workflow. The workflow will flow from one group to another, and if one user in each group approves it, it is approved. Because I assigned it to groups, the notifications are going to every user in each group.
    Is it possible to send a notification to only a single user within a group, instead of everyone? Does auto claim do this?
    Is it possible to send a different notification if the ApprovalTask is rejected versus approved?
    Thanks.

    If I understand correctly, you want to send the notification only to the user who has approved the request and not to all in the group. You can do it by NOT using the notification tab in the .task but by using EmailNotificationService after the .task in BPEL. There you can read the data from payload on who approved the request and can send the notification only to that user. Same way for rejects. You can configure that.
    1. After your .task completion you can have a decision box which can check the value for 'outcome' and then direct it to appropriate path for appropriate notification.
    or
    2. Based on outcome you can set the template in a variable and then in the notificationservice use that variable.
    -Bikash

  • OIM 11g - Install Question

    Hi All,
    Is it possible to install just the files for an OIM 11g installation, but connect it to an existing database?
    For example, if I have a current environment, and I managed to break my WLS to the point where I can't start it, is there any way I can reinstall Weblogic with OIM/SOA but not lose all my OIM configurations?
    Thanks

    The way to do it is to follow the same procedure which you used while installing a new environment but leave the RCU part where you create the schema(s). Once WLS, IAM, SOA are installed you would have to configure IAM. At that step where you configure IAM via the config wizard and provide the db details, there it would prompt you a warning saying that the database is already encrypted from previous installation and that if you want to continue. If you want to continue then you need to copy the .xldatabase key from the previous installation (fwmconfig folder from Oracle_IDM home if I remember it correctly) into the new installation directory. Once copied, you would be able to start OIM successfully.
    The problem with SOA, as I understand it, is that it does not keep the private key in some key file but rather keeps it in the credential map (in the mbeans). If you look at the credential map of SOA via EM on your current installation, you would see a bunch of passwords saved there. The problem thus is to get the unencrypted value from that and, once the new installation is complete (pointing to the existing db), update its credential map.
    I think there should be some jps config for it, but haven't got the time to dig around it. Let us know if you get to find anything.
    HTH,
    BB

  • Self Registration in OIM 11g

    Hi,
    Can someone guide me on how to add user defined fields to the self registration page? My requirement is:
    1. In the self registration form (at the login page), I have to add some UDFs and delete some existing fields.
    2. User should be created immediately - no approval process for user creation.
    3. User email address should be the userid/username. All the oim-username properties should apply to user email address. (No duplicate user email address.)
    Please help.
    Thanks.

    Regarding Question 1, Chapter 8 (managing profile) of the OIM 11g user guide should help you here. In summary, you will need to use self service related authorization policies to add UDFs to the self profile page.
    http://download.oracle.com/docs/cd/E14571_01/doc.1111/e14316/my_profile.htm#CACICCFD
    Regarding Question 3, Please check out 11.5.2 Configuring the Username Policy of OIM 11g user guide.
    http://download.oracle.com/docs/cd/E14571_01/doc.1111/e14316/usr_mangmnt.htm#CHDJGJJA
    You will need to configure EmailIdPolicy as the username generation policy. OIM11g has OOTB validations to enforce email uniqueness.

  • OIM 11g R2 - DefaultRequestApproval

    Hi,
    I have recently started working on OIM 11g R2, and I have a question on approval policies and workflows.
    In OIM I have created a role "RoleA" and I am assigning members (users) to this role. I can see that the DefaultRequestApproval workflow is getting triggered and the task is assigned to Admin users.
    My question is: how is DefaultRequestApproval getting triggered when I try to assign members to a role? The point to note here is that I don't have any approval policy defined or configured for this request. I searched Approval Policies in the admin console and it returned zero records.
    Appreciate your help in this regard.
    Thanks,
    Satyendra

    The first item you should look at is the Security Architecture of OIM link (http://docs.oracle.com/cd/E40329_01/dev.1112/e27150/securityarch.htm#CEGCJJHI). This document will tell you whether a specific action is going to be performed as a direct provision (w/o approval) or through a request, based on the Admin Roles assigned to an individual.
    Next, you need to understand that there are two parts to every request (http://docs.oracle.com/cd/E40329_01/admin.1112/e27149/appr_policies.htm#OMADM2264):
    1.  Request Level - This is more of a generic approval and is generated for every request and is not based on the content.  Typically, clients have an approval policy created to auto approve all the Request Level approvals.
    2.  Operation Level - This is specific to each of the items in a request.  An Operational approval will be generated for each item in the request.  You can create approval policies with rules based on type of request to identify if these will require an approval or get auto approved.
    For your process, you can create an approval policy that is at the Request Level for Assign Role type of request.  Set this to auto approval.  If you don't set an approval policy on the Operation level, it will then do the same type of assignment but use the default Operation approval process.
    By default, if you do not have a rule, it will trigger the defaults where needed.
    -Kevin

  • OIM 11g R1 - Container for Roles

    Hi,
    Is it possible to create a container for roles?
    For example:
    Container1: RoleA, RoleB, RoleC
    Container2: RoleV, RoleY, RoleZ
    The reason is, I want to create authorization policies which allow the user to assign special roles. The problem is that a lot of roles will be added during operation. This means that if a new role is created, I have to edit the authorization policy.
    The best way would be to assign a role container to the authorization policy. If I create a new role, I add the role to the special container.
    Is this possible in OIM 11g R1?
    Edited by: 960944 on Apr 3, 2013 5:18 AM

    Yes, you can do that using authorization policy.
    Try this:
    Create a Role called 'X'
    Create an Authorization Policy of Role Management Entity Type called 'X Role Authz Policy' and under the Permission tab:
    Grant Modify Role Membership, Search for Role, View Role Detail and View Role Membership
    Under Data Constraints: Add all the roles that a user can self assign except the SYS ADMIN role.
    Under Assignment: Add Role 'X'
    Save and apply to test it.
    You can have a look at the default Role Management All Users Policy for reference.
    Regards,
    Sunny

  • OIM 11g R2 PS1 - Bugs fixed info required

    Hi,
    I have OIM 11g R2 with BP 06 installed on my system and want to upgrade to the latest version so that the majority of bug fixes are incorporated, as both BP07 and PS1 are in the market.
    While checking for BP7 fixes we noticed that there are certain fixes that we really require in our application like:
    Bug:16315001 : GTC mapping image on migration to other environment is not displayed.
    Bug:16506870 : De-provisioning of user accounts via the Set User De-provisioned Date scheduled job fails.
    Bug:16347855 : Users are able to submit a request for modify account although nothing is modified on the form fields.
    But while checking the release notes of PS1 (11.1.2.1) I did not notice any such fixes; rather there were some certification exception fixes, a new menu called "Certification" in the Sysadmin Console and a new menu called "Inbox" in the Identity/Self Service Console.
    So my question is: to apply the above fixes, do we need to install the BP7 patch separately, considering PS1 is not a cumulative one, and then install PS1?
    Thanks,
    Puneet

    Hi,
    Check out: http://www.iamidm.com/2013/05/oim-11g-r2-ps1-certification-tab-in.html
    Regards,
    Chinni

  • Customizing request datasets in OIM 11g

    Hi Friends,
    I have a couple of questions/issues while customizing request datasets in OIM 11g. Can you please help me?
    1) I gave read-only="true" in my request dataset for one of the attributes, but I was still able to edit that attribute value while raising requests.
    2) I gave hidden="true" in my request dataset for one of the attributes, but I was still able to see that attribute while raising requests.
    3) I have around 90 attributes in my request dataset. Is there any way to display a category type and, under that category, display the attributes, i.e. just like attributes in the user profile?
    4) As I have 90 attributes, I am expecting the format to be like: first 45 shown in the left panel (column) and the remaining 45 in the right panel (column). Instead of this, it is showing the first 70 in the left panel and the remaining 20 in the right panel, which is very ugly to see. Is there any way to show the first 45 on the left side and the remaining 45 on the right side? Please help me.

    Regarding the first two points:
    1) The read only property applies to the approver only, i.e. approver can read and not modify the attribute. It does not apply to the requester. I don't believe you can configure a read-only attribute in the data set.
    2) If you want to hide an attribute, you can restrict it in your request template.

  • How to assign approval policy for a request template in OIM 11g

    When I request a resource in OIM 11g, it always goes for default approval by xelsysadm.
    I want this request level approval to go to "Beneficiary Manager approval". While requesting, I am selecting the request template (which I created) for Provision resource as the request type. I have already set "Beneficiary Manager approval" as the request level approval for this request template.
    I have created one approval policy. How can I assign this approval policy to the request template so that when I submit this request, it goes to my manager for approval?
    Regards,
    J

    Hi Rajiv,
    I do not need approval at the Operational level. I want to stop the approval process after the request level approval.
    Here you are saying to create a new approval policy and set AUTO Approval as true. There are some default approval policies which come with OIM 11g, and one of the approval policies is triggering the Operational level approval. So I think I do not need to create a new approval policy and I can use an existing approval policy and modify it as you suggested, selecting AUTO APPROVAL and creating the approval rule as request template=="XYZ".
    I am not sure which default approval policy is triggering the Operational approval now. Can you please tell me that?
    Can you please confirm that the only way to restrict Operational approval is by selecting "AUTO APPROVAL" true and putting the approval rule as request template=="XYZ"?
    Thanks Rajiv for your help all the time.
