Access Policy and Resources -11gR2

Hi all,
I have created an Access policy in 11gR2; it's working fine, and as per the requirement the Resource is getting provisioned / revoked properly.
In *11gR1*, resources provisioned through the Access policy used to be displayed / listed in the User's Resources tab. In *11gR2*, the resources provisioned by the Access Policy are not being displayed / listed under the Accounts tab. Is it the default behavior of 11gR2, or some bug, or do I need to make any configurations to have it displayed here?
Regards

Nothing special has to be done to show it under the Accounts tab. Have you created an *'Application Instance'* for the Resource? You have to create an Application Instance and run the "catalog sync" job. Once the Application Instance is provisioned to the user, it will be available under the Accounts tab.
Follow the 11gR2 doc for creating an application instance:
http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/resmgt.htm#CBBFAIEC

Similar Messages

  • Is it possible to delete an Access Policy on OIM 11gR2?

    Hello,
    Is it possible to delete an Access Policy on OIM 11gR2?
    I have created an Access Policy and associated it with a Role.
    But now, due to changes, this Role should not trigger an Access Policy anymore.
    I haven't found a way to disassociate the Access Policy from the Role, nor a way to delete the unnecessary Access Policy.
    Thanks,
    Adriano.

    Hi,
    As far as I know, deleting an access policy is not possible. One solution would be you can create a dummy role which you will never use and remove your existing role from the access policy and assign this dummy role to the policy and save it. That should stop the auto triggering.
    Thanks,
    $id

  • In Cisco IronPort WSA, what is the difference of an Access Policy, and an Identity?

    Hi Everyone,
    I am currently setting up a custom access for a particular subnet.
    What I did is to create a new identity for them, then allowed only specific URL categories for them. Note that the subnet is already allowed to access the internet through Global access policy.
    What will be the difference if I rather created a new Access Policy for the subnet?
    And technically, what's the difference of an Access Policy and an Identity?

    This was not my question. I asked if using the Marginal in Printing will you have a frame around the image?
    I think you're confused about which thread you are posting to.  "Wully bully" started this thread by asking about identify plates and watermarks, and I replied to Wully bully's post.
    Nevertheless, your question too about printing is best asked in the main LR forum, not here.

  • ISE Admin Menu Access Policy and Network Resources

    Hello Board,
    Does someone experience the same issue as me, if using an Admin Menu Access Policy?
    First of all, I'm using the latest ISE release (1.1.3.124 with patch 1).
    I created a custom Administrator Menu Access Policy (Admin Access -> Authorization -> Permissions -> Menu Access).
    But basically I allowed (show) all menu items.
    Then I bind this permission profile to an Admin Authorization Policy
    Everything works very well, but I have issues, if I want to administer "Network Resources", if I'm using this admin menu access
    - In "Network Devices", there is no Menu bar (no "add", "delete" or "edit" button)
    - In "Network Device Groups", there is just the folder "Groups" on the left side, but there is no way to create anything or navigate into the groups
    I'm not quite sure if this is a configuration fault on my side or just some kind of bug.
    By the way - I'm using the latest firefox.

    As far as I know everything seems fine to me from the configuration side. You can try downgrading the ISE version to 1.1.2 patch 5 and also try changing the browser, which might help.

  • Access Policy and Process Task

    Hi,
    I created "access policies" to provision resources when a user is associated with a role with the name of this resource.
    When I manually assign the role, the access policy works properly and the resource is provisioned.
    When the role is assigned through a process task, the access policy does not work properly and the resource is not created.
    Why does this happen?
    How can I make the process task trigger the access policy when assigning the role?
    TKS
    Edited by: raraujo on Oct 15, 2012 3:36 AM

    Better assign Role using group membership rule. Also, can you check if role is assigned using process task, is it getting assigned to user properly?
    Which OIM are you using? If it's 11.1.1.5 then apply the BP03 patch or BP04 patch.
    regards,
    GP

  • Access Policy provisioning resources multiple times...

    Hi All
    I have AD User and Exchange provisioning using an Access Policy upon trusted reconciliation. Suddenly, after creating a user through trusted recon, it started provisioning the AD user multiple times. This behavior is inconsistent.
    I have checked all the roles, rules and access policies.
    However, if I create the user manually, it works fine and as expected, i.e. it provisions only one resource.
    Please let me know if someone has observed this weird behavior.
    Regards
    user12841694

    I'm having the same problem:
    The first policy must create a resource.
    And the following policies should create children on the resource.
    The problem here is that when the policies add the children, the resource is not provisioned yet.
    And then each one will create a resource.
    When the resource is already provisioned, the policies update this resource.
    How can I fix this?
    tks

  • Fair Access Policy and Ipod...I Need Help!!

    I am having such trouble getting videos to download to my iPod. I use Direcway for my internet service and they have some policy that only allows a certain amount of download time (169mg in 4hrs?) called Fair Access Policy... it's a bunch of crap if you ask me: http://www.copperhead.cc/fap.htm
    So anyhow, I have been trying to download the first part of Lost for 5 days now and it gets almost to the end and I get an error code -39 and it stops everything. I don't know what else to do. I called Direcway and they said to download a download messenger?? Does something like this work with iPod?
    Also, I have purchased songs that are in line for download and I can't get them to download because I can't get them past the Lost download...
    I really don't know what to do.
    Does anyone know how to stop the start of Lost so I can get the songs that are in line??
    Thanks and I hope this wasn't too confusing.
    Kathy

    First you will need to install iTunes if you have not already.
    Second, to reset the iPod back to factory settings you will need to connect the iPod to the computer, then open iTunes. In iTunes select the iPod and go to the Summary tab, which should be the first one to open. Below the Check for Update button click on Restore. This will reset the iPod back to factory settings so you can start fresh.

  • OIM 11g R2 - AD provisioning based on Role and Access Policy

    Hi, for Active Directory integration I used a prepopulation plugin for populating the resource form (based on http://fusionsecurity.blogspot.sk/2013/01/populating-request-attributes-in-oim.html).
    It works fine - the requested account was fully provisioned.
    Can I use these plugins for Role based provisioning?
    I tried to create an access policy and an associated role, but when I attached the role to the user and ran the Evaluate User Policies Job, the account couldn't be provisioned.
    In diagnostic.log i found.....
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Immediate consequences are returned with event - InitiatePolicyEvaluationAndProvisioning
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Next Waiting child process is ..........6380 sync = false
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] First Waiting child process is ..........6380
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Kernel executing default validation with process id, event id, entity and operation 6,380.0.Resource.ACCESS_POLICY_BASED_PROVISION
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Kernel completed the child orchestration - 6380.6379
    [oracle.iam.platform.kernel.dao] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Inserting records for orchestration cleanup
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Completed orchestration with action result - 113

    Hi, all
    I tried to fill in the Access policy Process Form. The account request was created and provisioned when the fields AD Server and Organization Name were filled in, but the pre-population plugin didn't fire.
    The question is... How can I use a pre-population plugin for populating the request dataset used with a request generated by an access policy?
    Is it possible to use plugins for requests generated based on an access policy?
    a.

  • OIM iPlanet Resource revoked using access policy

    Hi,
    I had created a group and access policy based upon which I tried to provision an iPlanet resource to a user.
    For this I had created a UDF (say type with value C) and created a rule based on which the user is assigned to a group, say business, and the iPlanet resource is also provisioned to the user.
    When I edit the profile and clear the UDF, the user is removed from the group and the iPlanet resource is also revoked. (In the Access Policy: revoke if no longer applies.)
    I am able to do this task successfully. But if the iPlanet resource is already allocated to the user and I update the UDF (value C), the user is assigned to the group and iPlanet is already assigned to the user (multiple resource UNTICK). And now if I again update the UDF (meaning clear it), the user is removed from the group but the iPlanet resource is not revoked from the user...
    Can somebody tell me why this is happening? Whether it's a bug in OIM or I am missing something...
    Thanks
    Anil

    If I understand your requirement correctly, when you change the value in the process form edit from C to another, the iPlanet resource is getting revoked.
    But when you change the same value from the user profile edit, the iPlanet resource is not getting revoked, right?
    As per my knowledge I can say, when you update the value for the UDF in the user profile, you can use triggers USR.TRIGGERS which will update the process form. In this case your process form will get updated by default.
    This in turn triggers access policy and revokes the resource.
    Hope this helps you

  • Linking resource accounts to access policy from a database

    As part of the seeding process, we assign roles to the users and then run the recon to assign resources to the user. We have an access policy which is supposed to assign the AD resource when a User has an Employee role. After we seed all the existing users, we enable the policy to assign AD for the new users, but since we recon the users instead of using the access policy, it doesn't link the access policy to the resource account.
    How can I link those two in the database so that next time, when someone is removed from the Employee role, it will also remove the AD account? I tried setting the pol_key attribute in UD_ADUSER with the id of the policy found in table pol but that didn't help.
    Thanks

  • Provision to target system via access policy

    I am attempting to provision to Active Directory via an access policy and membership rule in OIM11gR2.  I have a couple different issues associated with this process. 
    First, I have a membership rule that works fine. All members of a certain organization are automatically assigned a certain role. My access policy is set to provision an AD account to any member that is assigned the same role from the membership rule. This access policy does not seem to get triggered. The access policy is set to run with no approval, retrofit access policy is enabled, and it is set as priority 1 with "revoke if no longer applies" checked. It is also assigned the Active Directory Users process form. I cannot determine why this access policy is not being triggered to provision the role members to AD. I have manually run the Evaluate Users Policies several times with no effect.
    I believe this may be happening because the default prepopulate adapters are not working or are not configured correctly. The 5 mandatory fields each have a prepopulate adapter assigned to them with the Default rule. Correct me if I am wrong, but I believe the mandatory fields are user id, first name, last name, common name, and user principal name? The Org name and IT Resource are set as static values within the access policy. Can anyone assist me in determining (1) why the access policy is not working and (2) why the prepopulate adapters such as ADIDC Populate Form Field for User ID and ADIDC Prepopulate UserPrincipalName for User Principal Name are not working? Is there additional configuration that must take place with these out-of-the-box adapters so they know which values to populate?

    Just verify whether the following are checked in the AD process Defn:
    Auto Save Form
    This check box is used to designate whether Oracle Identity Manager should suppress display of the custom form associated with this provisioning process or display it and allow a user to supply it with data each time the process is instantiated. If you select this check box, it designates that Oracle Identity Manager should automatically save the data in the custom process form without first displaying the form. If you select this checkbox, you must supply either system-defined data or ensure that an adapter is configured to populate the form with the required data (since the user will not be able to access the form). If you clear this check box, it designates that Oracle Identity Manager should display the custom process form and allow users to enter data into its fields.
    Auto Pre-Populate
    This check box designates whether the fields of a custom form that:
    - Are associated with the process
    - Contain fields that have pre-populated adapters attached to them
    Also, while running "Evaluate User Policy", clear the old time stamp and populate it with the current time. Sometimes I have seen people make this mistake.
    ~J

  • 8.0.6-119 on S160 can no longer see past the second access policy

    We upgraded an S160 to 8.0.6-119 today and now the appliance is not authenticating groups beyond restricted internet and information technology.  For example Access Policy #6 is called Marketing.  It has access to Streaming Media and Social Media (like youtube, facebook, twitter).  They are the marketing department that needs this access to do their job.  The identity policy is authenticated_users but it keeps falling under the last access policy "Global Access Policy" which results in request blocked based on URL category.
    I just don't get it.  Authenticated Users is selected to windows realm which the wsa joined to the domain and has 3 DC's and a CDA virtual appliance tied to it.  I don't see that being the issue because the policy trace correctly brings back all AD groups the user is tied to.  The scheme is Use Kerberos or NTLMSSP.  
    Next under access policies there are 14 of them before the global policy.  They are all authenticated users and pointed to the proper active directory groups.  Marketing is 6 out of 14 (not counting the non-numbered Global Policy at the bottom).
    So what could the issue be?

    I opened a case with TAC but have not heard back. However, it seems things are working now. Perhaps they connected in and corrected an issue but haven't had the chance to tell me what they did. I have remote access enabled for Cisco TAC.
    Now when I do the policy trace, it actually applies the Marketing access policy, and AVC actually sees this is Facebook General (Facebook) in this case. Before, I think it said none for everything and the access policy was global.

  • Server does not support setting more than 5 shared access policy identifiers on a single container

    Hi,
    I upload a video file to a new Asset. I then attempt to create a streaming URL by creating an Access Policy and then a Locator, which I use to generate the URL used for streaming. This works great. Until the 6th time you execute that code against the same Asset. Then you receive this error:
    "Server does not support setting more than 5 shared access policy identifiers on a single container."
    So, that's fine. I don't need to create a new AccessPolicy every time; I can reuse the one I've created previously and build a Locator using that same policy. However, even then, I get the error about 5 shared access policies on a single container.
    Is this a limitation of the media service, or am I missing something?
    Following is the code I used for this:
    if (AssetId != "")
    {
        // Existing asset: look it up and reuse the policy stored under its name.
        inputAsset = (from a in _context.Assets
                      where a.Id == AssetId
                      select a).FirstOrDefault();
        policy = (from a in _context.AccessPolicies
                  where a.Name == inputAsset.Name
                  select a).FirstOrDefault();
        var assetFile = inputAsset.AssetFiles.Create(Path.GetFileName(singleFilePath));
        // A new SAS locator is created on every call, even when the policy is reused.
        var locator = _context.Locators.CreateLocator(LocatorType.Sas, inputAsset, policy);
        assetFile.Upload(singleFilePath);
        locator.Delete();
        MediaElement media = new MediaElement();
        media.AssetId = inputAsset.Id;
        media.Title = Path.GetFileName(singleFilePath);
        var result = Save(media, singleFilePath);
        return inputAsset;
    }
    else
    {
        // New asset: create the asset and a 30-day policy named after it.
        inputAsset = _context.Assets.Create(User.Identity.Name, AssetCreationOptions.None);
        policy = _context.AccessPolicies.Create(
                     inputAsset.Name,
                     TimeSpan.FromDays(30),
                     AccessPermissions.Write | AccessPermissions.List
                     | AccessPermissions.Read | AccessPermissions.Delete);
        var assetFile = inputAsset.AssetFiles.Create(Path.GetFileName(singleFilePath));
        var locator = _context.Locators.CreateLocator(LocatorType.Sas, inputAsset, policy);
        assetFile.Upload(singleFilePath);
        locator.Delete();
        policy.Delete();
        MediaElement media = new MediaElement();
        media.AssetId = inputAsset.Id;
        media.Title = Path.GetFileName(singleFilePath);
        var result = Save(media, singleFilePath);
        return inputAsset;
    }

    Hi,
    I found some information related to Stored Access Policy and Shared Access Signatures; please check if it helps.
    Regards,
    Shirisha Paderu.

  • How to prepopulate child process form in access policy

    Hi,
    I have different groups in the access policy, and corresponding to each group we have different roles. This group and role mapping is stored in a lookup. I have to fetch the value from the lookup to the process form child table according to the group assigned.
    Please suggest how to do this.
    Thanks in Advance.

    I had similar requirement like yours in my previous project. Check the code below and modify the same to suit your requirement.
    // Requires java.util.HashMap, java.util.Map and the OIM Thor.API classes used below.
    public void AddProcessChildData(long pKey, tcDataProvider tcdp, String lookupName, String Role, String childTableCoulmnName) throws Exception {
        try {
            if (Role.trim().length() != 0) {
                tcLookupOperationsIntf lookupIntf = (tcLookupOperationsIntf) tcUtilityFactory.getUtility(tcdp, "Thor.API.Operations.tcLookupOperationsIntf");
                tcFormInstanceOperationsIntf f = (tcFormInstanceOperationsIntf) tcUtilityFactory.getUtility(tcdp, "Thor.API.Operations.tcFormInstanceOperationsIntf");
                // Lookup rows whose encoded value matches the role.
                tcResultSet lookupRes = lookupIntf.getLookupValuesForEncoded(lookupName, Role);
                tcResultSet childFormDef = f.getChildFormDefinition(f.getProcessFormDefinitionKey(pKey), f.getProcessFormVersion(pKey));
                long childKey = childFormDef.getLongValue("Structure Utility.Child Tables.Child Key");
                logger.info("Child Key::" + childKey);
                Map attrChildData = new HashMap();
                logger.info("No of Rows::" + lookupRes.getRowCount());
                for (int i = 0; i < lookupRes.getRowCount(); i++) {
                    lookupRes.goToRow(i);
                    String Decoded = lookupRes.getStringValue("Lookup Definition.Lookup Code Information.Decode").trim();
                    logger.info("Decoded Value::" + Decoded);
                    // Add one child-table row per decoded lookup value.
                    attrChildData.put(childTableCoulmnName, Decoded);
                    f.addProcessFormChildData(childKey, pKey, attrChildData);
                }
            } else {
                logger.info("User does not have any role. Can not add Child Data");
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

  • Android MS RDP - RPC Error: Your connection was denied because of a Resource Access Policy (TS_RAP). Please contact your server administrator. (2147965402).

    I love iTap Mobile. Paid for the app. Sorry to see them discontinue it, but now I know why. Microsoft bought them out! But even though free, I am getting an error: RPC Error: Your connection was denied because of a Resource Access Policy (TS_RAP). Please contact your server administrator. (2147965402). I worked with iTap to fix this so I guess they sold Microsoft their older buggy code... Microsoft, please fix!
    PS: This is the Android version.  Mac and iOS are both okay.
    EDIT:  After an update a few months ago, iOS is no longer working.  Not sure if the problem is related to the Android MSRDP issue.
    UPDATE - Relevant posts (need Android RDP software engineer to fix):
    Event Viewer Log when using Android client:
    The user "DOMAIN\testuser", on client computer "10.x.x.x", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM". (This is most likely for logging into RD Web - icons show up).
    The user "DOMAIN\testuser", on client computer "10.x.x.x", did not meet resource authorization policy requirements and was therefore not authorized to resource"localhost". The following error occurred: "23002". (This is after clicking on any of the icons).
    I think the Android MS RDP client is providing the incorrect resource. It shouldn't be "localhost". It should be the RD Connection Broker's hostname, I believe.
    Here's what it should look like (connected using a Windows PC going through the RD Web portal via Internet Explorer):
    The user "DOMAIN\testuser", on client computer "10.x.x.x", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM".
    The user "DOMAIN\testuser", on client computer "10.x.x.x", met resource authorization policy requirements and was therefore authorized to connect to resource "rdsfarm.domain.com".
    The user "DOMAIN\testuser", on client computer "10.x.x.x", connected to resource "rdsfarm.domain.com".
    Stephan,
    Do you have any way to contact the software engineer who worked on the Android version of the RDP client? Please have them read this thread. They need to fix the hard coded "localhost" resource to be a variable (namely whatever the user put in for the server).
    This is why the MS RDP app is failing in situations where the FQDN for the RD Gateway and Connection Broker uses the same host name.
    Again, this is not a configuration problem on our end as it works as intended with the native Windows RDP client as well as the Mac and iOS version of the mobile RDP client (all based on iTap Mobile's RDP app).
    This is a problem specific to the Android RDP app.
    PS: No matter how hard I try, the WYSIWYG editor is not very WYSIWYG at all, and so everything here looks messed up even though it looked right when I posted it (it is deleting new blank lines I'm inserting to make it spaced out and easier to read). See below to read the post in context.

    Thanks for the bumps, everyone. I haven't checked this thread in a while because I basically gave up on Microsoft's ability to respond. Unlike paid apps, there's no number to call or ticket to open when an app like this malfunctions.
    Just to give you an update, iOS users started having issues connecting a few months ago.  I don't remember what version started this.  I'm not sure if it's the same problem.
    Also, the newest version now gives a slightly different error message:  RpcOverHttpEndpointException: 2, Your connection was denied because of a Resource Access Policy (TS_RAP).  Please contact your server administrator.
    For Android users, I am starting to recommend Xtralogic Remote Desktop Client.  It's a paid app, but it works great.  I don't know of any alternative for iOS.
    MSRDP for Mac OSX (was also an iTap application) continues to work throughout the many updates.
    We need a software engineer from MS to read my first post. All the information that will point to a fix is there. I strongly believe someone hardcoded the string "localhost" instead of using a variable to point to the FQDN of the rdsfarm name.
    Here's that info again (copied/pasted). It doesn't take an engineer to understand the issue. If you know how to decipher Event Logs, you can see where the problem is.
    Event Viewer Log when using Android client:
    The user "DOMAIN\testuser", on client computer "10.x.x.x", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM". (This is most likely for logging into RD Web - icons show up).
    The user "DOMAIN\testuser", on client computer "10.x.x.x", did not meet resource authorization policy requirements and was therefore not authorized to resource"localhost". The following error occurred: "23002". (This is after clicking on any of the icons).
    I think the Android MS RDP client is providing the incorrect resource. It shouldn't be "localhost". It should be the RD Connection Broker's hostname, I believe.
    Here's what it should look like (connected using a Windows PC going through the RD Web portal via Internet Explorer):
    The user "DOMAIN\testuser", on client computer "10.x.x.x", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM".
    The user "DOMAIN\testuser", on client computer "10.x.x.x", met resource authorization policy requirements and was therefore authorized to connect to resource "rdsfarm.domain.com".
    The user "DOMAIN\testuser", on client computer "10.x.x.x", connected to resource "rdsfarm.domain.com".
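
The event-log comparison made in the RD Gateway thread above, as an added example that is not part of the original posts: it parses the quoted message shapes, picks out resource authorization policy (RAP) denials, and says whether the requested resource was a loopback name or simply outside the policy. The function names, the `allowed_resources` parameter and the triage wording are assumptions made for illustration; the sample messages are constructed from the wording quoted in the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Message wording as quoted in the thread. \s* before the quoted resource
# tolerates the missing space in: not authorized to resource"localhost".
_WHO = r'The user "(?P<user>[^"]+)", on client computer "(?P<client>[^"]+)", '
_RES = r'resource\s*"(?P<resource>[^"]*)"'
PATTERNS = [
    ("cap_ok", re.compile(_WHO + r"met connection authorization policy")),
    ("rap_denied", re.compile(
        _WHO + r"did not meet resource authorization policy requirements"
        r".*?not authorized to (?:connect to )?" + _RES +
        r'(?:.*?error occurred: "(?P<error>\d+)")?')),
    ("rap_ok", re.compile(
        _WHO + r"met resource authorization policy requirements"
        r".*?connect to " + _RES)),
    ("connected", re.compile(_WHO + r"connected to " + _RES)),
]
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}


@dataclass
class GatewayEvent:
    kind: str
    user: str
    client: str
    resource: Optional[str] = None
    error: Optional[str] = None


def parse_event(message: str) -> Optional[GatewayEvent]:
    """Classify one RD Gateway event message; None if it is not recognised."""
    text = " ".join(message.split())  # undo line wrapping from copy/paste
    for kind, pattern in PATTERNS:
        m = pattern.match(text)
        if m:
            g = m.groupdict()
            return GatewayEvent(kind, g["user"], g["client"],
                                g.get("resource"), g.get("error"))
    return None


def triage_rap_denials(messages, allowed_resources):
    """Explain each RAP denial; allowed_resources is the RAP's target list
    (an assumed input, supplied by whoever runs the check)."""
    events = [e for e in map(parse_event, messages) if e is not None]
    allowed = {r.lower() for r in allowed_resources}
    findings = []
    for ev in events:
        if ev.kind != "rap_denied":
            continue
        requested = (ev.resource or "").lower()
        if requested in LOOPBACK_NAMES:
            reason = "client asked for a loopback name, not the real target"
        elif requested in allowed:
            reason = "target is allowed; check the user's RAP group membership"
        else:
            reason = "target is not in the RAP's allowed resource list"
        # Resources the same user was authorized for in other sessions.
        elsewhere = sorted({e.resource for e in events
                            if e.kind == "rap_ok" and e.user == ev.user})
        findings.append({"user": ev.user, "client": ev.client,
                         "resource": ev.resource, "error": ev.error,
                         "reason": reason, "authorized_elsewhere": elsewhere})
    return findings


# Constructed sample: the four message shapes from the thread, one line-wrapped.
_U = 'The user "DOMAIN\\testuser", on client computer "10.x.x.x", '
SAMPLE_EVENTS = [
    _U + "met connection authorization policy requirements and was therefore "
    "authorized to access the RD Gateway server. The following "
    'authentication method was used: "NTLM".',
    'The\nuser "DOMAIN\\testuser", on client computer "10.x.x.x", did not meet '
    "resource authorization policy requirements and was therefore not "
    'authorized to resource"localhost".\nThe following error occurred: "23002".',
    _U + "met resource authorization policy requirements and was therefore "
    'authorized to connect to resource "rdsfarm.domain.com".',
    _U + 'connected to resource "rdsfarm.domain.com".',
]

if __name__ == "__main__":
    for finding in triage_rap_denials(SAMPLE_EVENTS, ["rdsfarm.domain.com"]):
        print(finding)
```

A denial whose `authorized_elsewhere` list is non-empty means the same account passes the RAP when it asks for the real farm name, which points at the target the client sent rather than at the policy.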
