Access policy or the Applicatios&Gaming setting on E1200

Similar Messages

• Access to update the GRC rule set is limited

  Hello - What is the process (tcode) to see who has access to update the GRC rule set?
  Thanks!

  Hi Sam,
     What is the version of your RAR (CC)? If it is CC 4.0 then you enter the product via tcode and go to rule architect to make changes. If you have CC 5.X then you go through the web browser and go to Rule architect to make changes to the rule set.
  The process to change a rule set is as below:
  1) Creats Function
  2) Create risk
  3) Create Rule
  Regards,
  Alpesh

• In Cisco IronPort WSA, what is the difference of an Access Policy, and an Identity?

  Hi Everyone,
  I am currently setting up a custom access for a particular subnet.
  What I did is to create a new identity for them, then allowed only specific URL categories for them. Note that the subnet is already allowed to access the internet through Global access policy.
  What will be the difference if I rather created a new Access Policy for the subnet?
  And technically, what's the difference of an Access Policy and an Identity?

  This was not my question. I asked if using the Marginal in Printing will you have a frame around the image?
  I think you're confused about which thread you are posting to.  "Wully bully" started this thread by asking about identify plates and watermarks, and I replied to Wully bully's post.
  Nevertheless, your question too about printing is best asked in the main LR forum, not here.

• How to Apply a Newly Created Access Policy on Existing Users in OIM????????

  How to Apply a Newly Created Access Policy on Existing Users in OIM?
  When the rule is getting failed the user is getting removed from the group but resource is not getting revoked. This is happening only for the old uses..for the users which i created now it working fine..i mean its resource is getting revoked.
  (Retrofit access policy" is checked on the Access Policyand Revoke if not longer applied is checked.)
  For the old users i see the POl_Key is null, for new users i see a value '10'. So i updated the pol_key for old users same as it got generated for new users '10'.
  i even updated the form version too but still revoke doesn't work.
  I cant go for the below approach..
  In order to apply a newly created Access Policy on existing users, one has to make sure that:
  1) "Retrofit access policy" is checked on the Access Policy.
  2) Then run the "Set User Provisioned Date" Schedule task to apply the Access Policy on the existing users in OIM.
  Note: After 9.1.0.1 BP03 the access policy execution has been moved to a new scheduled task "Evaluate User Policies" as mentioned inDocument 839368.1 :How to Use Access Policies to Provision with Groups.
  Is there any other approach i can try.. if you have any idea please reply me asap
  Thanks..

  Thanks for the reply kevin..
  We decided to try the Schedule task (Set User Provisioned Date).
  But i see one problem here after seeing this post in metalik --> Can Access Policies Manage The Life-cycle Of Users Created via Reconciliation? [ID 1136540.1]
  According to this post Access Policies framework does not manage users who are obtained either through trusted reconciliation or target reconciliation.
  Is there any custom way to achieve this??
  How does the access policy framework revoke resource work? (revoke if no longer applies)??
  Edited by: IDMuser19 on Jun 21, 2011 11:43 PM

• Issue with UAG/TMG communication to published SharePoint application is blocked by access policy settings

  We have a UAG/TMG server set up with SharePoint published. The UAG is also doing load balancing for the SharePoint farm. We have an MDM application that is trying to connect to our SharePoint but our SharePoint is routed through the UAG. The MDM application
  does not need to be published neither is there any component that can be accessed directly by end users. It is more of a proxy to relay content to mobile devices. It is using 443 and two other secondary ports.
  On the TMG logs, we can see requests hitting the TMG over port 443 from the MDM application server. We can also see that it is trying to be routed to our SharePoint but we get the following error in the TMG log:
  “Filter information: A request from source IP address xx.xx.xx.xx, user to trunk portal; Secure=1 for application SharePoint of type SharePoint15 failed. The endpoint device does not comply with access policy settings ([%PolicyId%]) for session [%SessionId]”
  The source IP is the internal IP of the host running the MDM application. In the UAG side, under the SharePoint publishing rule, for Access Policy Settings we have tried selecting the 'Always' option but that had no effect. It appears like there is a policy
  blocking communication to SharePoint. Does anyone have a suggestion on which policy or where the policy that is controlling this is located so that we can try to resolve this issue? Thanks.

  Looking at the UAG Web Monitor, it says that the access policy is 'Hybrid_Default_Session_Access' and the URL is /_vti_bin/Webs.asmx. 
  We can't find a 'Hybrid Default Session Access' policy. In the Endpoint Policy Settings tab, we tried using 'Always' for the Access Policy for the published SharePoint application but that did not make any difference. 

• OIM Access Policy API

  Hi All
  For oIM 10g, I am looking for an API that can mark the "Revoke If No Longer Applies" flag for all the resources of existing Access Policies.
  Any help!

  Yes. Try this API call -
  updateAccessPolicy
  public void updateAccessPolicy(Thor.API.tcResultSet accessPolicyResultSet,
  java.util.Map attributeList)
  throws Thor.API.Exceptions.tcPolicyNotFoundException,
  Thor.API.Exceptions.tcInvalidAttributeException,
  Thor.API.Exceptions.tcAPIException,
  tcAPIException
  This method updates the attributes of an access policy
  Parameters:
  accessPolicyResultSet - A result set containing at the minimum the access policy key and the rowver of the policy record to update.
  attributeList - A map of name-value pairs, each entry holding an attribute-value pair to set/modify for this access policy. The Attribute names are the String column codes (from the Xellerate metadata). The Attribute Values are the String attributes of the columns to set:
  * Access Policies.Description
  * Access Policies.Name
  * Access Policies.Key
  Throws:
  tcPolicyNotFoundException - if the policy is not in the database
  tcInvalidAttributeException - raise if one of the attributes is not a valid attribute
  tcAPIException - if there is an error retrieving information

• Role getting revoked with Access Policy

  Hi,
  I have a Access Policy which will provision to a Resource Object with only one special role. Whenever a user belongs to the group according to a rule called USR_UDF_GLOBALSTATUS == Active, automatically user is getting provisioned to the Resource object with that Role as per the access policy.In this access policy, "Revoke if no longer applies" option is disabled for that Resource Object.
  Whenever for that user, USR_UDF_GLOBALSTATUS == Active is changed as USR_UDF_GLOBALSTATUS == InActive from reconciliation, the user is removed from that Group. Till here everything is fine. But the Special Role assigned to that user is also getting revoked. I haven't enabled "Revoke if no longer applies" option. But how come the role is getting revoked?
  According to my requirement, that special role should still stay even if the user is removed from the group. Please help...
  - Pavan

  Enable all logging. Check and see if the user was a member of more groups than just the one. There might be more than one access policy for the user, one that gives the resource with a base set of values for the parent form, and then another access policy that has a lower priority that provides the role. Also look at the Xellerate User object and check for any tasks that might be triggered on this change in value as well as other values. Your best bet is to look at the user and all their groups and resources. Then perform your change, and look on their resource profiles both in targets, and on the xellerate user object, and see what all tasks were inserted.
  -Kevin

• Provision Entitlements using Access Policy in OIM & OIA

  Hi All,
  Access policies in OIM does not allow entitlements definition in it such as defining the AD Groups that needs to be attached to the account which would be provisioned on the target resource when the access policy gets triggered. These entitlements definition in OIM is taken care on the Process Form level, whereas in case of OIA the Provisioning polices allow entitlements definition according the resource type in the policy level. It would be of great help if you could help us in understanding how the import and export of access policy data between OIA and OIM would be feasible with these differences in place
  Appreciate any helpful pointer on this.
  Thanks,
  RPB
  Message was edited by: RPB25

  You can edit the Access Policy, select the Resource added-Provide more information, If it has a child table, you can add entitlement to it. you can also add entitlement while exporting OIA policies using accesspolicy api of OIM. But just chek after importing to OIM, the access policies order will be messed.
  sjit

• OIM Access Policy dilemma

  I have a need to use an Access policy for basic account creation but still have a Request workflow for enhanced privileges. The Access Policy needs the Resource and Process forms to both be Auto Pre-populate and auto save. This seems to be a conflicting requirement by the way I understand OIM. Any thoughts on a good work around?
  Kerry

  What version of OIM are you using? And have you made any changes to the web client? (particularly xlWebAdmin.properties, struts-config.xml or the class files?)
  Deborah

• Help Required With Access Policy Trigger On Enable User In Oim 11gR2

  My scenario is:
  We have a created a access policy for the user.
  Scenario1:
  As soon as the role is added to user, the account is provisioned.  -Working
  Scenario 2:
  As the user is disabled, the account gets revoked-Working
  Scenario 3:
  As the user is enabled, the new instance of the account should get provisioned.(It was earlier working in 11G r1)
  "Evaluate User Policies " is running every ten minutes.Manually also triggered it. but the account doesn't get provisioned after the user is enabled.
  Any inputs?
  Please help

  Your Scenario 2:
  As the user is disabled, the account gets revoked-Working ----> ITS WRONG if you are using OOTB feature of OIM
  -> When the user gets disabled, the accounts should get disabled. The result which u are getting above is not OOTB. Have you made any customization to any logic?
  Just for your info, there is one system property which is used to enable disabled resources when the user is enabled:
  http://docs.oracle.com/cd/E27559_01/admin.1112/e27149/system_props.htm#OMADM884
  Enable disabled resource instances when a user is enabled
  If the value is TRUE, then the disabled resource instances are enabled when a user is enabled.
  XL.EnableDisabledResources
  TRUE

• Seggregate Automated User provisioning using Access Policy-Diff Groups/Org

  Hello there,
  By default, the users that are created in OIM - via GTC/via self registration/via Administrator - they all get assigned to "All Users" group. Can we assign these users to a different User Defined group for e.g. "trialgroup", by default and Unassign the "All Users" group. If yes, how can we do that?
  This question is related to another question of mine:
  I want to avoid all the users that are being created in OIM system - to be all together provisioned to a single IT Resource in my case OID directly via Access policy which can be applied on individual group. I want to keep the system extensible for future purposes. And the only way to seggregate direct resource provisioning via access policy is by means of different "groups". So the solution that I could think of was to assign all the users that are being created currently (via GTC and via Bulk Load into OIM) to a separate group and assign an access policy to the group so that in future if any other resource comes into picture then the system can be extended by creating more groups and designing individual separate access policies for the same.
  Does this makes sense?
  Please provide your inputs! Any hints/suggestions/ideas are welcomed.
  TIA,
  - oidm.

  I am actually not very sure, what you want to achieve form the content of that post. If you mean that you would not want every user in OIM to be provisioned to OID automatically through access policy, then I am assuming that in that case you will aplly the access policy to the ALL_USERS group.
  Well I may be missing the flow of your question, but here is what you can do based on my understanding:
  1) Just forget ALL_USERS group. We can no nothing about it. Any User created will be a part of this group and you cannot remove a user from this group.
  2) In place of this what you can do is create another group, for instance trialgroup and make all users a member of this group as well. This would be simple to do. See next step. Use addMemberUser() API of addMemberUser interface.
  3) Create an Entity adapter with a javatask added, which takes an input of UserID, and assigns that user to this group (trialgroup) in OIM using above API. Attach this adapter to the post-insert trigger of the "Users" data object manager. (It also have another ootb Entity adapter which adds all the users to ALL_USERS group).
  4) Attach your access policy to this group.
  5) Now also you are free to extend your system by creating more groups and access policies. It shouldn't be a problem.
  Thanks
  Sunny

• Is it possible to delete an Access Policy on OIM 11gR2?

  Hello,
  Is it possible to delete an Access Policy on OIM 11gR2?
  I have created an Access Policy and associated it with a Role.
  But now, due to changes, this Role should not trigger an Access Policy anymore.
  I haven't found a way to disassociate the Access Policy from the Role neither a way to delete the unnecessary Access Policy.
  Thanks,
  Adriano.

  Hi,
  As far as I know, deleting an access policy is not possible. One solution would be you can create a dummy role which you will never use and remove your existing role from the access policy and assign this dummy role to the policy and save it. That should stop the auto triggering.
  Thanks,
  $id

• Server does not support setting more than 5 shared access policy identifiers on a single container

  Hi,
  I upload a video file to a new Asset. I then attempt to create a streaming URL by creating an Access Policy and then a Locator, which I use to generate the URL used for streaming.This works great. Until the 6th time you execute
  that code against the same Asset. Then you receive this error:
  "Server does not support setting more than 5 shared access policy identifiers on a single container."
  So, that's fine. I don't need to create a new AccessPolicy everytime, I can reuse the one I've created previously, build a Locator using that same policy. However, even then, I get the error about 5 shared access policies on a single container.
  Is this the Lmitation of media service? or am I missing something?
  Following is the code I used for this:
  if (AssetId != "")
                  inputAsset = (from a in _context.Assets
                                where a.Id == AssetId
                                select a).FirstOrDefault();
                  policy= (from a in _context.AccessPolicies where a.Name==inputAsset.Name select a).FirstOrDefault();
                  var assetFile = inputAsset.AssetFiles.Create(Path.GetFileName(singleFilePath));
                  var locator = _context.Locators.CreateLocator(LocatorType.Sas, inputAsset, policy);
                  assetFile.Upload(singleFilePath);
                  locator.Delete();
                  MediaElement media = new MediaElement();
                  media.AssetId = inputAsset.Id;
                  media.Title = Path.GetFileName(singleFilePath);
                  var result = Save(media, singleFilePath);
                  return inputAsset;
              else
                  inputAsset = _context.Assets.Create(User.Identity.Name, AssetCreationOptions.None);
                   policy = _context.AccessPolicies.Create(
                                      inputAsset.Name,
                                      TimeSpan.FromDays(30),
                                      AccessPermissions.Write | AccessPermissions.List
  | AccessPermissions.Read | AccessPermissions.Delete);
                   var assetFile = inputAsset.AssetFiles.Create(Path.GetFileName(singleFilePath));
                   var locator = _context.Locators.CreateLocator(LocatorType.Sas, inputAsset, policy);
                   assetFile.Upload(singleFilePath);
                   locator.Delete();
                   policy.Delete();
                   MediaElement media = new MediaElement();
                   media.AssetId = inputAsset.Id;
                   media.Title = Path.GetFileName(singleFilePath);
                   var result = Save(media, singleFilePath);
                   return inputAsset;

  Hi,
  I found some information related to
  Stored Access Policy , Shared Access Signatures   please check if it helps.
  Regards,
  Shirisha Paderu.

• How can we force the access policy to be re-triggered?

  Hello,
  I set up the access policy (AP) for the dbat connector (with Retrofit).  The AP was triggered correctly to give resource DBAT to the user.  When the user login changed, I called "Delete User" in the dbat connector and the resource is revoked from the user.
  My goal is for the AP to be triggered so that a new dbat account is created for the user with the username.
  However, the AP is not triggered again.  I tracked this by selecting the policy_eval_needed in the user_provisioning_attrs table (1 access policy will be re-evaluated, 0 AP not evaluated).
  Is there a way for me to force the AP to be re-evaluated?
  Thanks
  Khanh

  How are you triggering the Access policy Assignation?
  Hopefully ,if this is governed by the grant and revoke of role, you may first revoke the role for the account which is already revoked and grant the same role again.
  As the previous account was in revoked status, a new account would be provisioned for the DBAT connector. Grant and revoke of role can be done through the SElf Service UI or a custom scheduled task.
  Regards,
  Arvind

• Not able to get the AD organizations list while creating access policy

  Hi All,
  Had created IT Resource for AD server, and was able to successfully connect to it. And Now when I try to create a access policy, where I am not able to view any organization from AD.
  Can someone please let me know how to resolve this.
  Thanks in advance.....
  Regards
  Arun

  Please check the error log which I am getting when I ran the schedule job
  ======= Start Stack Trace =======================>
  <Aug 3, 2012 2:30:55 PM GMT+05:30> <Error> <OIMCP.ADCS> <BEA-000000> <com.thortech.xl.schedule.tasks.ADLookupReconTask : performReconciliation>
  <Aug 3, 2012 2:30:55 PM GMT+05:30> <Error> <OIMCP.ADCS> <BEA-000000> <[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ]>
  <Aug 3, 2012 2:30:55 PM GMT+05:30> <Error> <OIMCP.ADCS> <BEA-000000> <Description : [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecu
  rityContext error, data 52e, vece ]>
  <Aug 3, 2012 2:30:55 PM GMT+05:30> <Error> <OIMCP.ADCS> <BEA-000000> <com.thortech.xl.exception.ConnectionException: [LDAP: error code 49 - 80090308: LdapErr: D
  SID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ]
  at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.searchResultPageEnum(Unknown Source)
  at com.thortech.xl.schedule.tasks.ADLookupReconTask.performReconciliation(Unknown Source)
  at com.thortech.xl.schedule.tasks.ADLookupReconTask.execute(Unknown Source)
  at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.execute(SchedulerBaseTask.java:384)
  at oracle.iam.scheduler.vo.TaskSupport.executeJob(TaskSupport.java:145)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at oracle.iam.scheduler.impl.quartz.QuartzJob.execute(QuartzJob.java:196)
  at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
  at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:529)
  >
  <Aug 3, 2012 2:30:55 PM GMT+05:30> <Error> <OIMCP.ADCS> <BEA-000000> <================= End Stack Trace =======================>
  Based on which I had checked the credentials I provided, and they are correct. I am able to connect to AD with same credentials when I create new IT Resource.
  Not sure what went wrong
  Regards
  Arun