AD/OID Group Membership Integration

I have Oracle DIP/SSO and Zero Sign-on working. My client wants to grant a role to a user in AD and then that correspondingly grants the same user in OID a database role.
I have read in an Oracle whitepaper (Using Oracle with Microsoft Active Directory) that using Oracle DIP a change in a user's group membership in AD can result in a corresponding change in group membership in the Oracle environment.
Has anyone done this? Can you point me in the right direction?

In order to do this you update the group in the AD. This is done by using the groups or user icon and adding a user to a specific group.
The synchronization profile in the OID/DIP will usually take care of this.
cu
Andreas

Similar Messages

  • Child form for Group Membership OID -OIM 11g

    Hi,
    Can we configure a custom child form to store OID group membership in OIM 11g? If Yes, what are the configuration changes to be considered.
    Thanks in advance

  • OIM 10G OID user account / group membership reconciliation

    Hello
    I have an OID environment that is used for OAM access to applications within the environment. I need to be able to reconcile users from OID into OIM along with their group membership so that roles for users are maintained and updated. I have ORM integrated within the environment so entitlements would need to flow to orm to document that users are members of a role / OIM group. Not sure if this is possible through the trusted reconciliation or if there is a user / group target reconciliation that can be used for this. Any help you can give for this would be appreciated.
    Thanks

    When I use ADCS timestamp as 0 (to capture changes from the beginning and not necessarily after the group change event occurred on the AD side) and run AD user target recon this is getting updated. Is this correct and if so how can I always default ADCS timestamp as 0 in the scheduled task and are there any side effects for this sort of approach.
    Prasad.
    Edited by: Prasad on Nov 7, 2011 12:31 PM

  • OIM-OID Provisioning - OID Group PrePopulate Approach :

    Hi,
    I am working on OID Connector 9.0.1.14 with OIM 11.1.1.5.
    I have reconciled all the Roles and Groups from OID to OIM and can successfully provision users to the OID along with membership to these specific Roles and Groups.
    I want to prepopulate the OID Group based on certain attribute from the OIM User form. My Approach so far is :
    1) Created an Entity Adapter with a variable : say Org and GroupName.
    2) Set the Logic as if Org = XYZ (+XYZ does exist on OIM+) set GroupName as = "OID Group 1" else set GroupName as = "OID Group 2"
    3) Attached this adapter to the "OID User Group" form on the "Data Object Manager" at the pre-insert stage.
    4) Mapped the Adapter variable as :
    a) Org Maps to "Organization Definition" with the qualifier "Organization Name"
    b) GroupName maps to the "Entity Field" with the qualifier "UD_OID_GRP_GROUP_NAME"
    However nothing seems to happen when I create/modify a user with Organization Name as XYZ and manually Provision the OID Resource. I can see the form but nothing is populated in the Group Field. Upon completing the request, I get the user provisioned to OID but without any Group information.
    Is my approach right ? Am I missing something ?

    Here is what I have done for a client. My requirement was for a given department, a user must have a list of groups provisioned to them. So here is what i've done:
    1. Create a lookup that has Code Key = Department, Decode = CN of the groups in a delimited format.
    2. Create a provisioning task that will look at the department code from the user form, reference the lookup and find the decode values. Split them based on a delimiter. Then using each value, look up the code key value from the real lookup that contains the full distinguished name of the group in the OID Group lookup. I even appended the IT Resource Key and ~ so that my search would be Decode or Code = "IT Resource Name~CN=<CN VALUE>%". This would return only the single group code key value. And then I add it to the child table. Repeat this for all the values in the delimited field.
    3. Create a provisioning task that removes the values from the child table based on the delimited value. You'll need to search through the existing child table values.
    Once you have the 2 tasks, you'll want to add a value to your Lookup.USR_PROCESS_TRIGGERS that is your group determining field. Create your task name in this lookup. On your provisioning workflow, for the Adding of the groups task, make this unconditional, and have a preceding task of the Create User. Give it the name from your Lookup.USR_PROCESS_TRIGGERS and append " - Add Groups" to the task name. Create another task called the same, but append " - Delete Groups" to the task name. On the Add Groups task, make the preceding task the Delete groups. When you map your inputs to the adapters, on the delete, select the old value check box from the User Form so that you get the old value. Now, when the value changes on the user form, it will first remove the old groups, then add the new ones. All this will be done using the child table APIs, so that the existing Insert and Delete task triggers for your child table will run.
    -Kevin

  • OBIEE only getting limited number of group membership records

    Hey everyone,
    I'm seeing some strange behavior with the group membership functionality of OBIEE. Right now we're on version 10.1.3.2 and we've implemented SSO and we setup a query against LDAP (AD) to get user group information similar to the way Venkat's blog demonstrates:
    http://oraclebizint.wordpress.com/2007/10/12/oracle-bi-ee-101332-and-oid-user-and-group-phase-2/
    At first glance, everything was working smoothly, however, on second glance, I noticed that on users who were part of lots of groups (i.e. 80 groups), not all of their membership information was getting into OBIEE. On my test user, who was part of only 10 groups, I ran a test in which I only gave access to the Answers module to a person from the 10th group. When I logged into OBIEE as my test user, I was able to access answers.
    On my second test user, who had 80 groups, I set access to answers for the 75th and 80th groups (both different tests). Neither test allowed this user to access answers. However, when I choose the 5th group returned, the user was quickly able to see and access answers.
    When I test out the call to the Oracle function in the Admin tool, I see all the groups returned there.
    These strange results lead me to believe that there is only so many group membership records that OBIEE can receive. Is that true? Has anyone seen this before? Did I forget to set something appropriately?
    Thanks everyone for your help!
    -Joe

    Hey,
    Sorry about the delay in getting back to you, I was slammed with some work right before the Holiday. Anyway, below is the sample code and an example of its usage. Be sure to replace the <BASE DN>, <LDAP HOST>, <LDAP USER>, and <LDAP PASSWORD> with the appropriate values for your situation.
    Also, you'll need to create the "ARRAY" datatype like in Venkat's blog.
    Best of luck!
    -Joe
    -- Example usage (after creating the ARRAY type from Venkat's blog):
    select * from table(getusergroup('Jbertram'));

    create or replace FUNCTION GETUSERGROUP(Username in Varchar2) RETURN ARRAY PIPELINED AS
      -- Adjust as necessary.
      l_retval      pls_integer;
      l_session     dbms_ldap.session;
      l_attrs       dbms_ldap.string_collection;
      l_message     dbms_ldap.message;
      l_entry       dbms_ldap.message;
      l_attr_name   varchar2(256);
      l_ber_element dbms_ldap.ber_element;
      l_vals        dbms_ldap.string_collection;
      l_ldap_base   varchar2(256) := '<BASE DN>';
      l_filter      varchar2(100) := '(&(cn='||Username||'))';
      l_ldap_host   varchar2(100) := '<LDAP HOST>';
      l_ldap_port   number        := 389;
      l_ldap_user   varchar2(100) := '<LDAP USER>';
      l_ldap_passwd varchar2(100) := '<LDAP PASSWORD>';
    begin
      -- Choose to raise exceptions.
      dbms_ldap.use_exception   := true;
      dbms_ldap.utf8_conversion := false;
      -- Connect to the LDAP server.
      l_session := dbms_ldap.init(hostname => l_ldap_host, portnum => l_ldap_port);
      l_retval  := dbms_ldap.simple_bind_s(ld => l_session, dn => l_ldap_user, passwd => l_ldap_passwd);
      -- Request only the memberOf attribute.
      l_attrs(1) := 'memberOf';
      --l_attrs(2) := 'cn';
      l_retval := dbms_ldap.search_s(ld       => l_session
                                    ,base     => l_ldap_base
                                    ,scope    => dbms_ldap.scope_subtree
                                    ,filter   => l_filter
                                    ,attrs    => l_attrs
                                    ,attronly => 0
                                    ,res      => l_message);
      if dbms_ldap.count_entries(ld => l_session, msg => l_message) > 0
      then
        -- Get all the entries returned by our search.
        l_entry := dbms_ldap.first_entry(ld => l_session, msg => l_message);
        <<entry_loop>>
        while l_entry is not null
        loop
          -- Get all the attributes for this entry.
          dbms_output.put_line('---------------------------------------');
          l_attr_name := dbms_ldap.first_attribute(ld        => l_session
                                                  ,ldapentry => l_entry
                                                  ,ber_elem  => l_ber_element);
          <<attributes_loop>>
          while l_attr_name is not null
          loop
            -- Get all the values for this attribute.
            l_vals := dbms_ldap.get_values(ld => l_session, ldapentry => l_entry, attr => l_attr_name);
            if l_vals.count > 0 then
              <<values_loop>>
              for i in l_vals.first .. l_vals.last
              loop
                -- Strip the leading 'CN=' and everything from the first comma on,
                -- leaving the group's common name.
                dbms_output.put_line(substr(l_vals(i),4,instr(l_vals(i),',')-4));
                PIPE ROW(substr(l_vals(i),4,instr(l_vals(i),',')-4));
              end loop values_loop;
            end if;
            l_attr_name := dbms_ldap.next_attribute(ld        => l_session
                                                   ,ldapentry => l_entry
                                                   ,ber_elem  => l_ber_element);
          end loop attributes_loop;
          l_entry := dbms_ldap.next_entry(ld => l_session, msg => l_entry);
        end loop entry_loop;
      end if;
      -- Disconnect from the LDAP server.
      l_retval := dbms_ldap.unbind_s(ld => l_session);
      --dbms_output.put_line('L_RETVAL: ' || l_retval);
      return;
    end;
    /
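
    Two details of the GETUSERGROUP function above deserve attention from a hardening point of view: the filter is built by concatenating Username, so any '*', '(' or ')' in the input changes what the search matches, and the substr/instr expression assumes every memberOf value starts with 'CN=' and contains no escaped comma. The following Python is an added example (not part of Joe's post or of any Oracle code) showing RFC 4515 filter escaping and an RFC 4514 aware parser for the leading RDN, run over constructed sample memberOf values with no directory connection:

```python
"""LDAP filter escaping and memberOf DN parsing (added example; not from the
original post). Constructed sample values only; no directory connection."""
import re

# RFC 4515 requires these characters to be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_member_filter(username: str) -> str:
    """Same filter shape as the page's l_filter, but with the user name escaped
    so that '*', '(' and ')' in the input cannot widen the search."""
    return "(&(cn=%s))" % escape_filter_value(username)


def first_rdn(dn: str) -> tuple:
    """Return (attribute_type, value) of the leading RDN of a DN string.

    Handles the RFC 4514 escape forms that the substr/instr expression on the
    page does not: backslash-escaped specials ('\\,'), hex pairs ('\\2C'),
    and the legacy quoted form ('CN="Smith, John",...')."""
    eq = dn.find("=")
    if eq < 0:
        raise ValueError("not a DN: %r" % dn)
    attr = dn[:eq].strip()
    i = eq + 1
    if i < len(dn) and dn[i] == '"':  # legacy quoted value
        close = dn.find('"', i + 1)
        if close < 0:
            raise ValueError("unterminated quote in %r" % dn)
        return attr, dn[i + 1:close]
    raw = bytearray()  # hex pairs are UTF-8 bytes, so collect bytes
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            hexpair = dn[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", hexpair):
                raw.append(int(hexpair, 16))  # one escaped UTF-8 byte
                i += 3
            else:
                raw.extend(dn[i + 1:i + 2].encode("utf-8"))  # escaped literal
                i += 2
        elif ch == ",":
            break  # unescaped separator ends the first RDN
        else:
            raw.extend(ch.encode("utf-8"))
            i += 1
    return attr, raw.decode("utf-8")


def memberof_to_groups(member_of: list) -> list:
    """Map memberOf DN values to group names (what GETUSERGROUP pipes out),
    accepting 'cn=' in any letter case."""
    names = []
    for dn in member_of:
        attr, value = first_rdn(dn)
        if attr.lower() == "cn":
            names.append(value)
    return names


def naive_cn(dn: str) -> str:
    """Python equivalent of the page's substr(v,4,instr(v,',')-4): assumes a
    'CN=' prefix and truncates at an escaped comma inside the CN."""
    return dn[3:dn.index(",")]


# Constructed sample memberOf values in the shape an AD search returns them.
SAMPLE_MEMBER_OF = [
    "CN=Domain Admins,CN=Users,DC=example,DC=com",
    r"CN=Smith\, John,OU=Staff,DC=example,DC=com",
    r"cn=Gr\c3\bcn,ou=Teams,dc=example,dc=com",
]

if __name__ == "__main__":
    print(build_member_filter("Jbertram"))
    print(build_member_filter("J*(bertram)"))
    for sample in SAMPLE_MEMBER_OF:
        print(repr(naive_cn(sample)), "->", repr(first_rdn(sample)[1]))
```

    Running the block prints the page-style extraction beside the parsed value for each sample, so the two cases where they differ (escaped comma, hex-escaped UTF-8) are visible directly.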

  • Migrating OID groups to OIM

    We have been given the task of migrating our existing identity management systems to OIM (Oracle Identity Manager).
    Part of our existing system uses OID (Oracle Internet Directory). All users have an entry in OID. Some of our systems use OID for authentication.
    We also use OID to hold users' entitlements/privileges that control access to our applications. We use OID groups (represented by entries based on groupOfUniqueNames and orclGroup objects) to do this. For example we might have an application called 'Finance' with three levels of access represented by OID groups e.g. 'finance_enquiry', 'finance_updater', 'finance_superuser'. Those groups would all belong to a parent group called 'finance_application'. To access the application the user needs to be a member of 'finance_application' group or one of its child groups. Access to features of the application are controlled by membership of the 3 child groups. We have an application that maintains groups, group membership, and user entitlements in OID.
    As part of the migration project we want to move maintenance of groups and group membership from our own application into OIM. The above scenario seems quite basic.
    My main question is how would this be done in OIM? Do our current OID groups become OIM Groups? Do they become entries in some lookup table in OIM? Are there any case studies or other documentation that describes this kind of requirement?
    I've looked at the OIM Connector for OID documentation but it doesn't describe typical scenarios. It assumes that you know what you are doing.
    We also want to give users the ability to request entitlements, and to provide an approval process. So we could have a user who approves/rejects entitlement requests to access to the applications they control. But that's a another topic.
    Cheers,
    Eric

    PeachEye wrote:
    > We have been given the task of migrating our existing identity management systems to OIM (Oracle Identity Manager).
    > As part of the migration project we want to move maintenance of groups and group membership from our own application into OIM. The above scenario seems quite basic.
    You're about to find out otherwise.
    > My main question is how would this be done in OIM? Do our current OID groups become OIM Groups? Do they become entries in some lookup table in OIM? Are there any case studies or other documentation that describes this kind of requirement?
    You'll need a custom connector and lots of OIM tweaks. Your groups will stay in OID, OIM will replace the current application you use to maintain them. That's one way of doing it, no impact to OID schema is the benefit of this way, there are other ways.

  • Pre-Populate group membership details while provision

    Hi,
    We are using AD Connector 9.1.0.1 to provision OIM user to ADAM.
    While provision I need to pre-populate group membership details of user like other user attributes.
    Is it possible to do this using pre-populate adapter; if so then please provide us details to do this or is there any other approach to achieve this?
    -Hardew

    Can you explain the FormInstanceOpsIntf piece in a little more detail? I'm having a similar issue as the other two posters above, except mine is with OID.
    1) So focusing first on just creating the adapter...
    a. Create a new adapter of type Entity.
    b. Create the adapter variables here???
    -> Three variables of type long, and one of type object???
    c. Add an adapter task
    -> Type: Utility Task -> Oracle Identity Manager Api
    -> New Object Instance
    -> Task Name: <not important>
    ??? (is this correct) -> Application API - Thor.API.Operations.tcFormInstanceOperationsIntf
    ??? (is this correct) -> Methods - 17. public abstract long Thor.API.Operations.tcFormInstanceOperationsIntf.addProcessFormChildData(long,long,java.util.Map)
    d. Complete the Parameter Data Mapping
    -> Input: long - ??? (what to map here?)
    -> Output: long - ??? (what to map here?)
    -> Input: long - ??? (what to map here?)
    -> Input: java.util.Map - ??? (what to map here?)
    2) After the adapter is created, I will look up the "OID User" form in the Data Object Manager, and add the adapter I created under "Post-Insert".
    Thanks!

  • OIM-OID Connector: OID Group Recon Task and organizations

    Hi,
    I'm evaluating OIM and its OID Connector.
    We have groups in our existing OID. We thought that we could use the OID Connector OID Group Recon Task to import those groups into OIM and make them Groups in OIM.
    However, when we run the task, it appears to import our groups from OID as organizations, not as groups. It's not clear to me from the OID Connector documentation what exactly the OID Group Recon task is supposed to do. That's why we assumed it was an OOTB method for reconciling OID groups into OIM groups.
    What are we doing wrong? Why do we end up with our OID Groups becoming OIM Organizations after running the task?
    We are using version 9.4.11 of the OID Connector.
    Also, a side issue: how can we delete unwanted organizations from OIM? There's a delete option but it just seems to mark the organizations as deleted but they are still there.
    Thanks
    Eric
    Edited by: PeachEye on 17/03/2010 11:49

    Hi,
    I am also facing the similar issue. I want to reconcile OID groups into OIM User Groups menu item. Please suggest how to proceed.
    I ran the schedule task- OID Group Recon Task, but it throws error-
    ERROR,12 Mar 2010 09:16:44,265,[XL_INTG.OID],OID:tcTskOIDGrouporRoleReconTask:performReconciliation():com.thortech.xl.integration.OID.util.tcUtilLDAPOperations:NamingException :Unable to search LDAP. Check the following values and try again: Base Search detail: cn=abc,ou=Q System1,dc=xoserve-apps,dc=com, filter expression is (&(objectClass=groupOfUniqueNames)(modifytimestamp>=19000101010001Z)), Attributes : DN, modifytimestamp, Organization Name, orclguid, cn,]
    ERROR,12 Mar 2010 09:16:44,281,[XL_INTG.OID],===================================
    I want to bring OID groups into OIM so that I can manage those OID groups from OIM. Is there any other way to do this? Do I have to make changes in the OID object class or in the OID field mappings? I have not done any changes in Lookup OID configuration or LookUp Field map parameters.
    Please help.

  • OIM-OID! provisioning users to OID groups-QUICK HELP NEEDED

    hi,
    I've installed OIM connected to OID.
    I've been assigned some tasks:
    1) Creating access policy such that when a user is created in OIM, he is provisioned to two groups in OID.... ie. in cn=users and cn=employees (where cn=employees is the group I create under cn=Groups,dc=ad,dc=company,dc=com)
    2)Creating an access policy such that when a user is created in OIM, he is provisioned to two additional groups in OID, say I've created two custom groups in OIM and attached membership rules to them. Now when i create a user satisfying the two membership rule,he is assigned to those two OIM groups and provisioned to cn=users,dc=ad,dc=company,dc=com and cn=group1,cn=Groups,dc=ad,dc=company,dc=com and cn=group2,dc=ad,dc=company,dc=com.
    Also i want to populate those OID groups into a child table and create their lookups in Process form
    Please help me materialise and understand these concepts.
    The OID Lookup Recon task for group is running fine, lookup.oid.group is populated with values.
    how those groups can be populated in process form child table(OID user group table).
    Edited by: Chhavi Saluja on Feb 12, 2010 12:51 AM

    As mentioned in my other post you can put these groups in access policy form and all the users assigned by this policy will get these groups. Any issue revert back.

  • ACS 5.3 Group Mapping based on AD group membership

    Hi,
    I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the user's specific AD group membership, and match appropriately to an identity group.
    What I'm trying to do is say that if the user is a member of the AD Group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. Then under the access service, authorization portion, I assign shell profiles and command sets based on Identity Group.
    It seems that the ACS server will not match the AD Group for the user, and it will match the Default of the Group Mapping portion of the policy every time.
    I tried several configuration choices from: AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.
    Is there something special I need to do in the Group Mapping Policy to get it to match an Active Directory group and result in assigning the host to an Identity Group?
    Thank you,
    Sami

    Ok, my case is like this.
    I use ACS 5.3 for VPN authentication, using AD and an external RSA for token authentication (2 factor authentication)
    I didn't add all the VPN users in the ACS, because it will be troublesome, the users authentication will be managed by AD and RSA server.
    In some cases where we need to restrict a group of user to only access certain resources, downloadable ACL is used.
    Following the Cisco docs, I managed to get downloadable ACL working when the authorization profile matching criteria is username, but when I change the matching criteria to Identity group, the downloadable ACL won't work.
    I have a case with Cisco engineer now and still in the middle to sort things out.
    The advice from the Cisco engineer is to have the Access Service set to Internal User instead of RSA server, but that will require us(the admin) to import all the VPN users into the ACS database.
    Wondering whether there is a fix for this.
    Thanks.

  • Weblogic 10.3.0 - Security Violation when Group Membership Lookup enabled

    Dear Admins,
    We're running a Weblogic 10.3.0 cluster with our own software deployed.
    We're using SQL authentication (JDBC to Oracle DB) to authenticate users.
    Recently we've been tuning our WL cluster to improve performance, and have enabled Group Membership Lookup Hierarchy Caching.
    Sometimes users log into our application and get insufficient rights (or some other error). This appears to happen at random. Most of the time they can log in without problems.
    We determined it's not something to do with the cluster, although it can happen on one node and the other node will work as normal.
    In the Managed server we see this error (with test user):
    Managed7Server.out00011:java.rmi.AccessException: [EJB:010160]Security Violation: User: 'test' has insufficient permission to access EJB: type=<ejb>, application=leanapps, module=process_general.jar, ejb=LaLifeProcessController,
    method=create, methodInterface=Home, signature={}.
    When we disable Group Membership Lookup Hierarchy Caching, this error never occurs.
    Our settings (Security Realms -> myrealm -> Providers -> SQL Authenticator -> Performance):
    Max Group Hierarchies In Cache: 5000 (we have approx. 2000 groups)
    Group Hierarchy Cache TTL: 3600
    provider specific settings :
    Group Membership Searching: unlimited
    Max Group Membership Search Level: 0
    Also in Myrealm -> Performance we have set :
    Enable WebLogic Principal Validator Cache
    Max WebLogic Principals In Cache: 5000
    If we put the TTL really low (default 60 seconds), the error hardly ever occurs. But we want to have a cache that lasts longer than one minute.
    This might be a bug, as we have other clusters running on WL 10.3.5, 12c where we use the same cache settings. This issue does not occur there.
    I'm more than willing to provide more info or config files
    Edited by: user5974192 on 21-nov-2012 5:17

    This is fixed now. Someone had defined a Servlet for the web service in web.xml that was preventing the EJB container to kick in.
    Edited by: user572625 on Aug 25, 2011 11:54 PM

  • OIM: What is the purpose of "Update" while editing group memberships

    Hi,
    This is when you look up a user's Resource Profile and go to the "Edit" link. The process form shows up along with a drop down to edit the group memberships. When we select one of the choices such as "Groups" another window pops up where we could add more entries into the child form. In this form there is an "Update" column with a radio button besides a "Remove" column. What is the purpose of this "Update" column? We can add or delete child entries but what does update do? Is there a way to remove this selection altogether?
    Thanks in advance

    Update I can see used for cases where you have multiple columns on a child table entry and want to change one of them. Strictly speaking, you can update a single column child table rather than delete and insert also. Access policies always do insert and delete actions, but you will want to implement an update task as well if you expect anyone to be editing child tables on resources directly.

  • OIM 9.1.0.2 Group Membership Removal for Disabled Users

    Hello
    In OIM 9.1.0.2, when a user is disabled, they are removed from the groups they are a member of within 24 hours. I was wondering if this is a set time and if so, can this be extended to a specified time so membership can be left for a week before it is removed from the user. If you can let me know on this I would appreciate it.
    Thanks
    Nick

    Today, when accounts are disabled, within 24 hours all the group memberships are removed on the OIM side. I would like to change the interval for the cleanup so that when an account is disabled, all the existing group (role) memberships stay assigned to the account then after 30 days of the account being disabled, the group (role) memberships are removed. Not sure if this would be an ORM thing or OIM, but I think it would be OIM since ORM still has the role mappings for users when they are disabled.
    Thanks
    Nick

  • Error while provisioning to OID group

    Hi,
    We created 2 groups in OID. We ran the OID group lookup Reconciliation task and now we are able to see the created Groups in Lookup.OID.Group.
    We added the Groups in the access policy. But when we are Provisioning Users into OID the Add User to Group task is getting rejected with a "Group Doesn't Exist" error message. Please help
    Thank you

    Can you check whether Groups still exists in OID ?
    Just Enable the logs for OID connector only and paste the logs here.

  • Users not provisioned from OIM to OID groups

    I've created an Access policy such that when I create a user with role as consultant he is automatically provisioned to OID resource and OID group( cn=group1,cn=groups,dc=ad,dc=company,dc=com ).
    The user is provisioned to OID users(cn=users) but not to cn=group1,cn=group....
    What could be wrong?
    I have run the OID group lookup tasks to generate freshly added group lookups. These lookups are populated in process form when I create an access policy.
    For ex the lookup generated is cn=group1,cn=group,dc=ad,dc=company,dc=com and the decode value is group1
    The user profile and process form are not linked. That means changes in process form are not reflected to user profile. Can this be a possible reason for the hassle defined above?
    please help me resolve this issue.
    Edited by: Chhavi Saluja on Feb 15, 2010 1:30 AM

    Hi,
    Today I have also done the same thing of auto provisioning of OID through access policy. Only difference is that for selecting "Container DN" and "User group" we have created two user defined fields (lookup) in the user form which will refer to the lookups "Lookup.OID.Organization" and "Lookup.OID.Group" for inputs. These lookups are already reconciled once from OID.
    As far as "container DN" I am successful but while selecting "user group" I am able to select and when I click on "create user" the user is getting provisioned to OID into the Container DN I specified. But the user is not going into that particular group I specified. I am assuming the reason is that User Group is a multivalued attribute and if we observe the process form of group selection we will see the add button. But on the user form we don't have the option of a child form to ADD/REMOVE the groups.
    Someone please suggest how to proceed further on this. How do I push the user into a particular group/groups from the create user form itself?
