Another OAM 10g policy evaluation question

I have a policy with authz expression= Rule A & Rule B & Rule C:
Rule A:
Allow: ldap_attr_1 = X
Deny: no one is denied
Allow precedes denial: true
Authz failure redirection URL: URL1
Rule B:
Allow: ldap_attr_2 = Y
Deny: no one is denied
Allow precedes denial: true
Authz failure redirection URL: URL1
Rule C:
Allow: anyone is allowed
Deny: ldap_attr_3 = Z
Allow precedes denial: false
Authz failure redirection URL: URL2
My user profile has ldap_attr_1=X, ldap_attr_2=Y, ldap_attr_3=Z, I expect access to be denied based on Rule C and user redirected to URL2. Instead I see authorization = Inconclusive and Rule=<not found>.
If user has ldap_attr_1=X, ldap_attr_2=Y and NOT ldap_attr_3=Z I am getting correct evaluation - user is authorized.
Any ideas how to make this working? Basically I want user to be redirected to the URL that is defined in the rule that caused denial.
Thanks,
Alex

Hi Colin,
Here's what I have:
Authz Rule: Rule1
Access allowed: Any one
Access denied: ldap rule (attr=value)
Allow takes precedence: false
Actions: redirect to URL1 on denied
You can use any attribute and any value; I am using my custom attribute. Then I protect a resource /myresource with policy Policy1 that only has this rule. Set up attr=value and access tester shows redirection to URL1. Now 2 more rules:
Authz Rule: Rule2
Access allowed: ldap rule (o=org)
Access denied: no one is denied
Allow takes precedence: true
Actions: no actions
Authz Rule: Rule3
Access allowed: ldap rule (title=title)
Access denied: no one is denied
Allow takes precedence: true
Actions: no actions
And Policy2 has authz expression Rule2 AND Rule3 AND Rule1. And Policy2 has action: redirect on authorization inconclusive to URL2. My user's profile has o=org, title=title, attr=value. Access tester shows redirection to URL2.
Thanks,
Alex

Similar Messages

  • OAM 10g policy evaluation issue

    I have the policy with following authorization expression: Rule A|Rule B.
    Rule A:
    allowed: all users with o=Org A
    denied: any user
    allow takes precedence: true
    Rule B:
    allowed: all users with o=Org B
    denied: any user
    allow takes precedence: true
    I want the policy to grant access to any user in either of the organizations. It does not work for users with o=Org B. Instead access tester shows that Rule A was in effect and authorization is inconclusive. The only way I can make it work is by removing denial conditions completely, i.e. denied=no one is denied. It does not make sense to me - each rule actually works if not combined with another one.
    Does anybody know whether it is a bug?
    Thanks,
    Alex

    Hi Alex,
    The important thing to remember is that for OR conditions, OAM will stop processing the expression as soon as the user is explicitly referenced (for either Allow or Deny) in a rule, as evaluated from left to right. So if you have an expression:
    RuleA OR RuleB OR RuleC
    and the logged in user is not mentioned in ruleA, but is Allowed in RuleB, then OAM will not process RuleC.
    (With AND conditions, OAM needs to know all of the results, so in the case of an expression:
    RuleX AND RuleY AND RuleZ
    if the user satisfies RuleX, then OAM still needs to process RuleY and RuleZ in order to determine if the user meets the requirements of the expression.)
    In the majority of cases, the way OAM works does boil down to the same as Boolean logic. If, for example, the OR expression above tested that a user is in either GroupA, or GroupB, or GroupC and the user is in GroupA, the only effect of the way that OAM works is that it does not unnecessarily work out if the user is in GroupB or GroupC.
    The two areas which I can see as potentially causing confusion are:
    - when you have an Allow Anyone or Deny Anyone in a rule. In this case, clearly every user is explicitly mentioned in a rule, and processing will stop at this rule as far as OR operations are concerned (as in the example you originally gave).
    - when you want different actions to be performed depending on which rule is applied (so if a user is a member of both GroupA and GroupC, you may have different sets of header variables that need to be applied).
    But generally, if these are not factors, I would expect the behaviour for more complex relations (such as your "(Rule 1 OR Rule 2) AND (Rule 3 OR Rule 4)" expression) to be the same as for Boolean operations. In this case if a user satisfies Rule1, then it will still evaluate AND (Rule3 OR Rule4), but not Rule2.
    If the above factors really do cause OAM to evaluate undesirable results for you, would it be possible to move the complexity to group membership? For example you could define group membership to be the result of a complex ldap filter, and then define a simple rule (and expression) and associated actions which allows access based on this group.
    Regards,
    Colin
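A small, constructed simulation of the evaluation order Colin describes (OR stops at the first rule that explicitly references the user, whether by Allow or Deny; AND processes every rule), applied to the two configurations Alex posted: the Rule A | Rule B expression from this thread and the Rule A & Rule B & Rule C expression with per-rule failure URLs from the question at the top of the page. This is an added reasoning aid, not OAM code or anything from the thread; the `Rule`, `Outcome`, `evaluate_or` and `evaluate_and` names and the `NotReferenced` state are assumptions made for the model. It records which rules were actually processed and which one ended up in effect, which is the part of OAM's behaviour that makes a rule work alone but not in combination. For the AND case it produces the Boolean outcome Alex expected (Deny by Rule C, redirect to URL2); it does not reproduce the Inconclusive result he observed, so treat it as a way to predict which rule should be in effect, not as an explanation of that result.

```python
# Constructed toy model of how OAM 10g evaluates an authorization expression,
# following Colin's description in the thread above. Not OAM code.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Profile = Dict[str, str]            # the user's LDAP attributes (constructed)
Cond = Callable[[Profile], bool]    # an Allow or Deny condition

ALLOW, DENY, NOT_REFERENCED, INCONCLUSIVE = "Allow", "Deny", "NotReferenced", "Inconclusive"


def anyone(_: Profile) -> bool:
    """'Any one' / 'anyone is allowed': every user is explicitly referenced."""
    return True


def no_one(_: Profile) -> bool:
    """'No one is denied': the condition references nobody."""
    return False


def attr_equals(attr: str, value: str) -> Cond:
    """LDAP-style attr=value condition checked against the profile."""
    return lambda p: p.get(attr) == value


@dataclass
class Rule:
    name: str
    allow: Cond
    deny: Cond
    allow_takes_precedence: bool
    failure_url: Optional[str] = None   # per-rule "Authz failure redirection URL"

    def evaluate(self, profile: Profile) -> str:
        allowed, denied = self.allow(profile), self.deny(profile)
        if allowed and denied:
            return ALLOW if self.allow_takes_precedence else DENY
        if allowed:
            return ALLOW
        if denied:
            return DENY
        return NOT_REFERENCED   # the rule says nothing about this user


@dataclass
class Outcome:
    decision: str
    rule_in_effect: Optional[str]
    evaluated: List[str]            # rules actually processed, in order
    redirect_url: Optional[str]


def evaluate_or(rules: List[Rule], profile: Profile) -> Outcome:
    """OR: left to right, stop at the first rule that references the user."""
    evaluated: List[str] = []
    for rule in rules:
        evaluated.append(rule.name)
        result = rule.evaluate(profile)
        if result != NOT_REFERENCED:
            url = rule.failure_url if result == DENY else None
            return Outcome(result, rule.name, evaluated, url)
    return Outcome(INCONCLUSIVE, None, evaluated, None)


def evaluate_and(rules: List[Rule], profile: Profile) -> Outcome:
    """AND: every rule is processed; any Deny wins, all Allow gives Allow."""
    results = [(rule, rule.evaluate(profile)) for rule in rules]
    evaluated = [rule.name for rule, _ in results]
    for rule, result in results:
        if result == DENY:
            return Outcome(DENY, rule.name, evaluated, rule.failure_url)
    if all(result == ALLOW for _, result in results):
        return Outcome(ALLOW, None, evaluated, None)
    return Outcome(INCONCLUSIVE, None, evaluated, None)


def or_case(org: str, deny_any_user: bool = True) -> Outcome:
    """Rule A | Rule B from this thread; deny_any_user=False removes the denial."""
    deny = anyone if deny_any_user else no_one
    rule_a = Rule("Rule A", attr_equals("o", "Org A"), deny, True)
    rule_b = Rule("Rule B", attr_equals("o", "Org B"), deny, True)
    return evaluate_or([rule_a, rule_b], {"o": org})


def and_case(profile: Profile) -> Outcome:
    """Rule A & Rule B & Rule C from the question at the top of the page."""
    rule_a = Rule("Rule A", attr_equals("ldap_attr_1", "X"), no_one, True, "URL1")
    rule_b = Rule("Rule B", attr_equals("ldap_attr_2", "Y"), no_one, True, "URL1")
    rule_c = Rule("Rule C", anyone, attr_equals("ldap_attr_3", "Z"), False, "URL2")
    return evaluate_and([rule_a, rule_b, rule_c], profile)


if __name__ == "__main__":
    print(or_case("Org B"))                       # Deny by Rule A; Rule B never processed
    print(or_case("Org B", deny_any_user=False))  # Allow by Rule B
    print(and_case({"ldap_attr_1": "X", "ldap_attr_2": "Y", "ldap_attr_3": "Z"}))
```

The `evaluated` list is the useful output: with "denied: any user" in Rule A, an Org B user is referenced (denied) by Rule A, so the OR expression stops there and Rule B is never consulted; with the denial removed, Rule A does not reference the user and evaluation continues to Rule B, which is exactly the workaround Alex found.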

  • Pop up warning when creating policy domain in OAM 10g

    Has anyone seen below pop up warning when creating a policy domain in OAM 10g Policy manager?
    Warning:
    This policy domain controls the access to the URI you are currently accessing
    /access/oblix/apps/policyservcenter/bin/policyservcenter.cgi
    Are you sure you want to commit these changes?

    Hi,
    Does Note 842378.1 look like a match for you? Maybe the obcompounddata attribute is missing for some odd reason.
    Regards,
    Colin

  • OAM 10g Reset Password Issue in Password Policy Management

    Hi,
    We are using OAM 10g and we have configured a password policy for our application by selecting the "Change on Reset" check box.
    We have created new user in create user identity tab and when we are logging with new user for the first time, it is not redirecting to the reset password page.
    Can someone shed light on this issue?
    Thanks,
    Ganesh

    Hi Colin,
    As you said, we have configured obpasswordchangeflag in the Create User Workflow by setting the default value to true.
    We have created new user in create user tab and checked in LDAP Browser as it is showing obpasswordchangeflag =true in newly created user's profile.
    Now, when we are trying to login with new user, it is still not redirecting to the Reset Password Page.
    Please find below the URL which we have configured in Password Policy Change Redirect URL:
    /identity/oblix/apps/lost_pwd_mgmt/bin/lost_pwd_mgmt.cgi?program=redirectforchangepwd&login=%loginid%%userid%&backURL=%HostTarget%%RESOURCE%&STLogin=%applySTLogin%&target=top&style=style1
    Can you please help me on this issue?
    Thanks,
    Ganesh

  • OAM 10g attribute is not visible in object class in Identity System console

    Hi All,
    This is about an OAM 10g environment with OID used as user/config/policy store. There is one custom user object class and custom attributes defined in Identity System console already. Now there is a requirement to add another custom attribute to that already existing custom user object class.
    I have created the attribute in schema through ldap command and I am able to see it in LDAP browser as well. However even after restarting OAM identity server and webpass services, the attribute is not visible in Identity System console -> Common Configuration -> Objectclasses -> Custom object class.
    Appreciate any help. Please treat this as urgent.
    Thanks
    Mahendra.

    The solution is to add the attributes in OVD schema as OVD is the user store.

  • IS - Policy evaluation performance

    Hi all,
    I am trying to find out why a policy evaluation takes over a second.
    The request is generated using C API, IS and DS are running on different machines. Don't think there is a networking problem. IS version is 6.1
    My questions are:
    - Are there any tools available to measure the IS response time?
    - Any parameters on the server to be tuned for performance optimization?
    - Any steps I should take to make sure that there is no networking involved?
    - Has anyone done any policy evaluation in Java? - how was the performance? what about the session token validation?
    Thanks in advance for any suggestions.
    Dan

    If your DNS is not working this slows down access to protected resource by the timeout for DNS (per each page request!). The performance impacts are probably about the same for doing a reverse lookup on every request (not great for large numbers of requesters).

  • Policy Execution Questions.

    Hi,
    I have a question regarding policy evaluation.
    1. Policy Evaluation at the end of task sequence.
    Am I correct in thinking that at the end of an OSD task sequence the SCCM client will initiate a full policy request (user and machine) as soon as the task sequence finishes?
    2. Policy randomizer.
    Also I think there is a policy randomizer so it ensures that policy does not start executing at the same time. If so can I get some more details on it. If it does come in is there something that I can look in the logs so I know that the client and know for example each policy cycle might be at 15 minutes into the hour.
    So I am not sure how these two factors come into play - as my assumptions might be off on this.
    So if I could get a bit of clarification/elaboration.
    Thanks,
    Ward

    #1: yes, but only machine policies (retrieving user policies without a user being logged on does not make sense though, but user policies will be retrieved as soon as a user logs in)
    #2: that does not exist to my knowledge, but there's "deadline randomization":
    http://technet.microsoft.com/en-us/library/gg682067.aspx#BKMK_ComputerAgentDeviceSettings
    Torsten Meringer | http://www.mssccmfaq.de

  • Monitoring Tool for OAM 10g

    Hi all,
    I am trying to find all possible ways to monitor an OAM 10g server.. From the documentation I read about SNMP Monitoring.. So I installed the SNMP Agent in the machine where OAM is installed.. And I came to know how to enable SNMP Monitoring in OAM 10g..
    I am drafting my understanding.. please correct me if I am wrong;
    - The SNMP Agent that is installed in the OAM machine will gather the monitoring information
    - The Agent will send the information via SNMP to a master application
    If my understanding is correct, these are my questions for which I need your answers; :)
    1. Do I need to install any third party tools like Tivoli or Sun SunNet Manager to which the SNMP Agent will send the information??
    2. My task is to create a custom monitoring application for OAM 10g. Can you please suggest me the best way to do this..
    3. Is there any other way to monitor the Identity and Access Server..
    Thank you :)
    A * R

    The Identity Management Pack for Enterprise Manager provides central monitoring of most of the IAM components (including OAM) and should soon provide monitoring of all IAM components in version 11g. So if you are looking at a complete solution this is a good way to go.
    http://www.oracle.com/products/middleware/identity-management/management-monitoring.html
    http://www.oracle.com/technology/products/oem/pdf/twp_idm_mgmt.pdf
    hth
    Chris
    Edited by: chris W on Dec 10, 2009 1:38 PM

  • OIM 9.1 and OAM 10g integration document

    Hi,
    Could you please provide me any link or document for OIM 9.1.0.2 integration with OAM 10g ?
    Thanks
    Sandy

    Best Practices Document:
    http://download.oracle.com/docs/cd/E14899_01/doc.9102/e14761/oamsso.htm#sthref78
    Within OIM, once you have configured OAM to pass a header variable, it's just 2 parameters that change in the OIM xlconfig.xml file.
    -Kevin

  • Creating LDAP filter in authorization rule OAM 10G

    Hi,
    I want to set up an LDAP filter in an Authorization rule based on which I will redirect users to specific URLs. What is the syntax for writing LDAP filters in an OAM authorization policy? Any pointers to documentation will be appreciated.
    Also I want to know whether authorization always follows authentication, i.e. my redirection will be successful only after a user is authenticated in the end application based on the headers we send out after successful authentication.
    Please Help
    Thanks
    Edited by: 904630 on Dec 27, 2011 5:34 AM
    Edited by: 904630 on Dec 27, 2011 5:36 AM

    Open the Identity Server console and check the attribute's Display Name and type in the Object classes section. I recently faced a similar issue and it got fixed after providing these two values.
    Hope it works for you as well :)

  • Configuration of oim 10g and oam 10g.. and integrating oam10g with oid

    Hi..
    I am trying to configure OAM10g and OIM10g and integrate OAM10g with OID..
    Please send me the documents if anyone has them...
    Thanks & Regards,
    avinash

    For integrating OIM 10g with OAM 10g, refer doc below:
    http://docs.oracle.com/cd/E14899_01/doc.9102/e14761/oamsso.htm#sthref78
    For OAM and OID integration refer:
    http://docs.oracle.com/cd/E15217_01/index.htm
    regards,
    GP

  • OAM 10g reinstall issue

    We're having a problem reinstalling OAM 10g.
    We had an OAM 10g install with config and user data stored in OID. All the OAM components were uninstalled from a testing server, the oblix schema objects, attributes and oblix branch were deleted from OID. The ID server and webpass were reinstalled and the ID server web config step carried out, but after that the ID server will not restart because it can't find an ID. When we look at the new oblix branch in the ldap there isn't much there and specifically the DBAgents entry is missing.
    The suggestions for the error all point to it being that this isn't the first ID server to be installed in the ldap. We've uninstalled the first one and tried to remove everything from the ldap. Can anyone suggest what we may have left behind in the ldap because something is retaining a reference to the previous install.
    Thanks for any help.

    If a component installation terminates (or is terminated by you) after component files were extracted to the designated installation directory, you should run the Uninstaller for that component and then remove the installation directory before attempting to reinstall in the same location.
    If you simply delete the installation directory and attempt to reinstall the component in the same location, the vpd.properties file is left in an inconsistent state and reinstalling will not work.
    For example, suppose you terminate a WebGate installation after component files were extracted, then you remove the installation directory manually rather than using the WebGate uninstaller.
    In this case, the extracted files are deleted but the vpd.properties file is not. This leaves the vpd.properties file in an inconsistent state that prevents successful installation.
    Reinstalling Oracle Access Manager with Oracle Internet Directory
    If Oracle Access Manager will be removed and reinstalled with the same directory instance, only the Oracle Access Manager configuration tree(s) need be deleted.
    In this case, there is no need to remove the Oracle Access Manager schema from the directory instance.
    When reinstalling the Identity Server, select "No" when asked if you want to update the schema (which is already present). Selecting "Yes" results in an error message "schema already exists".
    You remove the Oracle Access Manager configuration tree from the directory server instance using tools and instructions from your directory vendor.
    For Oracle Internet Directory, for example, you may use the Oracle Internet Directory Administration Console.
    However, you cannot simply delete the parent object because there are dependencies and recursive deletes are not possible.
    Oracle recommends that you do not remove the Oracle Access Manager schema from Oracle Internet Directory using the Console.
    Instead, Oracle recommends that you use the LDIF files in Component_install_dir\identity\access\oblix\data.ldap\common. For example:
    OID_oblix_schema_index_delete.ldif: Oracle Access Manager attribute index cleanup file; drops the Oracle Access Manager indexes before or after you clean up the schema.
    OID_user_schema_delete.ldif: Oracle Access Manager user data cleanup file for Oracle Internet Directory; removes user data that resides on a separate directory instance from configuration data.
    OID_oblix_schema_delete.ldif: Oracle Access Manager configuration data cleanup file for Oracle Internet Directory; removes both user and configuration data when both reside on the same directory instance.
    When user data and configuration data reside in the same directory instance, only OID_oblix_schema_delete.ldif needs to be used, because it will also remove the user schema objects.
    However, when a separate directory instance hosts only user data, OID_user_schema_delete.ldif should be used. In either case, however, you must use OID_oblix_schema_delete.ldif to remove the attribute index.
    For steps, see Chapter 20, "Removing Oracle Access Manager".

  • Order for resources in OAM authorization policy

    Hi All
    Does the order of the resources in an OAM authorization policy matter, or can I put the resources in any order?
    Thanks

    OAM performs resource Authentication and Authorization based on the URLs. It doesn't matter in what order you put them.
    ~Yagnesh

  • URGENT: OAM 10g server and webgate certificates query

    Hi experts,
    There is an OAM 10g environment. OAM Access Server and Identity Server are installed and up and running. OAM servers are in CERT mode. So to install webgates residing on different machines from the OAM servers, can we use the same OAM Access Server certificates for the WebGate certificate while installing WebGate?
    Thanks
    IDM Team.
    Edited by: 898990 on Mar 13, 2013 1:38 PM

    Figured it out. The OAM proxy (AccessServerConfigProxy @port 5575) for 10g webgates was configured to listen in cert mode. I had to switch it to open mode. Not sure how it got switched, but got the webgate install going for now. Thanks.

  • OAM 10g - obmygroups and nested dynamic groups

    I've run into an issue with the obmygroups header action in OAM 10g, and I'm not sure whether this is by design or not.
    The obmygroups action will return static and dynamic group names of which the user is a member, and it will return static groups that contain nested static groups where the user is a member of the nested group. However, it doesn't seem to return static groups with nested dynamic groups where the user is a member of the nested dynamic group.
    Is that by design? Is there any way to nest dynamic groups so that obmygroups will return the parent group name? I'd like to have a group that contains both nested static and nested dynamic groups, and have the obmygroups action return the name of the parent group.
    Thanks,
    Matt

    Return Attribute Action in authentication or authorization rules:
    The obmygroups:<ldap_url> special attribute returns those groups to which the user belongs that also satisfy the criteria the <ldap_url> filter specifies.
    EX: "obmygroups:ldap:///cn=Groups,dc=myorg,dc=com??sub(group_type=role)" returns all the groups in the cn=Groups,dc=myorg,dc=com tree of which the logged-in user is a member and whose group_type is role.
    For more information check the OAM Access Administration Guide.
