Configuring Access Control with OIM 11gR2

Similar Messages

• Configuring ACF2 connector with OIM 11gR2

  Hi Experts,
  I am working on configuring ACF2 connector with OIM 11gr2, In an intermediatory step we need to copy VOYAGER_ID.properties file. The comment against this file is written as: Rename VOYAGER_ID with the name "Voyager server's VOYAGER_ID control file property".
  Can anybody please tell what does this actually mean?
  thanks

  Rename the copied file to match the VOYAGER_ID property. For example, if the target system has VOYAGER_ID = VOYAGE14, then the .properties file should be named VOYAGE14.properties.
  The Voyager reconciliation agent sends a unique identifier value, called VOYAGER_ID, each time a reconciliation event occurs. This value must match the name of the .properties file being used by the topsecret-adv-agent-recon.jar file for reconciliation.

• Configuring exchange connector in OIM 11gR2

  Hi Experts,
  I have to configure exchange connector with OIM 11gR2. I went through the connector guide and there they have mentioned about custom powershell script. Please let know from where I can get this script and the use of it. If any one is having sample script then please share it with me.
  Regards,
  Bhawna.

  Connetcor version is 11.1.1.6.0
  Also in doc it was mentioned to create a .bat file on OIM server to call this power shell script on connector server.

• Organization Admin control in OIM 11gR2

  Hi,
  I was trying to configure Organization Admin control in OIM 11gR2. Our requirement is to configure roles having read access of organization (members of this role can only see the members of the organization but cannot update it), roles having admin control on organization (where members of this roles can read/write/execute member access). There should be different set of roles having access on different organization where members from one role cannot access the members of the other organization. I tried to configure these security models but the only thing i could find in organization is Admin Roles which also i couldn't able to configure very well :(. Can someone point me to the correct documentation or procedure/tool which we should use to achieve such functionality (These functionalities are very easily available in OIM 10g but couldn't find in 11gR2 :( )

  If you add the members of a role to the Admin Roles of a given Organization (Specifically OrclOIMOrgViewer Admin Role). The users will be able to see the users in that organization.
  A few things to consider:
  Only xelsysadm or a users in the System Administrator Admin Role can assign users to Admin Roles within the scope of an Organization.
  Here is a piece of code that you can use to programmatically add users to the Admin Role OrclOIMOrgViewer:
  public List getScopedAdminRoleMemberships() {   // This one gets the list of all admin roles scoped by Organization
  Hashtable env = new Hashtable();
  env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL,"weblogic.jndi.WLInitialContextFactory");
  env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, "t3://<oim server host>:<oim port>");
  OIMClient oimClient = new OIMClient(env);
  try {
  oimClient.login("xelsysadm", "<XELSYSADM Password>".toCharArray());
  } catch (LoginException e) {
  throw new RuntimeException(e.getMessage(), e);
  AdminRoleService adminRoleSvc = oimClient.getService(AdminRoleService.class);
  return adminRoleSvc.getScopedAdminRoles();
  public AdminRoleMembership addAdminRoleMembershipFor(String userId, AdminRole role, String scopeId) {  // This method adds the user identified by userId (pass usr_key not usr_login) to the Admin Role in Org whose key (act_key) is
  // passed as a parameter in the scopeId.
  AdminRoleMembership membership = new AdminRoleMembership();
  membership.setAdminRole(role);
  membership.setUserId(userId);
  membership.setScopeId(scopeId);
  Hashtable env = new Hashtable();
  env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL,"weblogic.jndi.WLInitialContextFactory");
  env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, "t3://<oim server host>:<oim port>");
  OIMClient oimClient = new OIMClient(env);
  try {
  oimClient.login("xelsysadm", "<XELSYSADM Password>".toCharArray());
  } catch (LoginException e) {
  throw new RuntimeException(e.getMessage(), e);
  AdminRoleService adminRoleSvc = oimClient.getService(AdminRoleService.class);
  return adminRoleSvc.addAdminRoleMembership(membership);
  This should give you what you need. Remember, the API's work with act_key and usr_key values don't use Org Names or User Logins.
  Hope this helps.
  Regards
  Alex Lopez

• Is it possible to delete an Access Policy on OIM 11gR2?

  Hello,
  Is it possible to delete an Access Policy on OIM 11gR2?
  I have created an Access Policy and associated it with a Role.
  But now, due to changes, this Role should not trigger an Access Policy anymore.
  I haven't found a way to disassociate the Access Policy from the Role neither a way to delete the unnecessary Access Policy.
  Thanks,
  Adriano.

  Hi,
  As far as I know, deleting an access policy is not possible. One solution would be you can create a dummy role which you will never use and remove your existing role from the access policy and assign this dummy role to the policy and save it. That should stop the auto triggering.
  Thanks,
  $id

• Configure Access Control Owner screen

  Hi All,
  I am working on SAP GRC project and it's very new to me. I have one user and that user has Access control owners screen.
  This role displaying all the Central Owner in the table. When I click one role than Open button gets activated. When i click open button it's navigating to Owner assignment screen in Central Owner Administration. In here i am having two doubts,
  1. Is this possible to create duplicate screen of Owner assignment screen
  2. If possible how to configure that in Access Control Owners screen.
  Your valuable answers will be appreciated.
  Thanks in advance.
  Regards,
  Kathiresan R

  Hi Kathiresan,
  its not possible for creating duplicate entries for one user with similar owner administration in Access Control Owners tab.
  and it is possible, for one user we can able to assign multiple responsibilities.
  Once we are in to Access control Owners screen
  -> select the user id which you want assign additional responsibility like Risk Owner, MC owner and FF role owner etc.
  -->Click on open button and select multiple responsibilities and save the data.
  And make sure that user should have the required roles before assigning the responsibilities in access control owners.
  Thanks,
  Siva

• VDI Access Control with ISE

  Hi Guys,
  Can ISE do the Access Control for the VDI users with thinclients like PCs? Now we wanna to setup the 802.1x authentication for the VDI users, but i'm not sure if this can be done by ISE. Do we just need to configure the access switch ports to open 802.1x as usual and the switch then will relay the radius to ISE?

  Rodrigo,
  You are right if it is using the same IP+MAC, then I don't think the identity-based firewall feature of the ASA will work for you unless you can set the Citrix VDI to use DHCP to give a unique IP for each desktop.
  This is how it worked with vmware::
  1. Single VDI pool with a unique IP for each desktop assigned by DHCP on the same subnet.
  2. User logs in to floating desktop and Windows login server is updated with username and IP
  3. Cisco Directory Agent (CDA) gets the username/IP mapping from Windows login server.
  4. Cisco ASA is configured to allow access based on Windows AD group X.
  5. ASA gets username/IP mapping from CDA and checks AD directly for group assignment.
  6. ASA enforces access policy on the IP that is currently used by the user of group X. Users of groups Y and Z would have different policies.
  NOTE: Anyconnect is not used with identity-based firewall for Windows devices. If used for 802.1x (wired or wireless) or any other supplicant, it does allow Identity-based firewall to work with non-windows devices. If Cisco would only enhance RA VPN to work when using ISE authentication with windows domain detection or assignment, it would be a complete identity-based solution. RA VPN can work if authenticating directly with AD.

• SAP Business Objects Access control with BI4.1 and enterprise authetication

  Hi Team,
  We are on BI 4.1 with enterprise authentication. We are using IDM (oracle waveset 8) for access management. Currently we receive request from IDM and we manually configure user in BI4.1. We are now planning to automate this process, like as soon as user request place request through IDM , his access wil lget configure in BI 4.1
  can we achieve this using SAP Business Objects Access controle or with any other method ? Need your guidance
  Thanks,
  Nivedita

  Hi Andrea,
  1. you configure the BOE Server with the SAP authentication for your SAP server
  1b you configure trust between the portal server and the SAP system
  2. you import the portal iView template as part of the SAP Kit into the portal server
  3. you create a new system (or use an existing one) in the portal system landscape and configure the properties of the Crystal Enterprise properties
  4. you create a new iView based on the portal iView template
  ingo
  I have some difficulties to create a new system, I don't know witch option i should choose.
       System (from template)     
       +BI JDBC System
       BI ODBO-Compliant OLAP System
       BI SAP Query System
       BI XMLA-Compliant OLAP System
       EP 5.0 System
       HTTP System
       JDBC System
       KM Lotus System
       KM WebDAV System
       KM Windows System
       SAP system using connection string
       SAP system using dedicated application server
       SAP system with load balancing
       Web Service System using WSDL URL+
       System (from PAR)
       com.sap.km.cm.repository.manager
       com.sap.km.common.domino
       com.sap.netweaver.coll.appl.gw
       com.sap.netweaver.coll.appl.sync
       com.sap.portal.httpconnectivity.urlsystem
       com.sap.portal.ivs.sl.connector.helper
       com.sap.portal.runtime.application.soap
       com.sap.portal.systems.bi
       com.sap.portal.systems.datasource
       com.sap.portal.systems.EP5
       com.sap.portal.systems.jdbc
       com.sap.portal.systems.sap
       com.sap.portal.systems.webservices
       com.sap.portal.unification50.template
  Thanks a lot
  Selvam

• Problem handling SMTP address with OIM 11gR2 Exchange connector

  Hello,
  I have a problem in regarding the primary SMTP address with the Exchange connector. The connector doesn't seem to be able to update it. Changing a user's primary SMTP address from its account details in OIM creates a new secondary address in Exchange. It does not change the current primary SMTP address. This does not look like a normal behavior... Any ideas on how to fix this?
  I'm using OIM 11gR2 with BP10 with AD 11.1.1.5.0A and Exchange 11.1.1.5.0.
  Thanks,
  --jtellier

  Yes, you can try out few things suggested in below thread
  Re: Exchange Provisioning
  The error looks like form exchange server side but still not sure about it.
  Meantime open Service Request with oracle about the same as I can see other developers are also facing same issue.

• Access Control with Custom Groups

  I am rather new to APEX. I am trying to implement access control/authorization using custom groups (not the built-in View, Edit, and Administrator groups). I did search the discussion forums and the web in general but so far I have come up empty. I was hoping someone could point me into the right direction as to how to get started. Are there stored procedures that need to be customized/implemented? Where do I store the user groups? Can I use the built-in tables or should I create custom security group tables? Those are just some of the questions I am trying to figure out and any help would be much appreciated.
  And BTW, due to client requirements, we are currently using version 3.2. Not sure if there are any significant changes between that version and the latest version.
  Thank you all!
  Mischa

  Custom authentication is fairly easy to set up with your own tables, here is an example
  http://djmein.blogspot.com.au/2007/07/custom-authentication-authorisation.html
  This leads on to authorisation, again using your own tables. You need to look into using authorization schemes
  http://docs.oracle.com/cd/E37097_01/doc/doc.42/e35125/sec_authorization.htm#BABEDFGB
  This can simply be queries on your own group tables, which presumably would control membership by username.
  You ask the question about using built-in tables, yet don't want to the built-in administrator groups?
  Plenty of significant changes, but none that should affect you in regard to authentication/authorisation.
  Scott

• ADF Authorization for ADF Mobile:Configuring Access Control URL for ADF App

  Can someone explain, how to expose weblogic user roles as a Rest Json Api? Basically I want to set up Access Control URL to authorize users on adf mobile.

  Hi Frank,
  This is what I did. Could you please let me know if I am doing it right.
  1. Created an adf application with a simple page and applied security basic http authentication.
  2. Added a rest service implementation in the same application, changed the adf application web.xml as below
  <servlet-mapping> 
     <servlet-name>jersey</servlet-name> 
     <url-pattern>/jersey/*</url-pattern> 
    </servlet-mapping>
  3. When I test the rest service in browser, it asks to log in and returns the user roles. Below is my rest implementation
  @POST
  @Produces(MediaType.APPLICATION_JSON)
  public User getMessag3() throws Exception {
  return new User();}
  the rest service returns the logged in user roles in below json format.
  {"userid":"susant","roles":["SSBAccessGroup","authenticated-role","SSBAccessApp","anonymous-role"],"priviledges":[]}
  Do I need to implement anything on the ADF mobile side or I can just add the rest service url to the authorization tab. Will adf mobile automatically handle sending the http request.
  Actually I just added the rest service url to adfm-applications connections authorization tab and I am getting ACS failed error after log in.
  Thanks

• Create Access Policy with OIM API: can't fill child form

  Hi!
  I'm having a problem with creating OIM Access Policy with API. I'm doing the following:
  1. Create a new access policy via AccessPolicyIntf
  2. Add a resource object which will be provisioned to all users who are within policy scope
  3. Get Resource Object (Parent) Form Definition via FormDefinitionIntf
  4. Add data to parent form (AccessPolicyIntf setFormData(FormDefinitionKey))
  5. Now I want to add data to the child form, for that purpose I need to know child form definition key, but I can' get one, because there's no method like 'getChildFormDefinitionKey' in FormDefinitionIntf interface.
  Please, help me to get child form definition key, knowing parent form definition key and version

  See if this code helps:
  public String addChildTableValue(long userKey, String group, String objectName, String fieldName tcDataProvider ioDatabase) {
  log.debug("addChildTableValue() Parameter Variables passed are:" +
  "userKey=[" + userKey + "]" +
  "group=[" + group + "]" +
  "fieldName=[" + fieldName + "]" +
  "objectName=[" + objectName + "]");
  try{
  tcUserOperationsIntf userIntf = (tcUserOperationsIntf)tcUtilityFactory.getUtility(ioDatabase, "Thor.API.Operations.tcUserOperationsIntf");
  tcFormInstanceOperationsIntf formIntf = (tcFormInstanceOperationsIntf)tcUtilityFactory.getUtility(ioDatabase, "Thor.API.Operations.tcFormInstanceOperationsIntf");
  boolean roleExists = false;
  //Result set of all Object for user
  tcResultSet obResultSet = userIntf.getObjects(userKey);
  if (obResultSet.isEmpty()){
  log.error("User has no provisioned objects");
  return "NO_OBJECTS_EXIST";
  }else{
  for (int ii=0; ii&lt;obResultSet.getRowCount(); ii++){
  obResultSet.goToRow(ii);
  if ((obResultSet.getStringValue("Objects.Name").equals(objectName)) &&
  (!(obResultSet.getStringValue("Objects.Object Status.Status").equals("Revoked")) &&
  !(obResultSet.getStringValue("Objects.Object Status.Status").equals("Provisioning")))){
  log.debug("Resource object found: " + objectName);
  //Process Instance Key of the object
  long plProcessInstanceKey = obResultSet.getLongValue("Process Instance.Key");
  log.debug("Process instance key: " + plProcessInstanceKey);
  //Process Key for the parent for
  long plParentFormDefinitionKey = obResultSet.getLongValue("Process.Process Definition.Process Form Key");
  log.debug("Parent form definition key: " + plParentFormDefinitionKey);
  //Form version of the parent form
  int pnParentFormVersion = formIntf.getProcessFormVersion(plProcessInstanceKey);
  log.debug("Parent form version: " + pnParentFormVersion);
  //Result set of Child Form information
  tcResultSet childFormResultSet = formIntf.getChildFormDefinition(plParentFormDefinitionKey, pnParentFormVersion);
  //Child form definition key
  long plChildFormDefinitionKey = childFormResultSet.getLongValue("Structure Utility.Child Tables.Child Key");
  String plChildTableName = childFormResultSet.getStringValue("Structure Utility.Table Name");
  log.debug("Child form definition key: " + plChildFormDefinitionKey);
  log.debug("Child table name: " + plChildTableName);
  tcResultSet childFormData = formIntf.getProcessFormChildData(plChildFormDefinitionKey, plProcessInstanceKey);
  if (!(childFormData.isEmpty())){
  log.debug("Searching child table current values");
  for (int iii=0; iii&lt;childFormData.getRowCount();iii++){
  childFormData.goToRow(iii);
  String fieldValue = childFormData.getStringValue(fieldName);
  log.debug("Child table entry: " + iii + " | value: " + fieldValue);
  if (fieldValue.equals(group)){
  roleExists = true;
  log.debug("Value already exists in child table");
  return "DUPLICATE_VALUE";
  log.debug("Value not found in child table");
  if (!roleExists){
  Hashtable childFormHash = new Hashtable();
  childFormHash.put(fieldName, group);
  formIntf.addProcessFormChildData(plChildFormDefinitionKey, plProcessInstanceKey, childFormHash);
  log.debug("Value successfully added to table");
  return "VALUE_ADDED";
  log.debug("Provisioned resource " + objectName + " object not found");
  return "OBJECT_NOT_FOUND";
  catch(Exception ex){
  ex.printStackTrace();
  return "ERROR";

• Access control with JSP

  We have been working with a design company to design our website HTML. However, a portion of these HTML files need to be password protected, all of these files are stored in one particular folder called "/tools". The problem here is that these files should only be accessible if the user has logged into the site, and the design firm has given all of these files an .html extension, which means that they will not be able to run embedded JSP code.
  From what I understand, if I want to create access control in these .html files I will need to rename them all to .jsp and then update all the links to these files to use the .jsp extension. But the design firm is telling me that their other clients never needed to do this and were able to use JSP to control access to the folder itself. They said that it is possible using JSP to prevent access to a particular folder on the webserver, and that anybody without a valid login or session who tries to access the files in the folder can be redirected to the login page. All of this can be achieved without having to insert JSP code into the password-protected HTML files and renaming them with a .jsp extension. Is this true? We want to avoid doing this because there are a lot of HTML files and links that will need to be changed if we rename the files to .jsp.
  I'm still a relative beginner with JSP and have never heard of any functionality which allows JSP to stop a browser from accessing a particular folder on the server. Am I missing something here? Is there really a better way of doing this without using JSP code?
  I have thought about putting the folder in an offline location and then using a controller JSP/servlet to check the user's login status and then read & display the HTML file from the offline folder. But I am not sure if this is really an efficient way of doing this.
  Any suggestions?
  Thanks,
  Phil

  You can set up a servlet filter in the web.xml. That lets you intercept every single request to certain areas of the app, and modify/redirect it if necessary.
  Example: This sets up a filter that runs on all requests to the "/tools" directory:
  In web.xml:
     <filter>
       <filter-name>testFilter</filter-name>
       <filter-class>com.TestFilter</filter-class>
     </filter>
     <filter-mapping>
       <filter-name>testFilter</filter-name>
       <url-pattern>/tools/*</url-pattern>
     </filter-mapping>And an example java class of a filter. This one just logs the request URI.
  package com;
  import java.io.IOException;
  import javax.servlet.Filter;
  import javax.servlet.FilterChain;
  import javax.servlet.FilterConfig;
  import javax.servlet.ServletException;
  import javax.servlet.ServletRequest;
  import javax.servlet.ServletResponse;
  import javax.servlet.http.HttpServletRequest;
  public class TestFilter implements Filter{
       public void init(FilterConfig arg0) throws ServletException {}
       public void destroy() {}
       public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
            if (request instanceof HttpServletRequest){
                 HttpServletRequest req = (HttpServletRequest)request;
                 System.out.println("Servicing request for " + req.getRequestURI());
                 chain.doFilter(request, response);
  }

• Cross-enterprise integration of SAP GRC Access Control with PeopleSoft

  Friends,
  Does anybody has/have/had the owner to implement Cross-enterprise integration of SAP GRC Access Controls 5.2 with PeopleSoft ?
  If yes, what are the key points and approach one should keep in mind while going for this kind of cross-enterprise implementation.
  Is there any reference material, blog, wiki or such informative resource regarding cross enterprise GRC implementation available on the web?
  I tried to search, but could not get good results.
  Any help would be highly appreciated.
  Best Regards,
  Amol Bharti

  Amol-
  From my experience:
  CC 5.2 with Peoplesoft: as long as you have the RTA's installed in the Peoplesoft system and create the connectors in CC, you are good to go.
  AE 5.2 with Peoplesoft: cannot provision to Peoplesoft, however you can connect with Peoplesoft HR for Password Self-Service.  You have the capability to provision to SAP HR.
  FF 5.2 with Peoplesoft: N/A
  RE 5.2 with Peoplesoft: N/A
  I am not sure if there are any standalone docs out there for AC integration with Peoplesoft.  And the 5.2 manuals have sparse information on integration.  However, the AC 5.3 manuals have more detailed info on the integration piece with various other non-SAP systems.
  Sorry, I couldn't share more info, as that is all I know for now...
  Ankur
  GRC Consultant

• War file and access control with WebLogic

  I am trying to put some access control on different files in my war-file, but just can't get it to work... It seems like all roles defined in weblogic.properties gives the user access to all files in the war. I just don't understand the connections between the security realm, the weblogicURL.policy file and the web.xml file... If I do not specify a weblogic.security.URLAclFile, no access control is done at all.
  This is how my weblogic.properties file looks like:
  weblogic.security.URLAclFile=e:\\weblogic\\weblogicURL.policy
  weblogic.password.koko=kokokoko
  weblogic.password.arnebelinda=arne1234
  weblogic.security.group.ppuseradmins=arnebelinda
  and my weblogicURL.policy:
  deny Principal weblogic.security.acl.GroupImpl "everyone" {
  Permission weblogic.security.acl.URLAcl "weblogic.url", "/admin/-";
  and finally, my web.xml-file:
  <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
  "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
  <web-app>
       <session-config>
            <session-timeout>30</session-timeout>
       </session-config>
       <welcome-file-list>
            <welcome-file>index.jsp</welcome-file>
       </welcome-file-list>
       <security-constraint>
            <web-resource-collection>
                 <web-resource-name>admin</web-resource-name>
                 <url-pattern>index.jsp</url-pattern>          </web-resource-collection>
            <auth-constraint>
                 <role-name>ppuseradmins</role-name>
            </auth-constraint>
       </security-constraint>
       <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>WebLogic Server</realm-name>
       </login-config>
       <security-role>
            <role-name>ppuseradmins</role-name>
       </security-role>
  </web-app>
  it does not matter which user is part of the ppuseradmins group. The user koko is not a member, but is given access to my whole .war anyway (after submitting correct username/password). Omitting the <realm-name> does not seem to work either; the default realm is not used, instead null is used.
  Does anybody have a clue? I would really appreciate it!
  I am using WebLogic 5.1 sp 9
  best regards,
  PJ

  In you pocily file entry, you have specified "/admin/-"
  However, in the <security-constraint> element in web.xml, your <url-pattern> is not set to /admin
  Could that be the problem ?