Creating LDAP filter in authorization rule OAM 10G

Hi,
I want to set up an LDAP filter in an Authorization rule, based on which I will redirect users to specific URLs. What is the syntax for writing LDAP filters in an OAM authorization policy? Any pointers to documentation will be appreciated.
Also I want to know whether authorization always follows authentication, i.e. my redirection will be successful only after a user is authenticated in the end application based on the headers we send out after successful authentication.
Please Help
Thanks
Edited by: 904630 on Dec 27, 2011 5:34 AM
Edited by: 904630 on Dec 27, 2011 5:36 AM

Open the Identity Server console and check the attribute's Display Name and type in the Object Classes section. I recently faced a similar issue and it got fixed after providing these two values.
Hope it works for you as well :)

Similar Messages

  • How to create LDAP filter-based rule to check Group membership in OAM

    Hi folks,
    I'm having a hard time creating an authorization rule to verify LDAP group membership. I've followed the "Configure User Authorization" article from the Oracle website (http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32420/v2authz.htm#BABHBFEJI) and created an Authorization scheme with ldap_attribute_name as User Parameter and ruleExpression as Required Parameter. Then, inside my policy I created an Authorization Rule based on my Authz scheme with an Allow Access attribute filter-based rule which looks like this:
    ldap://ldap_server:port/ou=People,o=Company,c=US??sub?(ldap_attribute_name=ldap_attribute_value)
    This works fine.
    Now, I've added another filter-based rule under the same Authz Rule/Allow Access:
    ldap://ldap_server:port/ou=Groups,o=Company,c=US?uniqueMember?sub?(&(objectClass=groupOfUniqueNames)(cn=ldap_group_name))
    While the query looks somewhat correct and works as a command-line argument (in slightly modified format), it does not work in OAM (meaning people without the required group membership can still log in).
    Can someone steer me in the right direction as to what I need to do:
    1. Change/fix the ldap query
    2. Create new Authz scheme with uniqueMember userParameter; create new Authz rule based on new authz scheme; create new Allow Access filter rule with the ldap query I have
    3. Do something else
    Any help is greatly appreciated.
    Thank you, Roman

    You can create two authorization rules:
    first for the user with the attribute,
    and second for the group,
    and then in the authorization expression you can have an AND of these two.
    Regarding your query...
    First: if your requirement is to give access to all the members of a particular group, then you don't require any LDAP filters.
    All you have to do is, in the authorization rule -> Allow Access -> Select People (here you have to select a group, so click on the Group tab; it's a little hard to see, but it's there in light blue on the dark blue tab) -> select the group you want to give access to.
    Second: if your requirement is such that you want to give access to a member of a group which has a certain attribute, let's say a group with status active (in this case you are not aware of the name of the group, because the user can be a member of any group, but you want to give access only to the group with the specific attribute), then you have to write a custom authorization plugin.
    If it is the second option, let me know; I can give you a solution which will work for a single domain without the effort of developing a major plugin.
    Hope this helps,
    Sagar

  • ACS 5.3 cannot create default network access authorization rule

    Hi, when I click 'Create...' under Access Policies > Default Network Access > Authorization, and then press the 'OK' button, it says 'Please configure at least 1 condition.' However I have no way to configure conditions as the 'Conditions' text is just bold text and not a link or any sort of configurable area. If I go to 'Customize' on the bottom right and add conditions to the right list box, I still have no options when I press Create. Also, the 'green light' next to Default Network Access is grey with a line through it. This is the most cryptic system I have ever used.. anyone have an idea? Thank you!

    Looks like you are using Chrome, and it's not a supported browser.
    Supported Web Client/Browsers
    You can access ACS 5.3 administrative user interface using the following Web Client/Browsers:
    • Windows 7 32 bit
    • Windows XP Professional (Service Pack 2 and 3)
    • Windows Vista
    • Internet Explorer version 7.x
    • Internet Explorer version 8.x
    • Internet Explorer version 9.x
    • Mozilla Firefox version 3.x
    • Mozilla Firefox version 4.x
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html#wp222016
    Jatin Katyal
    - Do rate helpful posts -

  • Monitoring Tool for OAM 10g

    Hi all,
    I am trying to find all possible ways to monitor an OAM 10g server. From the documentation I read about SNMP monitoring, so I installed the SNMP Agent on the machine where OAM is installed, and I came to know how to enable SNMP monitoring in OAM 10g.
    I am drafting my understanding; please correct me if I am wrong:
    - The SNMP Agent that is installed on the OAM machine will gather the monitoring information
    - The Agent will send the information via SNMP to a master application
    If my understanding is correct, these are my questions for which I need your answers :)
    1. Do I need to install any third-party tools like Tivoli or Sun SunNet Manager to which the SNMP Agent will send the information?
    2. My task is to create a custom monitoring application for OAM 10g. Can you please suggest the best way to do this?
    3. Is there any other way to monitor the Identity and Access Server?
    Thank you :)
    A * R

    The Identity Management Pack for Enterprise Manager provides central monitoring of most of the IAM components (including OAM) and should soon provide monitoring of all IAM components in version 11g. So if you are looking for a complete solution, this is a good way to go.
    http://www.oracle.com/products/middleware/identity-management/management-monitoring.html
    http://www.oracle.com/technology/products/oem/pdf/twp_idm_mgmt.pdf
    hth
    Chris
    Edited by: chris W on Dec 10, 2009 1:38 PM

  • OAM 10g Authorization ldap query

    Hi all
    Please let me know if we can write an LDAP query in Authorization -> Deny Access to deny the users who are not a member of user group 'X'.
    If yes, please give me a sample. Please help.
    Thanks

    Hi,
    Does the solution offered by Sagar (from the above link):
    "If your requirement is to give access to all the members of a particular group then you don't require any ldap filters
    All you have to do is in the authorization rule -> Allow access -> Select People (here you have to select group so click on the group tab, its little hard to see but its there in light blue color on dark blue tab) -> select the group you want to give access"
    (which also applies to Denying access to groups) meet your needs?
    Regards,
    Colin
    Edited by: ColinPurdon on Jun 27, 2011 9:20 AM

  • Pop up warning when creating policy domain in OAM 10g

    Has anyone seen below pop up warning when creating a policy domain in OAM 10g Policy manager?
    Warning:
    This policy domain controls the access to the URI you are currently accessing
    /access/oblix/apps/policyservcenter/bin/policyservcenter.cgi
    Are you sure you want to commit these changes?

    Hi,
    Does Note 842378.1 look like a match for you? Maybe the obcompounddata attribute is missing for some odd reason.
    Regards,
    Colin

  • OAM : Multi-valued attribute in Authorization Rule Actions

    Our application is protected by an Oracle Access Manager deployment, where the identity user base is held in an Oracle Internet Directory.
    In the OID, for every user entry, we have a multi-valued attribute (say, 'roleattr') which contains the roles recognized in our application. Once the user is authenticated by the Access Server, we need the roles associated with him to be fetched and returned in the page header (similar to uid).
    Hence, our question is: in PolicyManager, by setting Authorization Rule > Actions, is it possible to retrieve this (multi-valued) attribute and populate it into the page header, so that our application can retrieve it?

    Sure, you'll get a colon-delimited list of the multiple values in your header!
    -Vinod

  • Authorization Rules.

    Hi,
    I am in the process of setting up OAM/OID to provide secure access to a website.
    Part of the website is public and part of the website is secure.
    For the secure part I want to limit access to a particular group of users who belong to, e.g., secureGroup, which has been created through the Group Manager function of Identity Administration.
    I have created a Policy Domain for the protected part. I have also created an Authorisation Rule for the allowed users to grant them access. My understanding is that I need to create an LDAP rule to provide access to the group in question.
    What is the format of the rule? The documentation goes a bit light on the format of the rule. I am just not sure how to say: is the current user a member of secureGroup...
    Any help or pointers would be useful.

    You're on the right track, however, the LDAP filter definition will not help you with a group based authorization decision (as a 'group' object never logs into the system).
    Hit the 'select user' button which opens the OAM selector app. Look closely in the top right hand corner of the UI for blue links on the blue background - one for Employees, one for Groups. Select Groups and then search for and select your group object. Save the rule.
    You can make the UI better by defining tab images for the person and group objectclasses - then those links are much more obvious.
    Mark

  • OAM 10g - obmygroups and nested dynamic groups

    I've run into an issue with the obmygroups header action in OAM 10g, and I'm not sure whether this is by design or not.
    The obmygroups action will return static and dynamic group names of which the user is a member, and it will return static groups that contain nested static groups where the user is a member of the nested group. However, it doesn't seem to return static groups with nested dynamic groups where the user is a member of the nested dynamic group.
    Is that by design? Is there any way to nest dynamic groups so that obmygroups will return the parent group name? I'd like to have a group that contains both nested static and nested dynamic groups, and have the obmygroups action return the name of the parent group.
    Thanks,
    Matt

    Return Attribute Action in authentication or authorization rules:
    The obmygroups:<ldap_url> special attribute returns those groups to which the user belongs that also satisfy the criteria the <ldap_url> filter specifies.
    Example: "obmygroups:ldap:///cn=Groups,dc=myorg,dc=com??sub?(group_type=role)" returns all the groups in the cn=Groups,dc=myorg,dc=com tree of which the logged-in user is a member and whose group_type is role.
    For more information, check the OAM Access Administration Guide.

  • OAM 10g policy evaluation issue

    I have the policy with following authorization expression: Rule A|Rule B.
    Rule A:
    allowed: all users with o=Org A
    denied: any user
    allow takes precedence: true
    Rule B:
    allowed: all users with o=Org B
    denied: any user
    allow takes precedence: true
    I want the policy to grant access to any user in either of the organizations. It does not work for users with o=Org B. Instead the access tester shows that Rule A was in effect and authorization is inconclusive. The only way I can make it work is by removing the denial conditions completely, i.e. denied = no one is denied. It does not make sense to me; each rule actually works if not combined with another one.
    Does anybody know whether it is a bug?
    Thanks,
    Alex

    Hi Alex,
    The important thing to remember is that for OR conditions, OAM will stop processing the expression as soon as the user is explicitly referenced (for either Allow or Deny) in a rule, as evaluated from left to right. So if you have an expression:
    RuleA OR RuleB OR RuleC
    and the logged in user is not mentioned in ruleA, but is Allowed in RuleB, then OAM will not process RuleC.
    (With AND conditions, OAM needs to know all of the results, so in the case of an expression:
    RuleX AND RuleY AND RuleZ
    if the user satisfies RuleX, then OAM still needs to process RuleY and RuleZ in order to determine if the user meets the requirements of the expression.)
    In the majority of cases, the way OAM works does boil down to the same as Boolean logic. If, for example, the OR expression above tested that a user is in either GroupA, or GroupB, or GroupC and the user is in GroupA, the only effect of the way that OAM works is that it does not unnecessarily work out if the user is in GroupB or GroupC.
    The two areas which I can see as potentially causing confusion are:
    - when you have an Allow Anyone or Deny Anyone in a rule. In this case, clearly every user is explicitly mentioned in a rule, and processing will stop at this rule as far as OR operations are concerned (as in the example you originally gave).
    - when you want different actions to be performed depending on which rule is applied (so if a user is a member of both GroupA and GroupC, you may have different sets of header variables that need to be applied).
    But generally, if these are not factors, I would expect the behaviour for more complex relations (such as your "(Rule 1 OR Rule 2) AND (Rule 3 OR Rule 4)" expression) to be the same as for Boolean operations. In this case, if a user satisfies Rule 1, then it will still evaluate AND (Rule 3 OR Rule 4), but not Rule 2.
    If the above factors really do cause OAM to evaluate undesirable results for you, would it be possible to move the complexity to group membership? For example you could define group membership to be the result of a complex ldap filter, and then define a simple rule (and expression) and associated actions which allows access based on this group.
    Regards,
    Colin
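    The evaluation order Colin describes is easy to get wrong when reading a policy, so here is an added model of it (written for this page, not Access Server code): OR walks the rules left to right and stops at the first rule that explicitly references the user, whether it allows or denies; AND evaluates every rule. The users, the `org(...)` selector and the Org A / Org B policy are constructed to reproduce the question, and the trace of rules evaluated stands in for what the access tester reports as the rule "in effect".

```python
"""Model of how an OAM 10g authorization expression is evaluated, following
the reply above: in an OR expression rules are walked left to right and
evaluation stops at the first rule that explicitly references the user
(Allow or Deny); in an AND expression every rule is evaluated.

Added example for this thread, not Access Server code. Users, rules and the
"Org A / Org B" policy are constructed to reproduce the question.
"""
from dataclasses import dataclass
from typing import Callable, Dict

User = Dict[str, str]          # a user is modelled as its LDAP attributes


def anyone(user: User) -> bool:      # the "Allow Anyone" / "Deny Anyone" selection
    return True


def no_one(user: User) -> bool:      # nothing selected in the Allow/Deny panel
    return False


def org(name: str) -> Callable[[User], bool]:
    """Selection of 'all users with o=<name>'."""
    return lambda user: user.get("o") == name


@dataclass
class Rule:
    name: str
    allow: Callable[[User], bool] = no_one
    deny: Callable[[User], bool] = no_one
    allow_takes_precedence: bool = True

    def evaluate(self, user: User):
        """'allow', 'deny', or None when this rule does not reference the user."""
        allowed, denied = self.allow(user), self.deny(user)
        if allowed and denied:
            return "allow" if self.allow_takes_precedence else "deny"
        if allowed:
            return "allow"
        if denied:
            return "deny"
        return None


def evaluate(expr, user: User, trace=None):
    """expr is a Rule, ("or", [parts]) or ("and", [parts]).
    Returns (verdict, trace); trace lists the rules actually evaluated,
    which is what the access tester reports as the rule in effect."""
    if trace is None:
        trace = []
    if isinstance(expr, Rule):
        trace.append(expr.name)
        return expr.evaluate(user), trace
    op, parts = expr
    if op == "or":
        for part in parts:
            verdict, _ = evaluate(part, user, trace)
            if verdict is not None:     # user explicitly referenced: stop here
                return verdict, trace
        return None, trace              # no rule mentioned the user: inconclusive
    if op == "and":
        verdicts = [evaluate(part, user, trace)[0] for part in parts]  # all parts run
        if "deny" in verdicts:
            return "deny", trace
        if None in verdicts:
            return None, trace
        return "allow", trace
    raise ValueError("unknown operator %r" % op)


def alex_policy(deny_anyone: bool):
    """Rule A | Rule B from the question, with or without 'denied: any user'."""
    deny = anyone if deny_anyone else no_one
    return ("or", [Rule("Rule A", allow=org("Org A"), deny=deny),
                   Rule("Rule B", allow=org("Org B"), deny=deny)])


ORG_A_USER: User = {"uid": "alice", "o": "Org A"}   # constructed
ORG_B_USER: User = {"uid": "bob", "o": "Org B"}     # constructed

if __name__ == "__main__":
    print("Org B, deny anyone:", evaluate(alex_policy(True), ORG_B_USER))
    print("Org B, no deny:    ", evaluate(alex_policy(False), ORG_B_USER))
    print("Org A, deny anyone:", evaluate(alex_policy(True), ORG_A_USER))
    # The nested "(Rule 1 OR Rule 2) AND (Rule 3 OR Rule 4)" case from the reply
    nested = ("and", [("or", [Rule("Rule 1", allow=org("Org A")),
                              Rule("Rule 2", allow=org("Org B"))]),
                      ("or", [Rule("Rule 3", allow=anyone),
                              Rule("Rule 4", allow=org("Org A"))])])
    print("nested, Org A user:", evaluate(nested, ORG_A_USER))
```

    With "denied: any user" in Rule A, an Org B user is explicitly referenced (denied) by Rule A, so the OR stops there and Rule B is never reached; dropping the deny lets Rule A return no verdict and Rule B allows, which is the behaviour the question reports. The nested case evaluates Rule 1, skips Rule 2, and still evaluates the second OR group because AND needs every operand.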

  • Best Approach to create LDAP structure in OID

    We are currently in the process of creating the LDAP schema and structure in OID 11g. This schema and structure in OID will then be used by Oracle products such as OIM, OES, OAM and others to perform user authentication, coarse-grained authorization, fine-grained authorization, attribute mappings, etc.
    I wanted to know if there is any Best Practices approach/guidelines we can use to define this schema and structure now so we don't encounter any obstacles and limitations while using OIM, OAM and OES.
    Will appreciate quick response.
    Thanks!

    I understand that the LDAP structure design depends on the business goals and requirements, and we are definitely building the schema along those lines. But the thing we want to make sure of is how flexible products like OIM, OAM and OES are in providing user authentication (if the user is deep down in the tree), authorization (if the user needs to be authorized to services having attributes deep down in the tree), and mapping complex relationships and permissions in conjunction with OID.
    I think the other way of asking this question would be: what should we take into consideration while designing the LDAP structure in OID as the backend LDAP store, and what should we leave out while designing the LDAP structure in OID that could instead be considered while designing the authentication and authorization process in OIM, OAM and OES?
    Our goal is to keep the LDAP structure simple and flexible but at the same time use OAM, OES and OIM to their best capabilities to serve our purpose without a lot of customization required.
    Thanks!

  • OAM 10g attribute is not visible in object class in Identity System console

    Hi All,
    This is about OAM 10g environment with OID used as user/config/policy store. There are one custom user object class and custom attributes defined in Identity System console already. Now there is a requirement to add another custom attribute to that already existing custom user object class.
    I have created the attribute in schema through ldap command and I am able to see it in LDAP browser as well. However even after restarting OAM identity server and webpass services, the attribute is not visible in Identity System console -> Common Configuration -> Objectclasses -> Custom object class.
    Appreciate any help. Please treat this as urgent.
    Thanks
    Mahendra.

    The solution is to add the attributes in OVD schema as OVD is the user store.

  • OAM 10g Reset Password Issue in Password Policy Management

    Hi,
    We are using OAM 10g and we have configured a password policy for our application, selecting the "Change on Reset" check box.
    We have created a new user in the Create User identity tab, and when we log in with the new user for the first time, it is not redirecting to the reset password page.
    Can someone shed light on this issue?
    Thanks,
    Ganesh

    Hi Colin,
    As you said, we have configured obpasswordchangeflag in the Create User workflow by setting the default value to true.
    We have created a new user in the Create User tab and checked in the LDAP browser; it is showing obpasswordchangeflag=true in the newly created user's profile.
    Now, when we are trying to log in with the new user, it is still not redirecting to the Reset Password page.
    Please find below the URL which we have configured in the Password Policy Change Redirect URL:
    /identity/oblix/apps/lost_pwd_mgmt/bin/lost_pwd_mgmt.cgi?program=redirectforchangepwd&login=%loginid%%userid%&backURL=%HostTarget%%RESOURCE%&STLogin=%applySTLogin%&target=top&style=style1
    Can you please help me on this issue?
    Thanks,
    Ganesh

  • How do I create a filter that bypasses the in page and goes directly to spam rather than to delete?

    How do I create a filter that bypasses the in page and goes directly to spam rather than to delete?

    From your question I'm going to guess you are talking about Mac Mail.
    If you are talking about a RULE then the "Perform the following actions:" would be to select "Move Message" to mailbox "Junk" instead of "Delete Message."
    If you are talking about something else then please give more information.

  • Help needed to create a filter

    Experts,
    I would like to create a filter to return data corresponding to the last month of the year, or the month for which the latest data is available. For example, if the end user selects 2012 from the year prompt (we have a PV associated with it), then it has to show Aug 2012 (data till Aug '12 is available in the DB). On the other hand, if he/she selects 2011, 2010 or prior, then it has to return the Dec month data of the respective year.
    The filter needs to be created on the PERIOD.MONTH attribute, which has values like this: Jan 2010, Feb 2010 ... Jul 2012, Aug 2012
    I am using obiee 10g
    Any help is appreciated
    Edited by: sarvan on Sep 22, 2012 7:17 PM

    Thanks for the response, but it didn't work as expected. I have provided the other Time dimension attributes in my DB.
    Period      Year   Month ID
    Oct 2010    2010   10
    Nov 2010    2010   11
    Dec 2010    2010   12
    Jan 2011    2011   01
    Feb 2011    2011   02
    Nov 2011    2011   11
    Dec 2011    2011   12
    Jan 2012    2012   01
    Jul 2012    2012   07
    Aug 2012    2012   08
    I need to write a filter expression that will return the latest/last period (Column 1) for that year. In my example,
    For 2010 -> Dec 2010
    2011 -> Dec 2011
    2012 -> Aug 2012
    I hope with the max(month ID) for that year we can retrieve it, but I am not finding the right direction
    Edited by: sarvan on Sep 22, 2012 7:31 PM
