CSA - External Access Policy

Greetings!
Guys, I need some help. One of our customers bought the CSA solution in order to protect and narrow Internet access when an employee is out of the office.
Here is the scenario: if an employee takes one of the company's laptops to his house/hotel/etc. and tries to access any Internet-based service (HTTP, HTTPS, P2P, FTP, Torrent, etc.), it is MANDATORY that this person establish a VPN connection; this way all content will be processed by the company's proxy and firewall (there is no split-tunnel policy). Otherwise, all TCP/UDP streams should be BLOCKED.
I'm using the Roaming - Force VPN (action: Query the User; when: MC unreachable & Ethernet Active; and not when: MC is reachable) and the Cisco VPN Client Rule Modules; there is no Temporary Allow Web Browser rule enabled. But I need some help with the parameters. What happens is that if the user answers yes (allow) to the Query message and does not have a VPN connection, he still manages to access the Internet, and that's not acceptable.
I need to BLOCK ALL UDP/TCP streams at first, ask the user if the VPN is established, check the status of the VPN connection and then, if the tunnel is UP, allow access; else block everything until the VPN is established.
Can you guys help me?
Thanks in advance!
Regards, Daniel Yamashita
PS: I'm using CSA MC v5.2.0.263 hot fix (fcs-csamc-hotfix-5.2.0.263-w2k3-k9.zip)

Greetings "followurself",
Sorry for taking this long to answer, but yes, I've managed to deploy the CSA as our customer wanted.
I've decided to create my own Rule and Policy Modules. I'm not sure if this is what you need, but here is a simple sketch:
CSA-External Access Policies
[Rule Modules >> Windows Rule Modules]
-Name: External_Access
-Operating System: All Windows
-State Conditions: Apply this rule module only if the following state conditions are met
-> When: Ethernet Active and Management Center Not Reachable
-> Not when: Management Center Reachable
[Rules]
(1) Terminate All
*Type: Network Access Control
*Action: Priority Terminate Process (take precedence)
*When ...: Active FTP Client Applications, Active HTTP Client Applications, Active TCP Client Applications, Active UDP Client Applications, Active UDP Server Applications, Active TCP Server Applications, Instant Messenger Applications
*But not in ...: Cisco VPN Client, Web Browser Applications
*Attempt to act as a client or server for network services: $Ephemeral Port Ranges, $TCP, $TCP Ephemeral server ports, $UDP, $UDP Ephemeral server ports
*Communicating with host addresses: $All_But_Private_Local >> Matching: but not: 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, 192.168.0.0-255.255, @(local)
*Using these local interfaces:
(2) Priority_Deny-Everything but http,https to local and VPN Peer
*Type: Network Access Control
*Action: Priority Deny (take precedence)
*When ...: Active TCP Client Applications, Active UDP Client Applications
*But not in ...: Cisco VPN Client
*Attempt to act as a client for network services: $FTP Control Channel, $HTTP, $Instant Messenger Protocols, $UDP Ephemeral server ports, $TCP Ephemeral server ports, $FTP Client Data Channel, $Email, $DNS, $ALT-HTTP
*Communicating with host addresses: $All_But_Private_Local
*Using these local interfaces:
(3) Allow Web Browser only to Private Range
*Type: Network Access Control
*Action: Priority Allow (take precedence)
*When ...: Web Browser Timed (custom class, $Web Browser Clients with Remove process from application class after 30 seconds)
*But not in the following class:
*Attempt to act as a client for network services: $DNS, $HTTP, $ALT-HTTP
*Communicating with host addresses: $Only Private Local and VPN Peer IP Addresses >> Matching: 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, 192.168.0.0-255.255, @(local)
*Using these local interfaces:
(4) Warning Message: VPN in NOW
*Type: Network Access Control
*Action: Query User (take precedence) | Query Settings: Establish VPN Connection (Allowed actions = Default Action = Logged = Allow)
*When ...:
*But not in the following class: Cisco VPN Client, MS Logon Setup Applications, MS winlogon
*Attempt to act as a client or server for network services: $TCP Ephemeral server ports, $TCP, $UDP, $UDP Ephemeral server ports
*Communicating with host addresses: $All but 127.0.0.1 >> Matching: but not: 127.0.0.1 && @(local)
*Using these local interfaces:
The generated kit contains the following groups: Desktop_All_Typed_Edited (Base Permission + Agent UI Control Disabled + Virus Scanner Module) + External Access.
As you can see, the trigger for these rules is Ethernet Active together with whether the MC server is reachable or not. The only way the pop-up message can appear is when the MC is unreachable.
I might've mapped a little too much, but it worked great! Let me know if this is what you need. Remember that you should worry more about what to deny than what to allow, OK?
If there is anything else, don't hesitate to ask.
Regards, Dan

Similar Messages

  • ACS 5.3 Authorization problem with using Identity Groups in Access Policy Rule

    Hello guys, I have found a problem which I can't solve regarding authorization using Identity Groups in an Access Policy rule.
    ACS version: 5.3.0.40.6 (internal build B.839)
    I have a very simple RADIUS Authorization rule which authorizes a user on the basis of the right Identity Group.
    The requested Identity Group exists.
    The testing user is created in Internal Users and has the requested Identity Group assigned.
    Radius Access Policy:
    Authentication against an Identity Store Sequence, where the authorization server is an external RSA SecurID device and additional attribute retrieval is configured from Internal Users.
    Authorization is very simple: one rule with only one condition, which is: Identity Group - in - Requested_Testing_Rule. Then the Default rule is set to Deny.
    When I try to log in with my testing user, authentication against RSA SecurID is OK, but authorization is denied by the Default rule; it looks like my rule with Identity Group is totally omitted.
    I am managing several other ACS servers (version 5.3 but with older patches) where similar rules are working without problem.
    What I have tested:
    Remove the testing user and create his account again.
    Rename the Identity Group.
    Use another Identity Group.
    Remove the Access Policy rule and create it again.
    Use Compound Condition: System:Identity Group.
    Use Compound Condition: System:UserID instead of Identity Group in the Rule (it is working without problem).
    Do you have any idea where the problem can be?

    OK guys, it started working yesterday without any configuration change. Maybe it was some database inconsistency which was solved by ACS itself.

  • Configure security realm for external Access Manager in App server 8.1

    Hi All,
    I would like to protect my j2ee application using access manager running on an external host.
    I would like to configure the security realm in Sun app Server 8.1 for the external Access Manager
    external host & port of AM is:
    http://svrd234d.dnn.com.au:58765
    Please verify if these are the correct settings for the agentRealm configuration on Sun App server 8.1.
    classname="com.sun.amagent.as.realm.AgentRealm"
    property name="jaas-context" value="agentRealm"
    property name="base-dn" value="ou=People,dc=dnn,dc=com,dc=au"
    property name="hostURL " value="http://svrd234d.dnn.com.au:58765"

    Did you download the AS8.1 agent from http://www.sun.com/download/products.xml?id=4266924d?
    If you unjar am_as81_agent_2_1.jar after installing the J2EE agent, you will find AgentRealm.class under com.sun.amagent.as.realm.
    Please also note that page 161 of the J2EE agent guide shows how to disable AgentRealm to better fit your agent policy mode. Check it out: http://docs-pdf.sun.com/816-6884-10/816-6884-10.pdf
    Jerry

  • CSA MC Unreachable policy

    Hi All ..
    I have a requirement whereby my customer wants to lock down their laptops so that they can only access internal addresses. This is easy enough, however when a user takes the laptop out of the office, the customer needs to allow the laptop sufficient access to enable them to connect to a wireless or wired POP, and then launch the VPN client to allow them to access the internal services.
    So my idea was to create a state based rule where, if the client can't see the MC, then they get temporary access to external IP addresses to allow them to connect to a POP, and also launch the VPN client. After a set time, all external access is removed to stop the user from accessing the internet.
    I have read through this document (http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/secwlandg20/csa_mobile_secure.html#wp963193),
    which provides an overview of the connectivity I need, including detail of a 300-second timer which is invoked when the MC becomes unreachable, but it is unclear where to set this timer. Any ideas?
    Does anyone have a suggested policy that will achieve what I have described above?
    Thanks in advance
    Phil

  • [OIM 9.1.0.2] Access Policy being evaluated to an OIM user disabled.

    Hi Gurus,
    I have an Access Policy being evaluated and provisioning a resource (AD) to a disabled OIM user.
    Any tip on what I should take a look at?
    Thanks in advance.

    Hi all,
    I have configured the XL.EvaluateMembershipForInactiveUser System Property as TRUE, but the membership rule does not get evaluated for disabled users. So the user still remains in the group. I have restarted OIM.
    I need to activate the Evaluate User Policies schedule task for this configuration to be effective. Or should I do something more?
    Thanks a lot.

  • How to track a request id through an access policy in OIM

    Let's say User-A requests a job role on behalf of User-B, and this job role has an access policy attached to it to provision the user to AD and SAP.
    Now we want an email sent to User-A (i.e. the User-A who is responsible for the job role assignment which made the access policy trigger the provisioning of User-B to SAP) once User-B is provisioned to a resource for the first time.

    You can find the personA usr_key from the upp and upd tables.
    In the upp table the column name is UPP_UPDATEBY.
    In the upd table the column name is UPD_CREATEBY,
    and for the status check the columns (UPD_ALLOW_LIST, UPP_ALLOW_LIST).
    Thanks..
    Edited by: IDMuser19 on Sep 2, 2010 3:27 PM

  • Not able to get the AD organizations list while creating access policy

    Hi All,
    I had created an IT Resource for the AD server and was able to successfully connect to it. Now when I try to create an access policy, I am not able to view any organization from AD.
    Can someone please let me know how to resolve this.
    Thanks in advance.....
    Regards
    Arun

    Please check the error log which I get when I run the scheduled job:
    ======= Start Stack Trace =======================>
    <Aug 3, 2012 2:30:55 PM GMT+05:30> <Error> <OIMCP.ADCS> <BEA-000000> <com.thortech.xl.schedule.tasks.ADLookupReconTask : performReconciliation>
    <Aug 3, 2012 2:30:55 PM GMT+05:30> <Error> <OIMCP.ADCS> <BEA-000000> <[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ]>
    <Aug 3, 2012 2:30:55 PM GMT+05:30> <Error> <OIMCP.ADCS> <BEA-000000> <Description : [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ]>
    <Aug 3, 2012 2:30:55 PM GMT+05:30> <Error> <OIMCP.ADCS> <BEA-000000> <com.thortech.xl.exception.ConnectionException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ]
    at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.searchResultPageEnum(Unknown Source)
    at com.thortech.xl.schedule.tasks.ADLookupReconTask.performReconciliation(Unknown Source)
    at com.thortech.xl.schedule.tasks.ADLookupReconTask.execute(Unknown Source)
    at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.execute(SchedulerBaseTask.java:384)
    at oracle.iam.scheduler.vo.TaskSupport.executeJob(TaskSupport.java:145)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at oracle.iam.scheduler.impl.quartz.QuartzJob.execute(QuartzJob.java:196)
    at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:529)
    >
    <Aug 3, 2012 2:30:55 PM GMT+05:30> <Error> <OIMCP.ADCS> <BEA-000000> <================= End Stack Trace =======================>
    Based on this I checked the credentials I provided, and they are correct. I am able to connect to AD with the same credentials when I create a new IT Resource.
    Not sure what went wrong.
    Regards
    Arun

  • Allow external access to the query message for WebI in BO 4.0

    Hi ,
    I created the BEx query and in the query properties I checked "Allow External access to this query" and saved the query,
    but this check box option "Allow External access to this query" is not saving.
    Is there any note that needs to be implemented for this problem?
    I created the connection using the Information Design Tool.
    I'm trying to create the WebI using a BICS connection from the BEx query through Web Intelligence Rich Client,
    and it is giving the message "it is not possible to use this BEx query as source for Web Intelligence reports. Ask your administrator to edit this query so that it can be used by
    Web Intelligence and enable the query property 'Allow External access to this query'."
    We are using BI 7.35 Support Pack 4 and BO 4.0 SP2.
    Has anyone faced this issue? Could you please send your comments.
    Regards
    JV
    Edited by: Jennie Juvvanapudi on Oct 13, 2011 3:43 AM

    Upgrade your SAP GUI to 720; there is an updated patch on the Service Marketplace for GUI 720 which will resolve this issue.
    When we faced the same issue we upgraded, and our system currently shows:
    SAP GUI Release: 720 Final Release
    File Version: 7200.3.7.1066
    Build: 1257409
    Patch Level: 7
    Thanks,
    Suresh

  • Android MS RDP - RPC Error: Your connection was denied because of a Resource Access Policy (TS_RAP). Please contact your server administrator. (2147965402).

    I love iTap Mobile. Paid for the app. Sorry to see them discontinue it, but now I know why. Microsoft bought them out! But even though free, I am getting an error: RPC Error: Your connection was denied because of a Resource Access Policy (TS_RAP). Please contact your server administrator. (2147965402). I worked with iTap to fix this, so I guess they sold Microsoft their older buggy code... Microsoft, please fix!
    PS: This is the Android version. Mac and iOS are both okay.
    EDIT: After an update a few months ago, iOS is no longer working. Not sure if the problem is related to the Android MSRDP issue.
    UPDATE - Relevant posts (need Android RDP software engineer to fix):
    Event Viewer Log when using Android client:
    The user "DOMAIN\testuser", on client computer "10.x.x.x", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM". (This is most likely for logging into RD Web - icons show up).
    The user "DOMAIN\testuser", on client computer "10.x.x.x", did not meet resource authorization policy requirements and was therefore not authorized to resource "localhost". The following error occurred: "23002". (This is after clicking on any of the icons).
    I think the Android MS RDP client is providing the incorrect resource. It shouldn't be "localhost". It should be the RD Connection Broker's hostname, I believe.
    Here's what it should look like (connected using a Windows PC going through the RD Web portal via Internet Explorer):
    The user "DOMAIN\testuser", on client computer "10.x.x.x", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM".
    The user "DOMAIN\testuser", on client computer "10.x.x.x", met resource authorization policy requirements and was therefore authorized to connect to resource "rdsfarm.domain.com".
    The user "DOMAIN\testuser", on client computer "10.x.x.x", connected to resource "rdsfarm.domain.com".
    Stephan,
    Do you have any way to contact the software engineer who worked on the Android version of the RDP client? Please have them read this thread. They need to fix the hard-coded "localhost" resource to be a variable (namely whatever the user put in for the server).
    This is why the MS RDP app is failing in situations where the FQDN for the RD Gateway and Connection Broker uses the same host name.
    Again, this is not a configuration problem on our end, as it works as intended with the native Windows RDP client as well as the Mac and iOS versions of the mobile RDP client (all based on iTap Mobile's RDP app).
    This is a problem specific to the Android RDP app.
    PS: No matter how hard I try, the WYSIWYG editor is not very WYSIWYG at all, and so everything here looks messed up even though it looked right when I posted it (it is deleting the new blank lines I'm inserting to make it spaced out and easier to read). See below to read the post in context.

    Thanks for the bumps, everyone. I haven't checked this thread in a while because I basically gave up on Microsoft's ability to respond. Unlike paid apps, there's no number to call or ticket to open when an app like this malfunctions.
    Just to give you an update, iOS users started having issues connecting a few months ago. I don't remember what version started this. I'm not sure if it's the same problem.
    Also, the newest version now gives a slightly different error message: RpcOverHttpEndpointException: 2, Your connection was denied because of a Resource Access Policy (TS_RAP). Please contact your server administrator.
    For Android users, I am starting to recommend Xtralogic Remote Desktop Client. It's a paid app, but it works great. I don't know of any alternative for iOS.
    MSRDP for Mac OSX (was also an iTap application) continues to work throughout the many updates.
    We need a software engineer from MS to read my first post. All the information that will point to a fix is there. I strongly believe someone hardcoded the string "localhost" instead of using a variable to point to the FQDN of the rdsfarm name.
    Here's that info again (copied/pasted). It doesn't take an engineer to understand the issue. If you know how to decipher Event Logs, you can see where the problem is.
    Event Viewer Log when using Android client:
    The user "DOMAIN\testuser", on client computer "10.x.x.x", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM". (This is most likely for logging into RD Web - icons show up).
    The user "DOMAIN\testuser", on client computer "10.x.x.x", did not meet resource authorization policy requirements and was therefore not authorized to resource "localhost". The following error occurred: "23002". (This is after clicking on any of the icons).
    I think the Android MS RDP client is providing the incorrect resource. It shouldn't be "localhost". It should be the RD Connection Broker's hostname, I believe.
    Here's what it should look like (connected using a Windows PC going through the RD Web portal via Internet Explorer):
    The user "DOMAIN\testuser", on client computer "10.x.x.x", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM".
    The user "DOMAIN\testuser", on client computer "10.x.x.x", met resource authorization policy requirements and was therefore authorized to connect to resource "rdsfarm.domain.com".
    The user "DOMAIN\testuser", on client computer "10.x.x.x", connected to resource "rdsfarm.domain.com".

  • RemoteApps Error "Your connection was denied because of a Network Access Policy (TS_NAP). Please contact your server administrator."

    Hello All,
    Good day. May I ask if anyone has experienced this error when trying to access RemoteApps in Azure? We are using IaaS and set up RDS using Windows 2012 R2, but we are getting the error below.
    "Your connection was denied because of a Network Access Policy (TS_NAP). Please contact your server administrator."
    Various roles and services (Broker, Session Host, RD Gateway and Web Access) are installed on each VM.
    Please advise.
    Thanks,
    Glenn

    Hi Glen;
    It looks like the setup was not done correctly. Please follow the guidelines given on this blog by Keith Mayer.
    Regards;
    Prasant

  • E1200 V2 with no "internet access policy" in built-in web-based setup

    I just bought a factory refurbished E1200. The label on the bottom says it is a Version 2 model. When I purchased it, it was loaded with 2.0.02 firmware, but I upgraded the firmware to 2.0.04.
    My problem is that I'm trying to set up MAC address-based restrictions through the manual/web-based setup, and when I click on the "Access Restrictions" tab, I only have simple "Parental Controls" and not the advanced "Internet Access Policy".
    Is it possible that I have a mislabeled V1 device? If that is the case, how is it that I was able to upgrade the firmware using firmware from the V2 downloads section?
    Do V1 and V2 units use the same firmware? But more importantly, how do I upgrade the built-in software so that I have the advanced "Internet Access Policy" controls?
    Thanks!
    Eric

    Very strange indeed then! My subtab only has "Parental Controls" listed.
    I've compared it to the one shown here (http://ui.linksys.com/files/E1200/2.0.00/inter_access.htm), and mine does not look like this at all!
    I think I have a mislabeled V1 model, or at least V1 software loaded.
    Does anyone know if it is possible to download and reload the software that is built into the router, or do I need to return it and get a (hopefully) new one?
    Thanks!
    Eric

  • Registering External Fault Policy(s) with a Composite in SOA 11g

    Hi
    I was wondering whether it is possible to register more than one external fault policy with a composite. I have loaded some fault policies into my database-backed MDS store. I have added a fault-bindings.xml file locally to the composite to indicate which components I want to use which policy. This file resembles:
    <composite faultPolicy="bpelSynchronousProcessingFaults"/>
    <component faultPolicy="mediatorSynchronousProcessingFaults">
    <name>MediatorRouting</name>
    </component>
    I have also added to the composite.xml file the respective imports / properties to identify the location of the fault policy files and the fault bindings. These resemble:
    </service>
    <property name="oracle.composite.faultPolicyFile">oramds:/apps/fault-policies/fault-policies-med-sync.xml</property>
    <property name="oracle.composite.faultPolicyFile">oramds:/apps/fault-policies/fault-policies-bpel-sync.xml</property>
    <property name="oracle.composite.faultBindingFile">fault-bindings.xml</property>
    <component name="MediatorRouting">
    For a test I have the BPEL component using one and the mediator component using another, both within the same composite. Depending on the order of the two properties shown above, only one is registered, this being the second one.
    Is it possible to register more than one policy in this way? I have been unable to get both working at the same time. Each works independently if I only register one of them. I want to keep the fault policies external to the composites to allow them to be reused appropriately across composites within an SOA project.
    My thinking is, in order to be able to have differing policies affecting different components within a composite, I'd have thought it would have been possible to define more than one external policy for a composite. However, it appears this is not the case, as it only registers, or at least works with, the last policy in an import. Also, placing the files locally within the composite with differing names has no impact.
    Therefore I'm assuming (unless I have configured these incorrectly) there is no option to have multiple fault policies for a composite, and therefore there is no ability to define a different policy per component within a composite.
    Kind Regards
    Dave

    Using the fault binding, attach your fault policy to a particular component. See the example below; use the tag <component faultPolicy="ServiceFaults">.
    <?xml version="1.0" encoding="UTF-8"?>
    <faultPolicyBindings version="2.0.1"
        xmlns="http://schemas.oracle.com/bpel/faultpolicy"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <component faultPolicy="ServiceFaults">
        <name>Component1</name>
        <name>Component2</name>
      </component>
      <!-- Below listed component names use policy CRM_ServiceFaults -->
      <component faultPolicy="CRM_ServiceFaults">
        <name>HelloWorld</name>
        <name>ShippingComponent</name>
        <name>AnotherComponent</name>
      </component>
      <!-- Below listed reference names and port types use policy CRM_ServiceFaults -->
      <reference faultPolicy="CRM_ServiceFaults">
        <name>creditRatingService</name>
        <name>anotherReference</name>
        <portType xmlns:credit="http://services.otn.com">credit:CreditRatingService</portType>
        <portType xmlns:db="http://xmlns.oracle.com/pcbpel/adapter/db/insert/">db:insert_plt</portType>
      </reference>
      <reference faultPolicy="test1">
        <name>CreditRating3</name>
      </reference>
    </faultPolicyBindings>

  • [OIM 9.1.0.2] RESOURCE NOT REVOKED BY ACCESS POLICY WHEN USER DISABLED

    Hi Experts,
    OIM Build Number: 1866.62 ( BP15 )
    IHAC (I have a customer) that faced an unexpected behavior on user disabling.
    Some users were associated to groups that had access policies applied.
    When those users were disabled, they didn't lose their associated groups, nor the resource and permission associated through the access policy applied to those groups.
    I saw that there was a bug reported for that issue, so I performed the action plan and set the XL.EvaluateMembershipForInactiveUser System Property to TRUE. Now, after disabling, the users are properly removed from groups.
    Customer problem: for those users, almost 1000, I did a recon just to stimulate the identity, so the membership rule was applied and the groups were removed, but OIM didn't evaluate the access policies and didn't revoke the resources.
    I ran the Evaluate User Policies task, and it seems to be stuck. Should the Evaluate User Policies schedule task work for that scenario? Should the resource after running that task be revoked?
    Any help would be very appreciated.

    Hi Nishith,
    I ran the task, but it seems really stuck. It displays the RUNNING status, but no effect is observed. I have to change the task status to INACTIVE in the Design Console.
    This task has 2 attributes: Batch Size = 500 and Number of Threads = 20.
    But I have noticed that in another environment (with BP18 applied) this task has 3 attributes: Batch Size = 500; Number of Threads = 20 and Time Limit in mins = 1.
    Is there any enhancement for this task in order to improve its performance, or something like that?
    What else can I check?
    Thanks in advance.

  • OIM 11g R2 - AD provisioning based on Role and Access Policy

    Hi, for Active Directory integration I used a prepopulation plugin for populating the resource form (based on http://fusionsecurity.blogspot.sk/2013/01/populating-request-attributes-in-oim.html).
    It works fine: the requested account was fully provisioned.
    Can I use this plugin for role-based provisioning?
    I tried to create an access policy and an associated role, but when I attached the role to the user and ran the Evaluate User Policies job, the account couldn't be provisioned.
    In diagnostic.log I found:
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Immediate consequences are returned with event - InitiatePolicyEvaluationAndProvisioning
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Next Waiting child process is ..........6380 sync = false
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] First Waiting child process is ..........6380
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Kernel executing default validation with process id, event id, entity and operation 6,380.0.Resource.ACCESS_POLICY_BASED_PROVISION
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Kernel completed the child orchestration - 6380.6379
    [oracle.iam.platform.kernel.dao] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Inserting records for orchestration cleanup
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Completed orchestration with action result - 113

    Hi, all
    I tried to fill in the Access Policy process form. The account request was created and provisioned when the fields AD Server and Organization Name were filled in, but the pre-population plugin didn't fire.
    The question is: how can I use the pre-population plugin for populating the request dataset used with a request generated by an access policy?
    Is it possible to use plugins for requests generated based on an access policy?
    a.

  • 8.0.6-119 on S160 can no longer see past the second access policy

    We upgraded an S160 to 8.0.6-119 today, and now the appliance is not authenticating groups beyond Restricted Internet and Information Technology. For example, Access Policy #6 is called Marketing. It has access to Streaming Media and Social Media (like YouTube, Facebook, Twitter). They are the marketing department that needs this access to do their job. The identity policy is authenticated_users, but it keeps falling under the last access policy, "Global Access Policy", which results in the request being blocked based on URL category.
    I just don't get it. Authenticated Users is set to the Windows realm, which the WSA joined to the domain, and has 3 DCs and a CDA virtual appliance tied to it. I don't see that being the issue, because the policy trace correctly brings back all AD groups the user is tied to. The scheme is Use Kerberos or NTLMSSP.
    Next, under access policies there are 14 of them before the global policy. They are all authenticated users and pointed to the proper Active Directory groups. Marketing is 6 out of 14 (not counting the non-numbered Global Policy at the bottom).
    So what could the issue be?

    I opened a case with TAC but have not heard back. However, it seems things are working now. Perhaps they contacted in and corrected an issue but haven't had the chance to tell me what they did. I have remote access enabled for Cisco TAC.
    Now when I do the policy trace, it actually applies the Marketing access policy, and AVC actually sees this is Facebook General (Facebook) in this case. Before, I think it said none for everything and the access policy was Global.
