Dynamic access policy ACL not being applied to user

Hi all
I have just configured my ASA for SSL VPN.
I have created a dynamic access policy with an ACL in it.
The user connects fine, and I can see in the logs that the DAP policy has been applied to the user.
However, when I click on Monitoring, it says no ACL is applied to this session, and the client cannot get anywhere.
Why would this be?
cheers
Carl

When you go to Dynamic Access Policies in ASDM, is your NoVPN ACL at the top of the list (highest ACL priority)? These get processed in order, and if your user is in both groups the first will be taken and the rest ignored.
Also, is your default policy at the bottom of this list "deny access"?

Similar Messages

  • Dynamic Access Policy ACL Logging

    We use dynamic access policies with Network ACLs to restrict specific users' access to what they need over the VPN. The ACLs get applied to the users as they should, for the most part working as they should. I am in the process of troubleshooting an ACL now that is tied to a DAP, and I can't find any way of logging the drops (or allows) from the ACL being used for DAP.


  • Access Policy is not getting triggered after creation of user through GTC

    Hi,
    I have an access policy for the ALL USER role that provisions users to an RO after they get created in OIM. I have a trusted-source flat-file reconciliation GTC for user creation. I am facing an issue: when a user is created through the GTC, the access policy is not triggered. But while creating a user through the web console, the same access policy works fine and the user gets provisioned with the RO.
    If anybody has any idea how to resolve this, please help me in this regard.
    Regards,
    Avijit

    Hi,
    It's good to know that it's working. As per my experience it works once (through reconciliation) but then stops working. Now, to confirm, try to revoke the user by changing the group membership through reconciliation and see if the resource is revoked or not (repeat it 2-3 times). Note: don't do it from within the IDM web admin console; do it through reconciliation.
    Do post your results.
    Regards.

  • Policy not being applied to users

    I have a group policy that used to work, but now has decided it does not want to be applied to the workstations anymore. I don't know what may have happened to make it stop working.
    It's a pretty restrictive policy for students. I have the exact same policy for two other groups of students that still work. All three policies were copied from the same set of files. In other words, I make a change to one, then copy the files to the other two because they reside on different servers. Yes, I do open each one in C1 to update the timestamp.
    When I run wmsched, the policy is there in the list, but the settings are not applied. I can log in to the PC with one of the other student accounts and their policy is applied.
    The login I'm using to test with has R rights to the policy location - the same rights that the other users have to their policies. I have also tried more rights with no different results.
    The DLU part of the policy runs, and I have turned off the windows firewall. I have also created a brand new policy from scratch to rule out any corruption in the old policy and I get the same results.
    Apparently, my workstation policy for this group is not being applied either. The other two groups' policies apply like they are supposed to. So this means that neither policy assigned to this group of students/workstations is working.
    Any ideas?
    Thanks


  • Messages in Buffered queue not being applied

    Hi All,
    I'm running a Streams environment. The receiving server crashed and was restarted. The apply process was restarted and the buffer was flooded with messages. Flow control initiated on the sending database. The apply process doesn't show errors, but there are 5001 messages in the queue that aren't being applied. I've tried restarting the apply process and increased the number of parallel apply processes. Purging the queue doesn't seem like a good idea since I will lose data. What can I do?
    BTW, the messages in the queue seem to be in deferred state. I don't know if this is of any importance...
    Another thing that struck me as odd was the following:
    Coordinator Low Watermark: 11063412548
    Reader Oldest SCN: 11063412382
    I would assume the Oldest SCN would be equal to or higher than the Coordinator low watermark, because messages are first being read, then coordinated, then applied, right?
    And while I'm at it: it is no longer possible to disable the queue from Grid Control. If I try to, what happens is that the status becomes disabled (red downward arrow) but the state remains "DEQUEUEING MESSAGES".
    kind regards,
    Erik

    Query 1
    APPLY_NAME : P_APP1
    Latency in Seconds : 29139
    Message Creation : 2010-04-27 14:48
    Apply Time : 2010-04-27 22:54
    APPLIED_MESSAGE_NUMBER : 11063412548
    Query 2
    CAPTURE_NAME : P_CAP1
    STATE : PAUSED FOR FLOW CONTROL
    CAPTURE_TIME : 2010-04-29 07:41
    CAPTURE_MESSAGE_NUMBER : 11063460122
    CAPTURE_MESSAGE_CREATE_TIME : 2010-04-27 14:55
    ENQUEUE_TIME : 2010-04-29 07:41
    ENQUEUE_MESSAGE_NUMBER : 11063460122
    ENQUEUE_MESSAGE_CREATE_TIME : 2010-04-27 14:55
    AVAILABLE_MESSAGE_NUMBER : 11076534248
    The second query had some fields in it that weren't supported by my version of Oracle 10.2. I replaced them with some others....

  • [OIM 9.1.0.2] Access Policy being evaluated for a disabled OIM user

    Hi Gurus,
    I have an Access Policy being evaluated and provisioning a resource (AD) to a disabled OIM user.
    Any tip on what I should take a look at?
    Thanks in advance.

    Hi all,
    I have configured the XL.EvaluateMembershipForInactiveUser system property as TRUE, but the membership rule does not get evaluated for disabled users, so the user still remains in the group. I have restarted OIM.
    Do I need to activate the Evaluate User Policies scheduled task for this configuration to be effective, or should I do something more?
    Thanks a lot.

  • Dynamic Access Policy Customization for Antivirus issues??

    I am trying to configure it so that when an employee logs in, it scans to verify first that antivirus (in our case Sophos) is installed, that it is running, and that it has been updated DAT-file-wise within the last 10 days; if not, go to our server for the update before allowing them to log on. If Sophos is not detectable then a message would be given to the user: "Sophos AV cannot be detected, please make sure it is installed and running; if you need help please contact the Help Desk".
    If I set this up, VPN stops working; also, when Sophos is not running it goes to the default message that the user is not part of the correct AD group, even though they are.
    Help.. getting frustrated..
    JJ

    You can run the following two debug commands to see what is happening during DAP processing:
    debug dap trace
    debug dap errors

  • [SOLVED] xhost access control does not work for specified users

    After the last upgrade of xorg to v1.17.1-1 I get the message "unable to open display ":0"" when trying to run any window application as a user specified in xhost. My xhost list looks like:
    access control enabled, only authorized clients can connect
    SI:localuser:steam
    SI:localuser:root
    But if I disable access control for everyone by invoking "xhost +", applications run on other accounts without problems. Does anyone have that problem too?

    slx wrote: I see that a fix is pending http://lists.x.org/archives/xorg-devel/ … 45644.html
    Can you test the package here http://pkgbuild.com/~lcarlier/test/ ?

  • Trigger Access Policy not Running

    Can someone suggest why the trigger at Access Policy is not running?
    I tried making a new policy, resource and role, but the trigger is still not running.
    Thanks.

    Are you using OIM BP06? If yes, then the access policy won't trigger automatically. You have to run the "Evaluate User Policies" task to trigger the access policy.

  • Managed folder policy will not apply to entire database

    Exch2007 sp3
    I have run several versions of this PowerShell command trying to set an MRM policy for a specific Exch2007 database, but the policy is not getting applied; the mailboxes don't show the policy:
    Get-Mailbox -domaincontroller DC.domain.com | Where{$_.Database -eq "mail\sg1\private information store"} | Set-Mailbox -ManagedFolderMailboxPolicy "90day"
    When I run this version, it returns info about a corrupted mailbox.
    If this mailbox is what is stopping the cmd from completing, is there a parameter to skip bad mailboxes?
    Thanks!

    Hi,
    What's the error/warning for that corrupted mailbox? Since it's a corrupted mailbox, I suggest disabling this mailbox and then running the command to apply the managed folder mailbox policy.
    In addition, just setting the policy on the DB isn't enough to see the effects in the user's Outlook. To do this we need to schedule the managed folder assistant to run on the mailbox server.
    For EMC:
    “Server Configuration”->”Mailbox”->locate related mailbox role and right-click it->choose “Properties”
    In the “Messaging Records Management” tab->set the running schedule
    For EMS:
    Start-ManagedFolderAssistant
    https://technet.microsoft.com/en-us/library/bb691428%28EXCHG.80%29.aspx?f=255&MSPPError=-2147217396
    Document for reference
    Managing Messaging Records Management
    https://technet.microsoft.com/en-us/library/bb123507(EXCHG.80).aspx
    Best Regards.
    Lynn-Li
    TechNet Community Support

  • Access Policy and Process Task

    Hi,
    I created "access policies" to provision resources when a user is associated with a role with the name of this resource.
    When I manually assign the role, the access policy works properly and the resource is provisioned.
    When the role is assigned through a process task, the access policy does not work properly and the resource is not created.
    Why does this happen?
    How can I make the process task trigger the access policy when it assigns the role?
    TKS

    Better to assign the role using a group membership rule. Also, when the role is assigned using the process task, can you check whether it is getting assigned to the user properly?
    Which OIM are you using? If it's 11.1.1.5 then apply the BP03 patch or BP04 patch.
    regards,
    GP

  • LDAP (openldap) authorization with DAP (dynamic access policy)

    Hello,
    We have an ASA 5520 and we are trying to do LDAP (OpenLDAP) authorization with DAP (Dynamic Access Policy). We have a problem with the logical expression. We need more examples of logical expressions, and we need to know how to debug logical expressions. We tried using "debug dap trace" and "debug dap errors", but we need more debug information.

    Hi
    I guess you are using an LDAP attribute map to map the AD group to a group policy. This does not work as you may expect when the user is part of multiple groups, i.e. the user will always be mapped to the same group (first or last in the list, not sure).
    Possible solution: remove the LDAP attribute map, and configure DAP rules that check the ldap.memberOf attribute instead.
    Hth
    Herbert
    Sent from Cisco Technical Support iPad App - sorry for the brief explanation, if you need more details let me know.
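    The two replies on this page that concern DAP record selection (the reply to the original question, "records are processed in order, the first match is taken, the default record sits at the bottom", and Herbert's suggestion above to select DAP records on ldap.memberOf) can be modelled in a few lines. The following is an added illustration written for this page, not Cisco code and not the behaviour of any particular ASA release: it evaluates a top-down list of records with first-match semantics exactly as the reply describes, matches on the CN of each ldap.memberOf DN, and includes a check for records that let a session up without attaching any ACL, which is the "no ACL applied to this session" symptom from the original question. All record, group and ACL names (NoVPN, VPN-Staff, Staff_ACL, Contractors, the example.com DNs) are constructed for the example.

```python
# Added illustration (not Cisco code): a model of how a top-down list of DAP
# records selects the ACL for a VPN session, following the replies on this page.
# Assumptions: records are checked in list order, the first match wins, and the
# default record at the bottom catches every session nothing else matched.
from dataclasses import dataclass
from typing import List, Optional, Tuple


def cn_of(dn: str) -> str:
    """CN of an LDAP DN ('CN=VPN-Staff,OU=Groups,DC=example,DC=com' -> 'VPN-Staff'),
    or '' when the first RDN is not a CN."""
    first_rdn = dn.split(",", 1)[0]
    key, _, value = first_rdn.partition("=")
    return value.strip() if key.strip().upper() == "CN" else ""


@dataclass(frozen=True)
class DapRecord:
    name: str
    member_of_any: Tuple[str, ...] = ()   # CNs from ldap.memberOf; empty = matches every session
    network_acl: Optional[str] = None     # ACL the record attaches; None = no ACL attached
    action: str = "continue"              # "continue" lets the session up, "terminate" drops it


def record_matches(record: DapRecord, member_of: List[str]) -> bool:
    """Selection criterion on ldap.memberOf: any listed CN present among the user's groups."""
    if not record.member_of_any:
        return True
    user_cns = {cn_of(dn) for dn in member_of}
    return any(cn in user_cns for cn in record.member_of_any)


def select_record(records: List[DapRecord], member_of: List[str]) -> DapRecord:
    """Walk the list top-down and return the first matching record (first match wins)."""
    for record in records:
        if record_matches(record, member_of):
            return record
    raise ValueError("no catch-all default record at the bottom of the list")


def session_result(records: List[DapRecord], member_of: List[str]) -> Tuple[str, Optional[str], str]:
    """(record name, ACL applied to the session, action) for a user with these memberOf values."""
    record = select_record(records, member_of)
    return record.name, record.network_acl, record.action


def records_without_acl(records: List[DapRecord]) -> List[str]:
    """Records that let a session up but attach no network ACL: a session that lands on
    one of these is exactly what shows as 'no ACL applied' in monitoring."""
    return [r.name for r in records if r.action == "continue" and r.network_acl is None]


# Constructed policy list, top of the list first. NoVPN sits at the top, so a user who is
# in both the NoVPN and VPN-Staff groups gets the NoVPN record, not the staff one.
POLICY = [
    DapRecord("NoVPN", member_of_any=("NoVPN",), network_acl="NoVPN_ACL"),
    DapRecord("Staff-VPN", member_of_any=("VPN-Staff",), network_acl="Staff_ACL"),
    DapRecord("Contractors", member_of_any=("Contractors",)),  # continue with no ACL: misconfigured
    DapRecord("DfltAccessPolicy", action="terminate"),           # default record at the bottom: deny
]

GROUPS_BASE = "OU=Groups,DC=example,DC=com"   # constructed base for the sample DNs


def member_of(*cns: str) -> List[str]:
    """Build constructed ldap.memberOf values for the sample users."""
    return [f"CN={cn},{GROUPS_BASE}" for cn in cns]


if __name__ == "__main__":
    print(session_result(POLICY, member_of("NoVPN", "VPN-Staff")))  # NoVPN wins: higher in the list
    print(session_result(POLICY, member_of("VPN-Staff")))           # Staff_ACL
    print(session_result(POLICY, member_of("Contractors")))         # continue, but no ACL attached
    print(session_result(POLICY, member_of("Printers")))            # falls through to the default: terminate
    print("records with no ACL:", records_without_acl(POLICY))
```

    Swapping the first two entries of POLICY makes the same two-group user land on Staff_ACL instead, which is the ordering effect the reply asks the original poster to check in ASDM; records_without_acl is the list to review when a session matches a record but monitoring shows no ACL.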

  • Segregate Automated User provisioning using Access Policy - Diff Groups/Org

    Hello there,
    By default, the users that are created in OIM (via GTC, via self registration, via Administrator) all get assigned to the "All Users" group. Can we assign these users to a different user-defined group, e.g. "trialgroup", by default, and unassign the "All Users" group? If yes, how can we do that?
    This question is related to another question of mine:
    I want to avoid all the users that are being created in the OIM system being provisioned together to a single IT Resource (in my case OID) directly via an access policy, which can be applied to an individual group. I want to keep the system extensible for future purposes. And the only way to segregate direct resource provisioning via access policy is by means of different "groups". So the solution that I could think of was to assign all the users that are being created currently (via GTC and via Bulk Load into OIM) to a separate group and assign an access policy to the group, so that in future, if any other resource comes into the picture, the system can be extended by creating more groups and designing separate access policies for them.
    Does this make sense?
    Please provide your inputs! Any hints/suggestions/ideas are welcome.
    TIA,
    - oidm.

    I am actually not very sure what you want to achieve from the content of that post. If you mean that you would not want every user in OIM to be provisioned to OID automatically through an access policy, then I am assuming that in that case you would apply the access policy to the ALL_USERS group.
    Well, I may be missing the flow of your question, but here is what you can do based on my understanding:
    1) Just forget the ALL_USERS group. We can do nothing about it. Any user created will be a part of this group and you cannot remove a user from this group.
    2) In place of this, what you can do is create another group, for instance trialgroup, and make all users a member of this group as well. This would be simple to do. See next step. Use the addMemberUser() API of the addMemberUser interface.
    3) Create an Entity adapter with a Java task added, which takes an input of UserID and assigns that user to this group (trialgroup) in OIM using the above API. Attach this adapter to the post-insert trigger of the "Users" data object manager. (There is also another OOTB Entity adapter which adds all the users to the ALL_USERS group.)
    4) Attach your access policy to this group.
    5) Now you are also free to extend your system by creating more groups and access policies. It shouldn't be a problem.
    Thanks
    Sunny

  • Provision to target system via access policy

    I am attempting to provision to Active Directory via an access policy and membership rule in OIM 11gR2. I have a couple of different issues associated with this process.
    First, I have a membership rule that works fine. All members of a certain organization are automatically assigned a certain role. My access policy is set to provision an AD account to any member that is assigned the same role from the membership rule. This access policy does not seem to get triggered. The access policy is set to run with no approval, retrofit access policy is enabled, and it is set as priority 1 with "revoke if no longer applies" checked. It is also assigned the Active Directory Users process form. I cannot determine why this access policy is not being triggered to provision the role members to AD. I have manually run the Evaluate User Policies task several times with no effect.
    I believe this may be happening because the default prepopulate adapters are not working or are not configured correctly. The 5 mandatory fields each have a prepopulate adapter assigned to them with the Default rule. Correct me if I am wrong, but I believe the mandatory fields are user id, first name, last name, common name, and user principal name? The Org name and IT Resource are set as static values within the access policy. Can anyone assist me in determining (1) why the access policy is not working and (2) why the prepopulate adapters such as ADIDC Populate Form Field for User ID and ADIDC Prepopulate UserPrincipalName for User Principal Name are not working? Is there additional configuration that must take place with these out-of-the-box adapters so they know which values to populate?

    Just verify whether the following are checked in the AD process definition:
    Auto Save Form
    This check box is used to designate whether Oracle Identity Manager should suppress display of the custom form associated with this provisioning process or display it and allow a user to supply it with data each time the process is instantiated. If you select this check box, it designates that Oracle Identity Manager should automatically save the data in the custom process form without first displaying the form. If you select this check box, you must supply either system-defined data or ensure that an adapter is configured to populate the form with the required data (since the user will not be able to access the form). If you clear this check box, it designates that Oracle Identity Manager should display the custom process form and allow users to enter data into its fields.
    Auto Pre-Populate
    This check box designates whether the fields of a custom form that:
    Are associated with the process
    Contain fields that have pre-populated adapters attached to them
    Also, while running "Evaluate User Policy", clear the old timestamp and populate it with the current time. Sometimes I have seen people make this mistake.
    ~J

  • Problem with Access Policy

    Hi All!
    OIM 11g:
    1. I have installed DBUM 9.1.0.4
    2. I have configured an IT Resource and RO for granting a user an MS SQL User and database role (for example in the HRData db)
    3. I have created a Role named "HRData DB User" and an Access Policy named "HR Data DB User" which grants the correct RO.
    4. When the role is granted by xelsysadm for a specific OIM user, everything is OK.
    Problem:
    When a user requests the role "HRData DB User" from the Self-Service portal, and the request is approved by xelsysadm, the role is granted but the RO is not granted. I get the following error:
    <Nov 19, 2010 1:12:46 PM CET> <Error> <XELLERATE.SERVER> <BEA-000000> <Class/Method: tcDataObj/eventPreInsert Error :Insert permission is denied>
    <Nov 19, 2010 1:12:46 PM CET> <Error> <oracle.iam.accesspolicy.impl.handlers.provisioning> <IAM-4030308> <An error occurred in oracle.iam.accesspolicy.impl.handlers.provisioning.ProvisionAccountActionHandler while provisioning resource 161 to user 43 and the cause of error is DOBJ.INSERT_PERMISSION_DENIED: H: You do not have permission to insert this object..>
    <Nov 19, 2010 1:12:46 PM CET> <Warning> <oracle.iam.callbacks.common> <IAM-2030081> <[CALLBACKMSG] Inside completion plugin for request 68.>
    <Nov 19, 2010 1:12:46 PM CET> <Warning> <oracle.iam.callbacks.common> <IAM-2030082> <[CALLBACKMSG] Inside completion plugin for request 68, target tye is Role and operation is SELFASSIGNROLES.>
    <Nov 19, 2010 1:12:46 PM CET> <Warning> <oracle.iam.callbacks.common> <IAM-2030082> <[CALLBACKMSG] Inside completion plugin for request 68, target tye is RoleUser and operation is CREATE.>
    Any suggestions?
    best
    mp

    Hi Rajiv,
    So, there is no way we can implement this?
    My requirement is same as this,
    OIM: Question about "Auto Save" option on Resource Object
    I have a Resource Object that needs to be provisioned at least two ways:
    1) thru an access policy by group membership
    2) thru user self-request, who is not already in that group membership
    The problem is, if I don't check the "Auto Save" check box the automatic assignment through the access policy does not complete, and if I do check the check box then the user request does not let the user enter values into the resource form; instead it goes directly to submitting the request. Looks like these are mutually exclusive.
    Is there a way to make both work on the same Resource Object?
    Thanks
    SK
