ISE Admin Menu Access Policy and Network Resources

Similar Messages

• In Cisco IronPort WSA, what is the difference of an Access Policy, and an Identity?

  Hi Everyone,
  I am currently setting up a custom access for a particular subnet.
  What I did is to create a new identity for them, then allowed only specific URL categories for them. Note that the subnet is already allowed to access the internet through Global access policy.
  What will be the difference if I rather created a new Access Policy for the subnet?
  And technically, what's the difference of an Access Policy and an Identity?

  This was not my question. I asked if using the Marginal in Printing will you have a frame around the image?
  I think you're confused about which thread you are posting to.  "Wully bully" started this thread by asking about identify plates and watermarks, and I replied to Wully bully's post.
  Nevertheless, your question too about printing is best asked in the main LR forum, not here.

• Access Policy and Resources -11gR2

  Hi all,
  I have create an Access policy in 11gR2, its working fine and as per requirement the Resource is getting provisioned / revoked properly.
  In *11gR1* resources provisioned through the Access policy were used to be displayed / listed in the User's Resources tab, In *11gR2* the resources provisioned by Access Policy are not being displayed / listed in under the Accounts tab. is it the default behavior of 11gR2? or some bug? or I need to make any configurations to have it displayed here?
  Regards

  nothing special has to do for showing under Accounts tab. Have you created *'Application Instance'* for the Resource. You have to create Application Instance and run the "catalog sync' job. and once Application Instance is provisioned to user. It will be available under Accounts tab.
  Follow 11gr2 doc for creating application instance
  http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/resmgt.htm#CBBFAIEC

• Access Policy and Process Task

  Hi,
  I created "access policies" to provision resources when a user is associated with a role with the name of this resource.
  When I manually assign the role, the access policy works properly and the resource is provisioned.
  When the role is assigned through a process task, the access policy does not work properly and the resource is not created.
  Why this happens?
  How can I make the process task trigger the access policy when assign the role?
  TKS
  Edited by: raraujo on Oct 15, 2012 3:36 AM

  Better assign Role using group membership rule. Also, can you check if role is assigned using process task, is it getting assigned to user properly?
  Which OIM you are using? If it's 11.1.1.5 then apply BP03 patch or BP04 patch.
  regards,
  GP

• Forms and Network Resource

  I have made several forms using Adobe 9 and distributed them.  Most often I get a message in the Tracker that says "you do not have access rights to this network resource".  Is Acrobat.com considered a network resource?  If so, then how do I change my settings?  When the error message appears, I cannot ever stop collecting information or delete the message.  Help!

  Finally, someone else who has had the same experience!  I was finally able to get a bunch of me error listings in the Tracker deleted.  I have an alternate email account.  I went into Acrobat.com and "shared" the files giving the error posts with that email.  Then went into the alternate email, put in some bogus information, and hit the submit button.  Later I went back into Tracker and was able to remove the response form the list.
  This method did not work for all of the postings.  I had three that had been emailed instead of diseminated via Acrobat.com, and those postings have not been able to be deleted yet.  But at least a chunk of the junk is gone.
  After trying to get some answers on some tricky problems, I get the distinct impression that Adobe is just so darn big, with so many different facets, that it is practically impossible for any tech to have knowledge of how all the different programs work together.  Either that or ya just have to suck it up and either pay the big bucks to get more in-depth professional help, of get lucky, like I did with this fix.
  Pretty darn hard to get work done when ya have to spend valuable time fereting out solutions to problems that should never have popped up, eh?

• Accessing servers and network from home

  I am a computer teacher and would like to know if it is possible to access our server and network from my home. I am the administrator. We use the xserve raid and I have 4 of them. I do have remote desktop as well. Thanks in advance for your help.

  Hi mrsraz-
  One way is through ARD: About Apple Remote Desktop 3.1
  For security reasons you will want to connect via VPN. This document has good information and helpful links: Server Admin 10.4 Help: VPN Service Overview
  Luck-
  -DaddyPaycheck

• Fair Access Policy and Ipod...I Need Help!!

  I am having such trouble getting videos to download to my Ipod. I use Direcway for my internet service and they have some policy that only allows a certain amount of download time (169mg in 4hrs?) called Fair Access Policy..its a bunch of crap if you ask me..http://www.copperhead.cc/fap.htm
  So anyhow..I have been trying to down load the first part of Lost for 5 days now and it gets almost to the end and I get a error code -39 and it stops everything. I don't know what else to do. I called direcway and they said to download a download messenger?? does something like this work with Ipod?
  Also, I have purchased songs that are in line for download and I can't get them to download cause I can't get them past the Lost download...
  I really don't know what to do..
  Does anyone know how to stop the start of Lost so I can get the songs that are in line??
  Thanks and I hope this wasn't to confusing..
  Kathy

  First you will need to install iTunes if you have not already.
  Second to reset the iPod back to factory settings you will need to connect the iPod to the computer then open iTunes. In iTunes select the iPod and goto the Summary tab which should be the first one to open. Below the Check for Update button click on Restore. This will reset the iPod back to factory settings so you can start fresh.

• Want to Access local and Network

  Hai
  I am doing an Application with XML in Local, and i have
  multiple link buttons to Relevant sites
  My application files are in Local and XML also in local
  folder
  When i click the link button , Flash player not permitting to
  access links. I wnat to change global settings in Adobe
  When i put them in server it works fine
  I have compiled the application with compiler argument
  -use-network=false
  If i change that to -use-network=true i can access to weblink
  , but i cant get data from local folder My flex application is
  Blank
  I also tried by setting system.security.allowdomain("*")
  and all security options
  when i trace sandbox type it says "localTrusted"
  I have an idea of changing configuration file in Flash player
  #security folder, I tried and it works fine. but my client thinks
  it is little tough.
  I need help to overcome this . Can any please help me .
  I wnat to access data from Local folder and Want to Link to
  Web.
  My application is in Local Harddrive
  Thanks
  Murugan

  You cannot easily do this. If your app is delivered via a web
  domain, then you cannot access both network and local assets.
  The only way to do what you ask is to physically install the
  application in a trusted folder.
  See this doc:
  http://livedocs.adobe.com/flex/2/docs/00001953.html
  and this for details on hot to set it up:
  http://livedocs.adobe.com/flex/2/docs/00001952.html
  Tracy

• OIM 11g R2 - AD provisioning based on Role and Access Policy

  Hi, for Active Direcotry integration i used some prepopulation plugin for populationg resource form (based on http://fusionsecurity.blogspot.sk/2013/01/populating-request-attributes-in-oim.html).
  It's work fine - requested account was fully provisioned.
  Can i use this plugins for Role based provisioning?
  I try to create access policy and associated role but when attached the role to the user and run Evaluate User Policies Job, account can't be provisioned.
  In diagnostic.log i found.....
  [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Immediate consequences are returned with event - InitiatePolicyEvaluationAndProvisioning
  [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Next Waiting child process is ..........6380 sync = false
  [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] First Waiting child process is ..........6380
  [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Kernel executing default validation with process id, event id, entity and operation 6,380.0.Resource.ACCESS_POLICY_BASED_PROVISION
  [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Kernel completed the child orchestration - 6380.6379
  [oracle.iam.platform.kernel.dao] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Inserting records for orchestration cleanup
  [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Completed orchestration with action result - 113

  Hi, all
  I try to fill Access policy Process Form. Account request was created and provisioned when field AD Server and Organization Name was filled in, but pre-population plugin doesn't fired
  The question is.... How can i use pre-population plugin for populating request dataset used with request generated by access policy....
  Is it possible to use plugins for requests generated based on access policy?
  a.

• OIM iPlanet Resource revoked using access policy

  Hi,
  I had created a group and access policy based upon which i tried to provisioned a iplanet resource to a user.
  For this I had created a UDF(say type with value C) and created a rule based on which user is assigned to group say business and also iPlanet resource is provisioned to user
  As I Edit the profile and clear UDF. User is removed from group and also iPlanet resource is revoked.(In Access Policy revoked if no longer applied)
  I am able to do this task Successfully But If iPlanet resource is already allocated to user and I update the UDF(value C) user is assigned to group and iplanet is already assigned to user(muliple resource UNTICK). and now if i again Updated the UDF(mean clear it) user is removed from the group but iPlanet resource is not revoked from the user......
  Can somebody tell me why it is happening??? wheather its a bug in OIM or I am missing something...
  Thanks
  Anil

  If I understand your requirement correctly, when you change the value in process form edit from C to other, iPlanet resource is getting revoked.
  But when you change the the same value from user profile edit, the iplanet is not getting revoked right?
  As per my knowledge I can say, when you update the value for UDF in user profile, you can use triggers USR.TRIGGERS which will update the process form. In this case your process form will gets updated by default.
  This in turn triggers access policy and revokes the resource.
  Hope this helps you

• Provision Entitlements using Access Policy in OIM & OIA

  Hi All,
  Access policies in OIM does not allow entitlements definition in it such as defining the AD Groups that needs to be attached to the account which would be provisioned on the target resource when the access policy gets triggered. These entitlements definition in OIM is taken care on the Process Form level, whereas in case of OIA the Provisioning polices allow entitlements definition according the resource type in the policy level. It would be of great help if you could help us in understanding how the import and export of access policy data between OIA and OIM would be feasible with these differences in place
  Appreciate any helpful pointer on this.
  Thanks,
  RPB
  Message was edited by: RPB25

  You can edit the Access Policy, select the Resource added-Provide more information, If it has a child table, you can add entitlement to it. you can also add entitlement while exporting OIA policies using accesspolicy api of OIM. But just chek after importing to OIM, the access policies order will be messed.
  sjit

• OIM Access Policy dilemma

  I have a need to use an Access policy for basic account creation but still have a Request workflow for enhanced privileges. The Access Policy needs the Resource and Process forms to both be Auto Pre-populate and auto save. This seems to be a conflicting requirement by the way I understand OIM. Any thoughts on a good work around?
  Kerry

  What version of OIM are you using? And have you made any changes to the web client? (particularly xlWebAdmin.properties, struts-config.xml or the class files?)
  Deborah

• Provision to target system via access policy

  I am attempting to provision to Active Directory via an access policy and membership rule in OIM11gR2.  I have a couple different issues associated with this process. 
  First,  I have a membership rule that works fine.  All members of a certain organization are automatically assigned a certain role.  My access policy is set to provision an AD account to any member that is assigned the same role from the membership rule.  This access policy does not seem to get triggered.  The access policy is set to run with no approval, retrofit access policy is enabled, and it is set as priority 1 with "revoke if no longer applies" checked.  It is also assigned the Active Directory Users process form.  I cannot determine why this access policy is not being triggered to provision the role members to AD.  I have manually run the Evaluate Users Policies several times with no affect. 
  I believe this may be happening because the default prepopulate adapters are not working or are not configured correctly.   The 5 mandatory fields each have a prepopulate adapter assigned to them with the Default rule.  Correct me if I am wrong, but I believe the mandatory fields user id, first name, last name, common name, and user principal name?  The Org name and IT Resource are set as static values within the access policy.  Can anyone assist me in determining (1) why the access policy is not working and (2) why the prepopulate adapters such as ADIDC Populate Form Field for User ID and ADIDC Prepopulate UserPrincipalName for User Principal Name are not working?  Is there additional configuration that must take place with these out-of-the box adapters so they know which values to populate?

  Just verify whether following are check in AD prcess Defn:
  Auto Save Form
  This check box is used to designate whether Oracle Identity Manager should suppress display of the custom form associated with this provisioning process or display it and allow a user to supply it with data each time the process is instantiated.If you select this check box, it designates that Oracle Identity Manager should automatically save the data in the custom process form without first displaying the form. If you select this checkbox, you must supply either system-defined data or ensure that an adapter is configured to populate the form with the required data (since the user will not be able to access the form).If you clear this check box, it designates that Oracle Identity Manager should display the custom process form and allow users to enter data into its fields.
  Auto Pre-Populate
  This check box designates whether the fields of a custom form that:
  Are associated with the process
  Contain fields that have pre-populated adapters attached to them
  Also, while running "Evaluate User Policy" , clear the old time stamp and populate it with current time. Sometime I have seen people are doing mistake.
  ~J

• 8.0.6-119 on S160 can no longer see past the second access policy

  We upgraded an S160 to 8.0.6-119 today and now the appliance is not authenticating groups beyond restricted internet and information technology.  For example Access Policy #6 is called Marketing.  It has access to Streaming Media and Social Media (like youtube, facebook, twitter).  They are the marketing department that needs this access to do their job.  The identity policy is authenticated_users but it keeps falling under the last access policy "Global Access Policy" which results in request blocked based on URL category.
  I just don't get it.  Authenticated Users is selected to windows realm which the wsa joined to the domain and has 3 DC's and a CDA virtual appliance tied to it.  I don't see that being the issue because the policy trace correctly brings back all AD groups the user is tied to.  The scheme is Use Kerberos or NTLMSSP.  
  Next under access policies there are 14 of them before the global policy.  They are all authenticated users and pointed to the proper active directory groups.  Marketing is 6 out of 14 (not counting the non-numbered Global Policy at the bottom).
  So what could the issue be?

  I opened a case with TAC but have not heard back.  However it seems things are working now.  Perhaps they contacted in and corrected an issue but haven't had the chance to tell me what they did.  I have remote access enabled for Cisco TAC.
  Now when I do the policy trace, It actually applies the Marketing access policy, and AVC actually see's this is Facebook General (Facebook) in this case.  Before I think it said none for everything and access policy was global.

• How to Apply a Newly Created Access Policy on Existing Users in OIM????????

  How to Apply a Newly Created Access Policy on Existing Users in OIM?
  When the rule is getting failed the user is getting removed from the group but resource is not getting revoked. This is happening only for the old uses..for the users which i created now it working fine..i mean its resource is getting revoked.
  (Retrofit access policy" is checked on the Access Policyand Revoke if not longer applied is checked.)
  For the old users i see the POl_Key is null, for new users i see a value '10'. So i updated the pol_key for old users same as it got generated for new users '10'.
  i even updated the form version too but still revoke doesn't work.
  I cant go for the below approach..
  In order to apply a newly created Access Policy on existing users, one has to make sure that:
  1) "Retrofit access policy" is checked on the Access Policy.
  2) Then run the "Set User Provisioned Date" Schedule task to apply the Access Policy on the existing users in OIM.
  Note: After 9.1.0.1 BP03 the access policy execution has been moved to a new scheduled task "Evaluate User Policies" as mentioned inDocument 839368.1 :How to Use Access Policies to Provision with Groups.
  Is there any other approach i can try.. if you have any idea please reply me asap
  Thanks..

  Thanks for the reply kevin..
  We decided to try the Schedule task (Set User Provisioned Date).
  But i see one problem here after seeing this post in metalik --> Can Access Policies Manage The Life-cycle Of Users Created via Reconciliation? [ID 1136540.1]
  According to this post Access Policies framework does not manage users who are obtained either through trusted reconciliation or target reconciliation.
  Is there any custom way to achieve this??
  How does the access policy framework revoke resource work? (revoke if no longer applies)??
  Edited by: IDMuser19 on Jun 21, 2011 11:43 PM