OAM 10g - obmygroups and nested dynamic groups

I've run into an issue with the obmygroups header action in OAM 10g, and I'm not sure whether this is by design or not.
The obmygroups will return static and dynamic group names for which the user is a member, and it will return static groups that contain nested static groups where the user is a member of the nested group. However, it doesn't seem to return static groups with nested dynamic groups where the user is a member of the nested dynamic group.
Is that by design? Is there any way to nest dynamic groups so that obmygroups will return the parent group name? I'd like to have a group that contains both nested static and nested dynamic groups, and have the obmygroups action return the name of the parent group.
Thanks,
Matt

Return Attribute Action in authentication or authorization rules
obmygroups:<ldap_url> special attribute returns those groups to which the user belongs that also satisfy the criteria <ldap_url> filter specifies.
EX: "obmygroups:ldap:///cn=Groups,dc=myorg,dc=com??sub?(group_type=role)" returns all the groups in the cn=Groups,dc=myorg,dc=com tree for which the logged-in user is a member and the group_type is role.
For more information, check the OAM Access Administration Guide.
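
An added example, not part of the thread and not OAM code: a client-side resolver that walks up nested groups, either following parents of dynamic groups or stopping at them (modelling the behaviour reported in the question). It assumes static membership in uniqueMember and dynamic membership as a memberURL LDAP URL; the directory entries, the dept attribute and all function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample directory (DN -> attributes); all names are made up.
# uniqueMember = static members (users or nested groups); memberURL = dynamic rule.
PEOPLE, GROUPS = "ou=people,dc=example,dc=com", "ou=groups,dc=example,dc=com"
MATT, ANN = "uid=matt," + PEOPLE, "uid=ann," + PEOPLE
ENG_DYN, OPS, PARENT = ("cn=%s,%s" % (n, GROUPS) for n in ("eng-dyn", "ops", "parent"))
DIRECTORY = {
    MATT: {"dept": ["eng"]},
    ANN: {"dept": ["sales"]},
    ENG_DYN: {"memberURL": ["ldap:///" + PEOPLE + "??sub?(dept=eng)"]},
    OPS: {"uniqueMember": [ANN]},
    PARENT: {"uniqueMember": [ENG_DYN, OPS]},  # nests one dynamic, one static group
}
SIMPLE_FILTER = re.compile(r"^\((\w+)=([^()*]+)\)$")

def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter into (base, scope, filter)."""
    parts = (url.split("///", 1)[1].split("?", 3) + ["", "", ""])[:4]
    base, _attrs, scope, flt = (unquote(p) for p in parts)
    return base.lower(), (scope or "base").lower(), flt

def matches(dn, attrs, url):
    """True if the entry is in the URL's scope and satisfies its filter."""
    base, scope, flt = parse_ldap_url(url)
    m = SIMPLE_FILTER.match(flt)
    if not m:  # this sketch handles (attr=value) only, not the full filter grammar
        raise ValueError("unsupported filter: %r" % flt)
    dn = dn.lower()
    below = dn.endswith("," + base)
    in_scope = {"base": dn == base, "sub": dn == base or below,
                "one": below and "," not in dn[:-len(base) - 1]}.get(scope, False)
    wanted = m.group(1).lower()
    values = [v.lower() for k, vs in attrs.items() if k.lower() == wanted for v in vs]
    return in_scope and m.group(2).lower() in values

def direct_groups(dn, directory):
    """Groups naming dn as a static member or matching it through memberURL."""
    attrs = directory.get(dn, {})
    return {g for g, ga in directory.items()
            if dn in ga.get("uniqueMember", [])
            or any(matches(dn, attrs, u) for u in ga.get("memberURL", []))}

def all_groups(dn, directory, through_dynamic=True):
    """Walk up nested groups; through_dynamic=False stops at dynamic groups,
    modelling the behaviour reported in the question above."""
    seen, queue = set(), [dn]
    while queue:
        for g in direct_groups(queue.pop(), directory) - seen:
            seen.add(g)
            if through_dynamic or "memberURL" not in directory[g]:
                queue.append(g)
    return seen
```

With through_dynamic=False the parent group is missing for a user who reaches it only through the nested dynamic group, which is the gap an authorization rule keyed on the parent group name would hit.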

Similar Messages

  • Configuration of oim 10g and oam 10g.. and integrating oam10g with oid

    Hi..
    I am trying to configure OAM10g and OIM10g and integrate OAM10g with OID..
    Please send me the documents if anyone has them...
    Thanks & Regards,
    avinash

    For integrating OIM 10g with OAM 10g, refer doc below:
    http://docs.oracle.com/cd/E14899_01/doc.9102/e14761/oamsso.htm#sthref78
    For OAM and OID integration refer:
    http://docs.oracle.com/cd/E15217_01/index.htm
    regards,
    GP

  • URGENT: OAM 10g server and webgate certificates query

    Hi experts,
    There is an OAM 10g environment. OAM Access Server and Identity Server is installed and up and running. OAM servers are in CERT mode. So to install webgates residing in different machines from OAM servers, can we use the same OAM Access Server certificates for WebGate certificate while installing WebGate?
    Thanks
    IDM Team.
    Edited by: 898990 on Mar 13, 2013 1:38 PM

    Figured it out. The OAM proxy (AccessServerConfigProxy @port 5575) for 10g webgates was configured to listen in cert mode. I had to switch it to open mode. Not sure how it got switched, but got the webgate install going for now. Thanks.

  • 10.5.1 update and nested Smart Groups

    After installing the 10.5.1 update, it seems that my address book smart groups no longer "nest" properly within regular address book groups.
    Example: I have several smart groups built with rules like "email contains company X", these smart groups have all been added to a group called "work". It seems like the "work" group no longer recognizes members of smart group "Company A". For example, an email addressed to "work" does not include any company A members. Also, Mail.app rules based on "sender is a member of group "work".
    I've tried rebooting, re-importing my original address book, and deleting existing address book contents and rebuilding groups from scratch.

    I am able to launch FCE 3.5.1 on 10.5.1 without issues.
    You may want to trash your FCE preferences (~Library/Preference/...), if you haven't already tried that, as they may have been corrupted.

  • NCM Dynamic Groups

    We are currently running CiscoWorks Network Compliance Manager 1.3.SP2 (Build 4755-070308) and our dynamic groups are limited by 10 "Search Criteria" and because some of the devices don't follow the same naming standard and NCM is case sensitive I am having issues getting all the correct devices into the correct groups. Is there a way to use linux grep commands to add devices to groups? I see NCM has a command line but it does not appear to allow any type of grep or regular expression commands.

    Hey josephenix, it sounds like you have a very reasonable need and use.  Be aware that dynamic groups do require higher CPU resources because of the need to process conditional logic on the device inventory.  I would think that having 10 conditional rules puts you at the extreme case.
    I can appreciate your need to have the inventory dynamically updated as multiple users are adding/changing things.  However, you might be negatively impacting normal use with your current process.
    I might suggest this...
    Using the method I described earlier, connect to the NCM proxy and issue a 'list device' - this will get you a list of all devices in inventory - put this into an array. Iterate over the array and send each into a query for the NCM proxy with command "list groups -type device -host $DEVICENAME" - this will show you the device groups the device is in - this can go into another array. You can use your Linux grep commands to determine if it's in the right group. Then use the 'add device to group' command we discussed earlier, if it isn't in the right group.
    You could automate/cron this to run once every 2 hours or so.  This would allow you to programmatically map devices to static device groups and get the benefits of performance with that, but still allow you some flexibility in dynamic naming...
    I hope that helps!

  • Administration group vs Dynamic group in 12c

    Hi All,
    I was going thru 12cR2 documentation, and description for Administration group and Dynamic group looks same to me.
    Does any one of you know what's the real difference between them?
    Has any one of you started using this new feature in 12c?
    Thanks in advance....

    Hi,
    Administration groups and dynamic groups are similar in that their membership is dynamic, i.e. you specify the membership criteria based on target properties, and Enterprise Manager will automatically add the targets into the appropriate administration group and/or dynamic group(s) if the targets' properties match their criteria.
    However, administration groups have additional semantics. As it is mentioned in the doc: "Administration groups greatly simplify the process of setting up targets for management in Enterprise Manager by automating the application of management settings such as monitoring settings or compliance standards. Typically, these settings are manually applied to individual target, or perhaps semi-automatically using custom scripts. However, by defining administration groups, Enterprise Manager uses specific target properties to direct the target to the appropriate administration group and then automatically apply the requisite monitoring and management settings. This level of automation simplifies the target setup process and also enables a datacenter to easily scale as new targets are added to Enterprise Manager for management."
    So you use administration groups primarily to automate the process of setting up your targets for monitoring/management. Once a target joins an administration group, then Enterprise Manager automatically applies to the target the monitoring templates and/or compliance standards and/or cloud policies that you have associated with your administration group. Because of this feature, a target can belong to at most one administration group. This is to prevent conflicting scenarios where a target is part of multiple administration groups that have different associated monitoring templates.
    Both dynamic groups and administration groups support group operations -- running jobs, reports, etc.
    So if you want to leverage the automation of target setup provided by administration groups/template collections... then use administration groups.
    If you want to leverage the dynamic membership of groups and have requirements that a target needs to be part of multiple of such groups, use dynamic groups.
    Regards,
    Ana

  • Dynamic Groups in OAM

    Hi,
    Can we configure dynamic groups in OAM? If yes, please let me know the steps to perform it.
    I have created a workflow for dynamic groups, but after doing that, when I try to create a group, it says "You don't have permissions to perform this action".
    Thanks in advance
    Rashi

    Yes, you can create dynamic groups through OAM.
    Whatever your structural group objectclass (typically groupOfUniqueNames), OAM will allow you to create objects of this type via Group Manager Create Group Workflow.
    My suggestion, based on your post, is to first confirm that you can create a workflow that will allow you to create a simple groupOfUniqueNames object. Sounds like your workflow was not enabled or you were not a valid participant in the initiate step.
    To reach your goal, you need to configure Group Type Panels (poorly documented today). This allows you to define other 'types' of groups based on the inclusion of auxiliary objectclasses.
    Create two group type panels: Call the first one BASIC GROUPS and associate it with the groupOfUniqueNames structural objectclass. Create a second group type panel and call it Advanced Groups and associate with oblixAdvancedGroup auxiliary objectclass.
    With these configured, proceed to define a Create Group workflow. As you do, you will notice a change to the user interface to include a checkbox for 'Advanced Groups' (which comes from the name you gave your group type panel). Checking this before proceeding into the workflow applet has the effect of giving you access to the attributes of the oblixAdvancedGroup class. This is where you find the oblixDynamicFilter and other useful attributes.
    Use Group Type Panels to provide appropriate inclusion for any other aux classes that you require to build the type of group object that you need.
    I hope that is enough to get you going in the right direction.
    Cheers,
    Mark

  • SQL Query for members of dynamic group - Need to include Name, Path and Type

    Hello,
    I built a custom dynamic group that has all my SQL databases in it using SCOM 2012 SP1. The group works fine as I can see the Name (ie, Database name), Health State, Path (ie, hostname/instance) and Types (ie; SQL 2005). Now I'm trying to build a custom report based off this same information using a SQL query. I'm no DBA and could use some help. So far this is what I have
    use
    select SourceObjectDisplayName as 'Group Name',
           TargetObjectDisplayName, TargetObjectPath
    from RelationshipGenericView
    where isDeleted=0
    AND SourceObjectDisplayName like 'SQL_Databases_All'
    ORDER BY TargetObjectDisplayName
    This gets me the Group Name (which i really don't care about), database name, and hostname/instance. What I am missing is the Health State and most importantly the Type (ie, SQL Server 2005 DB, SQL Server 2008DB).
    If someone could assist me here I would appreciate it. I believe I need to do some type of INNER JOIN but have no idea where the SQL type info lives or the proper structure to use. Thanks
    OperationsManager

    Here's the updated Query for OpsMan 2012 R2:
    To find all members of a given group (change the group name below):
    select SourceObjectDisplayName as 'Group Name', TargetObjectDisplayName as 'Group Members'
    from RelationshipGenericView
    where isDeleted=0
    AND SourceObjectDisplayName = 'Agent Managed Computer Group'
    ORDER BY TargetObjectDisplayName

  • Row Level Security using BO SDK - Dynamic Group and Criteria (where clauses)

    To the Universe Gurus out there:
    I have a rather daunting task of implementing a Row Level Security on a number of tables within our project using BO XI R2 SP2 with SQLServer 2005. Given the nature of the requirements around this (listed below), I am going to go with BO SDK to accomplish the creation of Restrictions. That said, I need some insight into some of the problem areas I have listed below. Any help is much appreciated.
    Background:
    We have 11 tables that are to be restricted.
    Each table is accessible to potentially 1..* group of users only.
    For eg SALES is accessible to ALL_SALES members only.
    Each row within each table is accessible to 1..* groups of users only. The restriction will occur on 2 columns Jurisdiction and LineID on SALES table.
    For eg
    1)Rows with NY Jurisdiction and LineID=123 are accessible to NY_SALES_ADMIN group only initially.
    2)NY_ADMIN will then approve that the above rows be open to NY_SALES_INTERNAL group only. This approval in turn will call upon the BO SDK to add a new restriction for the group with appropriate where clause.
    3)At a later point, the above rows will be opened to NY_SALES_EXTERNAL group also.
    This same concept holds good a number of jurisdiction (more or less static) and a dynamic number of LineIDs. So, if 10000 rows of data corresponding to new LineID 999 and Jurisdiction AK are in the table now, they are initially accessible only to AK_SALES_ADMIN group only. No one else should be able to access it.
    Results:
    1) With the way I laid out the business rules above, I am ending up with 528 groups.
    2) There is a restriction created for a unique combination of Jurisdiction and LineID for each table.
    Problems/Questions:
    How can I restrict access to the new rows to one group only. I know that I can let a certain group only look at certain data but how can I restrict that all others cannot look at the same.
    AK_SALES_ADMIN can look at LineID=999 and Jurisdiction='AK'.
    Do I use an Everyone group based restriction? If so, my Everyone group will end up with tons of restrictions. How will they be resolved in terms of priority.
    Am I even thinking of this the right way or is there a more noble way to do this?
    Regards

    the connectinit setting should look something like this:
    declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
    The vpd_setup procedure (in Oracle) should look like this:
    CREATE OR REPLACE procedure vpd_setup (p_user varchar) IS
    BEGIN
      -- set_context is the DBMS_SESSION call that stores a value in an application context
      DBMS_SESSION.set_context( 'SESSION_VALUES', 'USERID', p_user );
    END vpd_setup;
    Then you can retrieve the value of the context variable in your vpd functions
    and set the vpd.

  • How to create checkbox group and table dynamically?

    HI All
    How to create checkbox group and table dynamically?
    Regards
    Ravi

    hi
    check these links for creating tables dynamically
    How to Create a table dynamically?
    Re: how to create a table dynamically in webdynpro
    and for checkboxgroup
    IWDTransparentContainer rootContainer =
        (IWDTransparentContainer) view.getElement("RootUIElementContainer");
    // In "Check"+k, k is a value that is unique every time you create an element, so that you won't get a duplicate instance
    IWDCheckBox check = (IWDCheckBox) view.createElement(IWDCheckBox.class, "Check" + k);
    check.setChecked(false);
    rootContainer.addChild(check);
    or Re: adding checkboxes dynamically

  • Using Dynamic Groups in Ldap for Accounts and Roles

    Does anyone currently use dynamic groups in LDAP for accounts and roles? I have set up a dynamic group in ldap (we are using OID Oracle internet Directory 10.1.2.0) , ldapsearch returns the correct list of unique names, but the account does not appear on my profile page when I log in to UCM (10.1.3). I cannot find any documentation so I'm asking myself if it is supported .....

    Thanks tim ... will check, but Oracle are saying :
    Oracle Universal Content Management - Version: 7.5.1
    Information in this document applies to any platform.
    Product: Content Server
    Version: 6.0
    Goal
    Can the Content Server's LDAP provider support, or can it be configured to support, dynamic LDAP groups?
    Solution
    The Content Server by itself is unable to process dynamic LDAP groups since the filter that is used cannot read dynamic groups. However, dynamic groups can still work in the Content Server if the permissions for the queried user are generated on the LDAP server side. For example: Novell and Active Directory both have this functionality.
    to which I have replied you support 3rd party ldaps, but not your own? Shurely shome mishtake ..... if ldap search works in a seamless way, surely provider should too ....
    Billy, you may well be right, just got a cashflow problem over here !

  • Dynamic Groups in LDAP and Calendar

    Folks,
    I have defined a dynamic group in LDAP. I would like for that group to be invited to an event. When I add an event and search I find the group. When I check the group and click 'OK' it doesn't show the group as invited. When I search again, it says the group is included but no one is invited.
    Also, how do I protect a group from being used by anybody???
    keith


  • OID Dynamic Groups and J2EE security roles

    Hi
    I've searched the forums but can't get a definite answer. Is it possible to use OID dynamic groups and map them to J2EE security roles? I can't find anything that says specifically not but I can't seem to get it to work.
    Thanks
    Adam

    Hi,
    Let me know if you find the answer to your question.
    thanks

  • OIM 9.1 and OAM 10g integration document

    Hi,
    Could you please provide me any link or document for OIM 9.1.0.2 integration with OAM 10g ?
    Thanks
    Sandy

    Best Practices Document:
    http://download.oracle.com/docs/cd/E14899_01/doc.9102/e14761/oamsso.htm#sthref78
    Within OIM, once you have configured OAM to pass a header variable, it's just 2 parameters that change in the OIM xlconfig.xml file.
    -Kevin

  • ACI and dynamic groups

    I can't seem to get dynamic groups working. Here's my dynamic group setup:
    ldapsearch -D "cn=directory manager" -w "passwd01" -b "ou=internal,dc=example,dc=com" "objectclass=groupOfUrls"
    version: 1
    dn: cn=istest,ou=Groups,ou=internal,dc=example,dc=com
    cn: istest
    objectClass: top
    objectClass: groupOfUrls
    ou: Groups
    memberURL: ldap:///ou=people,ou=internal,dc=example,dc=com??sub?(uid=user1)
    I know for sure user1 exists:
    ldapsearch -D "cn=directory manager" -w "passwd01" -b "ou=internal,dc=example,dc=com" "uid=user1"
    version: 1
    dn: uid=user1,ou=people,ou=internal,dc=example,dc=com
    objectClass: shadowAccount
    objectClass: posixAccount
    objectClass: account
    objectClass: top
    loginShell: /bin/bash
    uidNumber: 3000
    homeDirectory: /home/user1
    gecos: User1
    cn: User1
    gidNumber: 500
    uid: user1
    When I run a search, I get nothing:
    ldapsearch -D "cn=Directory Manager" -w passwd01 -b "ou=internal,dc=example,dc=com" "(isMemberOf=cn=istest,ou=Groups,ou=internal,dc=example,dc=com)"
    Directory Server version: 6.3
    Using /usr/bin/ldapsearch on solaris 10.
    My main objective is to use dynamic groups to setup some ACI. eg: allow user w/ attribute gidNumber=400 full read/write.
    mike

    ismemberof only works for static groups.
    "My main objective is to use dynamic groups to setup some ACI. eg: allow user w/ attribute gidNumber=400 full read/write."
    Have you considered using filtered roles?
