OIA Policy Creation

It seems like the OIA OIM integration guide does not set up policy creation to push to OIM. Is that because in an integrated environment OIM should be creating the access policies and OIA should simply pull them in on a regular basis? Policy modification is set up to push to OIM in real time but not policy creation. Also, if you alter the Policy-Creation workflow in a similar manner to the other workflows that are pushing in real time, the policy creation still does not push. Can someone please explain how policies are supposed to be handled in a fully integrated OIA OIM environment?

Anil
As a long time member you should know by now that there is a minimum set of information that should accompany any post to this forum. In addition to the information Gaston has asked you to provide, I would consider providing the following (please remember this for next time):
FIM version number
FIM components installed
FIM exception text/detail - at the very least this should be the EXACT exception details that were displayed to you when you witnessed the failure (e.g. error dialog or details in the failed FIM Request); additionally you should always check the various event logs on the FIM sync/FIM service/FIM database servers.
Thanks.
Bob Bradley (FIMBob @ TheFIMTeam.com) ... now using FIM Event Broker for just-in-time delivery of FIM 2010 policy via the sync engine, and continuous compliance for FIM

Similar Messages

  • LC Rights Management End User can not find groups or users during policy creation process

    hello,
    I'm using LC8.0.1 turnkey install on win2003 box.
    Problem is LC Rights Management End User can not find groups or users (search result is empty) during policy creation process, thus can not apply specific restriction to certain groups or users.
    I have created a user in the DefaultDom and assigned the following roles:
    Live Cycle Rights Management Invite User
    Live Cycle Rights Management End User
    How can I allow the above created user to search for groups and user during policy creation? Thanks.

    Good catch Phuc. Make sure you do this for each Policy Set as well as My Policies.
    Here's an overview of Policy Sets:
    http://blogs.adobe.com/security/2008/04/delegating_control_over_policy.html
    Cut and paste the URL.

  • Entitlements Server Policy Creation

    Hi
    Can anyone please tell me whether the following cases are feasible?
    Do the users need to exist physically in the DB (Admin Server) before creating a policy for the respective user?
    (We were actually looking to create the policy with the userName by using an LDAP. The question is whether the administration server syncs up with the LDAP?)
    If there is any workaround or any earlier discussion on this, please forward it to me.
    Thanks
    Kish

    :/opt/SUNWappserver/domains/domain1/applications/j2ee.apps/epcis/-
    This should be j2ee-apps.
    I take it you rebooted the server then.

  • AttributeValuePair settings for Subject of Policy Creation

    Hi,
    I am trying to create policies using the command line tool amadmin. At this point I can create the policy with the desired rule but the subject isn't created properly.
    I am using Identity Server 6.1 on Solaris 9 and Directory Server 5.2 on a different Solaris 9 box.
    When I run asadmin, the user is authenticated and the policy is created. The policy consists of both a rule and a subject. The subject has the desired type LDAP Group but no groups are showing up (so it's essentially an empty subject of the right type).
    I think this may relate to an incorrect value that I'm filling into the Attribute element under the Subject. I have not been able to find any documentation about what this value should be and so I've been guessing with no luck. Here is my XML file (values bounded by underscores have been subbed in for security):
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!--
        Copyright (c) 2003 Sun Microsystems, Inc. All rights reserved
        Use is subject to license terms.
    -->
    <!DOCTYPE Requests
        PUBLIC "-//iPlanet//Sun ONE Identity Server 6.1 Admin CLI DTD//EN"
        "jar://com/iplanet/am/admin/cli/amAdmin.dtd"
    >
    <!--  CREATE REQUESTS -->
    <Requests>   
         <OrganizationRequests DN="_basedn_">
              <CreatePolicy createDN="_basedn_">
                   <Policy name="my_policy" referralPolicy="false" >
                        <Rule name="my_rule">
                             <ServiceName name="iPlanetAMWebAgentService" />
                             <ResourceName name="_resource_" />
                             <AttributeValuePair>
                                  <Attribute name="GET" />
                                  <Value>allow</Value>
                             </AttributeValuePair>
                             <AttributeValuePair>
                                  <Attribute name="POST" />
                                  <Value>allow</Value>
                             </AttributeValuePair>
                        </Rule>
                        <Subjects name="my_subjects" description="">
                             <Subject name="my_subject_1" type="LDAPGroups">
                                  <AttributeValuePair>
                                       <Attribute name="?????" />
                                       <Value>_full_dn_</Value>
                                  </AttributeValuePair>
                             </Subject>
                        </Subjects>
                   </Policy>
              </CreatePolicy>
         </OrganizationRequests>
    </Requests>
    One thing I've noticed is that changing the text of the value from the full dn of the LDAP group to gibberish has no effect on debug or verbose output. I'm not getting any errors at all from -v or -d, it just isn't putting the LDAP group into the policy.
    Thanks for any help, I'm not sure what to do here.
    Dave.

    Try this:
    <Subjects name="my_subjects" description="">
         <Subject name="my_subject_1" type="LDAPGroups" includeType="inclusive">
              <AttributeValuePair>
                   <Attribute name="Values" />
                   <Value>fulldn_</Value>
              </AttributeValuePair>
         </Subject>
    </Subjects>

  • ISE policy creation question - best practices

    Ok, I am a rookie ISE user here and am trying to learn as I go. I have a 802.1x policy for our corporate users on both wired and wireless and a wireless guest policy that redirects to the guest portal to enter credentials created in the sponsor portal. The corporate user has access to corporate resources and the guest basically has access to just the internet.
    I need to make what I am calling a Vendor policy that is basically a hybrid of the corporate user and the guest user. These would be vendors that are on-site to assist with programming and need access longer than what the guest account can be created for. This would also have specific ACLs that grant them access to the specific resources they would need. I would like to tie this into AD authentication since they have an AD account created to be able to access those corporate resources in most cases. My first question is do I have a single policy that is tweaked as vendors come and go or do I simply create a specific policy for each vendor? My second question is do I or should I create unique SSIDs for each vendor?
    As I said I am just now getting into getting ISE configured. I am just not sure of what is considered a best practice or what is considered a secure way to make things happen. In regards to the policies I have created, they work but I think I have a couple holes to address.
    Thanks ...
    Brent

    Mostly makes sense. I have the AD part just need to get an AD group created for my test subject.
    I created an Endpoint Identity Group to place the vendors devices into so that we can allow laptop to connect but not phone. Got that.
    I think I can handle the Authorization Profile. It will be something like if VendorAsset and AD1:ExternalGroups Equals VendorADGroup then VendorPermissions. VendorPermissions would be the ACL that limits where they can go. I also need to create a non 802.1x based SSID as well and add this to the Authorization profile but can still be generic enough to be useable by all vendors.
    I think it is my Authentication rules that I need to modify for Vendor as my Corporate based policies use Dot1x and I need a policy that does not use dot1x. Right?

  • Operation Level Approval Policy Creation Issue in OIM11gR2

    Hi Experts
    I have successfully registered approval process without any issues but while creating Operation Level Policy I have referred the approval process which I have registered before. While clicking Finish button I’m getting below exception in sysadmin console itself.
    Auto registration of approval process “default/aaa!1.0 <approval process name>” failed while creating policy “XXX” Register the approval process manually.
    Has anyone faced this issue before? Is there anything I have missed in registering the approval process?
    Please help me to fix this issue...
    Edited by: Vaitheeswaran Balakumar on Jan 2, 2013 1:22 AM
    Edited by: Vaitheeswaran Balakumar on Jan 2, 2013 4:23 AM

    Hi,
    But the question is: If it works for Level-1 approver, Why is it not working for Level-2 approver?
    Regards,
    Jubish

  • Policy Center: Policy creation...filters missing

    I notice that when I create a policy in Policy Center, only a subset of the usual filters are available, e.g. Alert etc are missing.
    Any particular reason for this?
    Also, just for my understanding on the role of Policy Center -
    In my scenario I have 2 instances of OEG (Test and Prod).
    My idea was to export all from Test and import to Policy Center.
    Then have Policy Center as my single point of truth and update the Prod environment from there.
    However, I hit the above issue (certain filters not supported) when I attempted to do this.
    So I assume this is not the preferred modus operandi.
    I can of course, in Policy Center, select all, or a subset of, the artifacts from Test and deploy straight to Prod.

    Would it be possible to get a screenshot of the missing alert filter? This should be found in the "Monitoring" section of the palette.
    Policy Center is a central point where you can manage, control and version policies and push them out to all Gateways in your domain.

  • ESM Policy Creation UI Bug?

    I have a large list of Filtered APs I need to enter into the Wi-Fi Management section of a policy, but once I get to the bottom of the screen no scrollbar appears and I can no longer see the next row in the table in order to enter the next Filtered AP's SSID and MAC address.
    I have tried various keyboard gymnastics moves and window resizing tricks, but nothing seems to allow me to see the next row.
    I am running ESM 3.5.0.160 in standalone mode on Windows XP Pro SP3.
    Does anyone have a workaround for this issue or is there perhaps a bug fix somewhere I may have missed? Does this issue disappear in other OSs?
    Thank you,
    Jason Ayotte

    jayotte,
    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://support.novell.com and search the knowledgebase and/or check all
    the other self support options and support programs available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.novell.com)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.novell.com/faq.php
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://support.novell.com/forums/

  • Password Policy creation error: Incorrect Domain Name

    Hi folks,
    I'm getting a rather strange error ("Incorrect Domain Name") while trying to create a new Password Policy in OAM to enable user account lockout. I provide a name for the Password Policy, and use a simple Policy Domain I've created as "Password Policy Domain", plus some basic values. I realize it's something simple, yet I cannot figure out why the domain name would be incorrect.
    Any help is greatly appreciated.
    Thank you
    Roman

    In the password policy domain field you have to enter the base dn for the user to which this policy will be applied, something like ou=users,dc=company,dc=com
    Check the directory profile of the user store.

  • CSM signature policy creation

    As I said in my previous post today, we are evaluating CSM for 50 IDS/IPS 4000/IDSM sensors. Questions about policy management:
    Can I take the default policy, modify signatures and deploy it down to the sensor?
    Or, do I have to clone every signature in the default policy, and create a new policy and then deploy it?
    When you add a device into the CSM that already has a local policy, it appears the signatures are read-only. How would I change the settings, example, add a logging parameter and then re-deploy?

    Refer to the Managing IPS Devices section of the following document for more details:
    http://www.cisco.com/en/US/products/ps6498/products_user_guide_chapter09186a00807e8596.html

  • A few questions about Group Policy development

    This post was originally in the Windows Development forum. Please note the following:
    This question is not about the application and management of GPOs. It's about how to develop a group policy.
    I know about Group Policy Preferences, please do not provide this as an answer.
    I create a custom group policy for an application.
    Recently the application developers allowed settings to be controlled via policy registry keys, in order to make these settings easier to set for Systems Administrators I have created a GPO. Unfortunately, there aren't that many resources I can find that help with Group Policy creation, so:
    Is there an easier way to create and edit admx/adml files rather than just an xml editor? Like a GUI front end?
    The vast majority of this application's settings are just a simple Boolean, is there any way to just use one base presentation element for multiple policies? Or do I really have to create a presentation element for every single policy? :/
    As mentioned above, most settings are a simple Boolean, but with an additional enforce parameter. If you "enforce" the setting the user is blocked from changing the value. I was going to peg the setting Boolean to whether the policy was Enabled or Disabled and have an enforce check box in the policy itself (this would make it easier to just glance at the configured settings and get an idea). Unfortunately, when you disable a policy you cannot interact with its contents, so the enforce check box cannot be toggled. So I have two options:
    Have two policies for each setting eg: Disabled: Load printer settings with the document and
    Enabled: ENFORCE Load printer settings with the document
    OR what I have elected to do is just have the one policy with 2 check-boxes in it, one for the setting and one for the enforcement
    The former is both more complex to write for me and more time consuming to configure for the Administrator, the latter is easier for me to write but still annoying to use. So my final question is: can I make it so, even though a policy is disabled, you can still toggle settings within the policy?

    Hi Thomas.
    > (this will set the default in the application) and then toggling whether
    > that setting is Enforced (unable for the user to modify it - disabling
    > it in the user interface).
    As said - that's not how policies are intended to work - they are always
    enforced. You are talking about preferences that have an optional
    "enforce" switch :) But doesn't matter for the remainder of this post.
    >  1. The presentation table contains hundreds of presentation tags that
    >     essentially are the same thing. From your response there is no way
    >     to make the GPO any easy to write? I can't just create one generic
    >     presentation that multiple policies can use? I have to create a
    >     presentation for every. single. policy.?
    I'd suggest to use ADM instead of ADMX. Much easier to write and
    maintain, and copy/paste works very well in ADM :)
    https://msdn.microsoft.com/library/bb742499.aspx
    >  2. Because of how the settings are set, as mentioned in my earlier
    >     post, I have chosen to have each policy contain two check boxes.
    >     Each setting could be set to the following:
    >      1. True
    >      2. False
    >      3. True and Enforced
    >      4. False and Enforced
    What elements you need depends on the registry values your application
    is expecting/checking. I'd suggest a radio button (enabled/disabled) and
    a check box "enforced".
    >     there a way for a Disabled policy to also have settings that can be
    >     modified in Group Policy Management? Or can only Enabled policies be
    >     modified?
    You cannot edit what a disabled GPO does, but you can define it
    (VALUEOFF in ADM files if I recall correctly).
    >     well because it would make it easier for them to read the GPO. But I
    >     think you are saying this is not possible.
    Yes, it isn't. It still - at least to me - is a slight misunderstanding
    of "preferences" versus "policies" :)
    Greetings/Grüße,
    Martin

  • Insurance Policy in SAP

    Hi,
    There is a requirement of my client to map the following process in SAP:
    1) Policy creation, premium payment, validity period of policy, policy tracking based on broker/insurance provider.
    2) Claim notification, linking of claims with policy
    3) Reports of policy claims, active policies etc.
    We want to map this process in SAP ERP and not to use SAP Insurance vertical. Please suggest the best way to do this.
    Thanks
    Arun

    For policy creation and validity, maybe make a small Z program. And payment will be through the FI module.
    You can use QM notification for points 2 and 3. You can add your own fields in QM notification. We had given the solution of QM notification to our client, which is working well.
    Regards

  • Policy Implement for Clients through DSFW

    HI,
    I have to implement some policies at remote site (218 locations) with Domain controller.
    Please suggest regarding the Group Policy creation. Policies are mentioned below:
    Local Policy
    Site Policy
    Domain Policy
    Organizational Unit(OU) policy


  • File Not Found Exception for select_attributes.jsff in OESOIMTaskflows.jar

    Upon trying to create an authorization policy, I am running into the following error:
    java.io.FileNotFoundException: file:/opt/oracle/Middleware/Oracle_IDM1/server/apps/oim.ear/admin.war/WEB-INF/lib/OESOIMTaskFlows.jar!/taskflows/dialogs/select_attributes.jsff
    I went to the OESOIMTaskFlows.jar file and exploded it. I verified the select_attributes.jsff file does indeed exist. I am not sure why it is failing at this step. Does anyone have any idea how to get this file to register?
    One thing I have done out of the ordinary is re-deploying a new instance on an existing Middleware Home (Oracle_IDM1/SOA1) by dropping/re-creating the tables via RCU, removing the user_projects folder, and running the config in Oracle_IDM1
    Thanks.

    FYI, for anyone seeing this or anything similar, I did the following:
    Checked my log at each step of authorization policy creation. Prior to clicking the edit attributes button, I noticed that there were too many open files in the log.
    - went to /etc/security/limits.conf
    - changed the hard / soft nofile limit to 65535
    This seemed to fix the issue.

  • Calendar Sharing between 2 organisation Exchange 2010 SP3 and Exchange online with Federation Trust.

    Hi...
    Our company is running Exchange Server 2010 SP3 Standard and would like to have a shared calendar with an organisation running Exchange Online.
    We made a Federation trust between the organisations and I checked that one certificate was installed and the rule for their domain was created. But when I try to share my calendar I always receive:
    "Calendar sharing is not available with the following contacts because of permission settings on your network."
    Name I took from GAL or input manually and always same. Forgot to mention that we migrated from Exchange 2003 to 2010 SP3 and all old exchange servers I removed. I tried everything that I know and read and nothing helped.
    Hope for your support.
    Thank you.

    1)I deleted everything and made step by step as indicated in your articles.
    2) recreated organisation relationship:
    RunspaceId            : xxxxxxxxxx
    DomainNames           : {xxxxxxx.microsoftonline.com, xxxxxxxxx.onmicrosoft.com, xxxxxxx.com}
    FreeBusyAccessEnabled : True
    FreeBusyAccessLevel   : LimitedDetails
    FreeBusyAccessScope   :
    MailboxMoveEnabled    : False
    DeliveryReportEnabled : False
    MailTipsAccessEnabled : False
    MailTipsAccessLevel   : None
    MailTipsAccessScope   :
    TargetApplicationUri  : outlook.com
    TargetSharingEpr      :
    TargetOwaURL          :
    TargetAutodiscoverEpr : https://pod12312.outlook.com/autodiscover/autodiscover.svc/WSSecurity
    OrganizationContact   :
    Enabled               : True
    ArchiveAccessEnabled  : False
    AdminDisplayName      :
    ExchangeVersion       : 0.10 (14.0.100.0)
    Name                  : xxx
    DistinguishedName     : CN=xxx,CN=Federation,CN=uxx,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=uxxx,DC=com
    Identity              : Lxx
    Guid                  : a8xxx
    ObjectCategory        : upxxs.com/Configuration/Schema/ms-Exch-Fed-Sharing-Relationship
    ObjectClass           : {top, msExchFedSharingRelationship}
    WhenChanged           : 27/01/2015 3:23:47 PM
    WhenCreated           : 26/01/2015 9:41:39 AM
    WhenChangedUTC        : 27/01/2015 8:23:47 PM
    WhenCreatedUTC        : 26/01/2015 2:41:39 PM
    OrganizationId        :
    OriginatingServer     : xxx.upxxxns.com
    IsValid               : True
    3. Configured Sharing Policies:
    [PS] C:\Windows\system32>Get-SharingPolicy
    Name                      Domains                                  Enabled    Default
    Default Sharing Policy    {*:CalendarSharingFreeBusySimple}        True       False
    Lxxx                              {lxxx.com:CalendarSharingFreeBusy...     True       True
    I added my mailbox to the sharing policy but in the end I receive the same error:
    Calendar sharing is not available with the following contacts because of permission settings on your network.
    In EventViewer everything seems to be fine....
    No errors on policy creation... How can these "permission settings on your network" be checked? Are they on Exchange or on the DC?
