OIM 11g authorization policy issue

Hi all,
We have created one authorization policy, which will give the following permissions to the users:
1. Search users
2. View user details
3. Modify a single attribute in user profile
It has been assigned to a role.
Now we assigned this role to a user and he is able to search the users and view the details, but he is able to edit all the attributes besides the specified one. Please let me know where I am going wrong.

In the Modify User, check for which all attributes are selected...if all are selected, then just select only one which you require.
J

Similar Messages

  • OIM 11g - Authorization Policy

    Hi,
    I am facing an issue in OIM 11g Authorization policy configuration. I am using OIM version 11.1.1.5.
    I have created an OU --> Sample Helpdesk OU. Under this OU, I have created a user --> Sample Helpdesk user.
    I have created a role --> Sample Helpdesk Role and assigned this role to the user --> Sample Helpdesk user.
    I have created an Auth Policy --> "HelpDesk Create User - HelpDesk OU" which has to allow the user --> Sample Helpdesk user, to create new users under the organization "Sample Helpdesk OU".
    During creation of a user in OIM, I am not able to search the Organization in the lookup field. I am getting zero records for the search. I used all types of filters to search the OU in the OIM User Form.
    Thanks,
    Sandy.
    Edited by: Sandy on Dec 6, 2011 9:24 PM
    Edited by: Sandy on Dec 6, 2011 9:25 PM

    Hi,
    Make Helpdesk Role created above as administrative role of OU.
    Regards,
    Raghav.

  • OIM 11g: Access policy issue

    Hi All
    We are using OIM 11.1.1.5.0, Weblogic 10.3.5 and Oracle DB EE 11.2.0.2.
    We have defined the role "CommonUsers" and assigned access policies with "AD and Exchange" resources. Exchange is a dependent resource on AD. Then we executed a PSFT feed file to load users into OIM, which will assign the role to users based on conditions performed by custom adapters. Here the "CommonUsers" role is getting assigned to users, but both resources are not assigned to the users. For some of the users "AD" is assigned but not Exchange, and for some of the users both resources are not assigned. For a few of the users both resources are assigned.
    Can you please suggest why OIM is not assigning the two resources to users with the role assignment? And why is it performing in that way?
    Thanks.

    I have reconciled 4 users, the role was assigned to them (4 users) but for 2 users, OIM did not initiate Resource Provisioning. When I manually assign the role to any user, sometimes it's not initiating the Resource Provisioning task. There is no log information for this situation.
    Thanks.

  • OIM 11g - User Management Authorization policy issues

    Hello,
    1) Created an organization -> Human Resource
    2) Created an Role -> HR_Admins
    3) Assigned HR_Admins roles as administrative role of Human Resource organization
    4) Created user1 with organization as Human Resource & Assigned HR_Admins role to this user.
    5) Created authorization policy for user management with following selections
    Permission -> Create User.
    Data Constraints -> Selected "Users that are members of selected Organizations" & selected above Human Resource organization.
    Assignment -> HR_Admins role .
    Now when I log in as user1 I am not able to see the Administration tab where I can select Create user.
    I have been working on this issue for a couple of days, but am not able to find the solution. Have I missed some configurations?
    Thank-You
    Rahul Shah

    Hi Rahul,
    I have tested your scenario with the clause below:
    1) Created an organization -> Human Resource
    2) Created an Role -> HR_Admins
    3) Assigned HR_Admins roles as administrative role of Human Resource organization
    4) Created user1 with organization as Human Resource & Assigned HR_Admins role to this user. : default role All Users
    5) Created authorization policy for user management with following selections
    Permission -> Create User. :- *"Select ALL"*
    Data Constraints -> Selected "Users that are members of selected Organizations" & selected above Human Resource organization.
    Assignment -> HR_Admins role .
    In data constraints
    Organization Security Setting     Hierarchy Aware (include all Child Organizations)
    Now I am able to see the create user tab and, I can create user in Human Resource org only.
    If it doesn't work for you, just assign "REQUEST ADMINISTRATOR" IN AUTH POLICY. Test the result.
    Also what is your OIM version?
    Test it with fresh data like new role name, org and user,
    -kuldeep
    Edited by: Kuldeep on May 22, 2012 4:19 AM

  • OIM 11g R2 installation Issue. OIM Schema creation failed using RCU 11.1.2

    I have been trying to install OIM 11g R2 on a Windows server 2008 R2 64 Bit and have been encountering the following error during the OIM schema creation. The other schemas, such as Metadata, SOA, user messaging services and other associated schema creation was successful. But, the OIM schema creation was taking more than 2 minutes and finally it fails with the below error.
    RCU-6130: Action failed
    RCU-6135: Error while trying to execute java action.
    Components used:
    OS: Windows Server 2008 R2 64 Bit
    DBS: 11gR2 (11.2.0.1)
    RCU: 11.1.2
    The first error that occurred was ora-12637 packet receive failed, followed by Table or View does not exist. I could not fetch much information from the oim and rcu.log.
    I have set the processes, open_cursors and session_cached_cursors as suggested in the preinstallation step of OIM 11g R2 installation.
    Any pointers on this will be highly appreciated.
    Thanks,
    Srini

    Copy the msvcr71.dll file from rcuHome\jdk\jre\bin inside rcu installer and paste it in C:\Windows\SysWOW64.
    Try running the rcu again with the new user i.e. instead of DEV_OIM, run it with DEV_OIM1.
    Or drop the DEV_OIM user first and then use the same user.

  • OIM 11g - Time zone Issue

    Hi,
    We have an OIM 11g instance running at a central location (PST). Our implementation is for a global company having offices at multiple locations (say Germany, US, India and Japan). So, the users should be provisioned / terminated only on the local time zones.
    All the servers are present in "PST".
    Any pointers are appreciated.
    Regards
    Vicky

    Hi Atul,
    Thanks for your response.
    But how will running at three different timezones help me?
    Say I have a user in Japan and a user in India. Both users' termination date is tomorrow. (Received from PSFT, future dated termination.)
    So, when the job is run according to Japan's time zone, the user will be terminated and will be deprovisioned as expected.
    Here comes the problem, because of the same date, the user in India who is supposed to be terminated on his last day ( day ending say 6 PM) will lose his access well before that.
    Correct me if I am missing something.
    Regards
    Vicky
    Edited by: vicky on Mar 8, 2011 2:47 AM

  • ISE Authorization Policy Issues

    Hello Team,
    I'm having trouble during my implementation: the User PC never gets an IP address from the Access VLAN after the AuthZ Policy succeeded.
    I have two vlans in my implementation:
    Vlan ID 802 for Authentication (Subnet 10.2.39.0)
    Vlan ID 50 for Access Users (Subnet Y.Y.Y.Y)
    When I start my User PC, I get an IP for VLAN 802 (10.2.39.3) and after the Posture process, ISE informs the switch to put the User PC port in VLAN 50.
    Here I have my Switch Port Configuration:
    interface GigabitEthernet0/38
     switchport access vlan 802
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 120
     ip access-group ACL-DEFAULT in
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 50
     authentication event server dead action authorize voice
     authentication host-mode multi-auth
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    end
    And Here, I have outputs AuthZ Policy in Action:
    Oct  7 09:22:01.574 ANG: %DOT1X-5-SUCCESS: Authentication successful for client (0022.1910.4130) on Interface Gi0/38 AuditSessionID 0A022047000000F6126E9B17
    Oct  7 09:22:01.582 ANG: %AUTHMGR-5-VLANASSIGN: VLAN 50 assigned to Interface Gi0/38 AuditSessionID 0A022047000000F6126E9B17
    Oct  7 09:22:01.591 ANG: %EPM-6-POLICY_REQ: IP 0.0.0.0| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT APPLY
    Oct  7 09:22:01.591 ANG: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| EVENT DOWNLOAD-REQUEST
    Oct  7 09:22:01.633 ANG: %EPM-6-AAA: POLICY xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| EVENT DOWNLOAD-SUCCESS
    Oct  7 09:22:01.633 ANG: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT IP-WAIT
    SWISNGAC8FL02#
    Oct  7 09:22:02.069 ANG: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0022.1910.4130) on Interface Gi0/38 AuditSessionID 0A022047000000F6126E9B17
    SWISNGAC8FL02#
    Oct  7 09:22:02.731 ANG: %EPM-6-IPEVENT: IP 10.2.39.3| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
    Oct  7 09:22:02.731 ANG: %EPM-6-POLICY_APP_SUCCESS: IP 10.2.39.3| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| POLICY_TYPE Named ACL| POLICY_NAME xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6| RESULT SUCCESS
    After that, I have:
    SWISNGAC8FL02#sh auth sess int g0/38 
                Interface:  GigabitEthernet0/38
              MAC Address:  0022.1910.4130
               IP Address:  10.2.39.3
                User-Name:  SNL\enzo.belo
                   Status:  Authz Success
                   Domain:  VOICE
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  50
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-537cb1d6
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A022047000000F6126E9B17
          Acct Session ID:  0x000001A7
                   Handle:  0x710000F7
    Runnable methods list:
           Method   State
           dot1x    Authc Success
           mab      Not run
    Apparently, everything is OK, but NOT. The User PC never gets IP Address from Access VLAN 50.
    If I do  SWISNGAC8FL02#sh mac address-table | inc 0022.1910.4130
      50    0022.1910.4130    STATIC      Gi0/38 
     802    0022.1910.4130    STATIC      Gi0/38 
    And
    SWISNGAC8FL02#sh epm session summary 
    EPM Session Information
    Total sessions seen so far : 17
    Total active sessions      : 1
    Interface                       IP Address        MAC Address     VLAN   Audit Session Id:
    GigabitEthernet0/38     10.2.39.3         0022.1910.4130    802     0A022047000000F6126E9B17
    My Switch is a Cisco IOS Software, C3560E Software (C3560E-IPBASEK9-M), Version 15.0(2)SE6, RELEASE SOFTWARE (fc2)
    I am using ISE Version 1.2.1.198 Patch Info 2
    Could you help me in this Case ?
    Best Regards,
    Daniel Stefani

    It seems like the PC is operating in the VOICE-domain according to the cmd auth sess int you showed. Do you think that has something to do with your problem? I've experienced some PCs having problems with that.
    If you could, try getting the PC to operate in the DATA-domain by not sending the voice-attribute from ISE after the authorization.
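A check over the switch output quoted in this thread, added here as an example and not part of the original posts: it flags a session classified in the VOICE domain while the pushed VLAN is not the voice VLAN, a client IP that is still in the authentication subnet after the VLAN change, and a MAC address present in both VLANs. The /24 mask for 10.2.39.0 and all function and finding names are assumptions.

```python
import ipaddress
import re

# Excerpts of the switch output quoted in the post above.
SYSLOG = """\
Oct  7 09:22:01.582 ANG: %AUTHMGR-5-VLANASSIGN: VLAN 50 assigned to Interface Gi0/38 AuditSessionID 0A022047000000F6126E9B17
Oct  7 09:22:01.633 ANG: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT IP-WAIT
Oct  7 09:22:02.731 ANG: %EPM-6-IPEVENT: IP 10.2.39.3| MAC 0022.1910.4130| AuditSessionID 0A022047000000F6126E9B17| AUTHTYPE DOT1X| EVENT IP-ASSIGNMENT
"""
AUTH_SESSION = """\
            Interface:  GigabitEthernet0/38
          MAC Address:  0022.1910.4130
           IP Address:  10.2.39.3
               Status:  Authz Success
               Domain:  VOICE
          Vlan Policy:  50
"""
MAC_TABLE = """\
  50    0022.1910.4130    STATIC      Gi0/38
 802    0022.1910.4130    STATIC      Gi0/38
"""

# Values from the post; the /24 mask is an assumption (the post only gives 10.2.39.0).
AUTH_VLAN = 802
AUTH_SUBNET = ipaddress.ip_network("10.2.39.0/24")
VOICE_VLAN = 120  # from "switchport voice vlan 120"

VLANASSIGN_RE = re.compile(
    r"%AUTHMGR-5-VLANASSIGN: VLAN (\d+) assigned to Interface (\S+) AuditSessionID (\w+)")
IPEVENT_RE = re.compile(
    r"%EPM-6-IPEVENT: IP ([\d.]+)\| MAC (\S+)\| AuditSessionID (\w+)\|.*EVENT (\S+)")


def parse_auth_session(text):
    """Turn the 'Key:  Value' lines of 'show authentication sessions' into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def vlans_for_mac(mac_table, mac):
    """Return the VLAN ids in which the MAC address appears in the MAC table."""
    vlans = []
    for line in mac_table.splitlines():
        cols = line.split()
        if len(cols) >= 2 and cols[0].isdigit() and cols[1].lower() == mac.lower():
            vlans.append(int(cols[0]))
    return sorted(vlans)


def stale_leases(syslog):
    """Sessions whose IP-ASSIGNMENT after a VLAN change is still in the auth subnet."""
    assigned = {}  # AuditSessionID -> VLAN pushed by the authentication server
    stale = []
    for line in syslog.splitlines():
        m = VLANASSIGN_RE.search(line)
        if m:
            assigned[m.group(3)] = int(m.group(1))
            continue
        m = IPEVENT_RE.search(line)
        if not m or m.group(4) != "IP-ASSIGNMENT":
            continue
        ip, mac, sid = m.group(1), m.group(2), m.group(3)
        vlan = assigned.get(sid)
        if vlan is not None and vlan != AUTH_VLAN and ipaddress.ip_address(ip) in AUTH_SUBNET:
            stale.append((sid, mac, ip, vlan))
    return stale


def diagnose(syslog, auth_session, mac_table):
    """Return finding codes for the symptoms visible in the three outputs."""
    findings = []
    session = parse_auth_session(auth_session)
    policy_vlan = int(session["Vlan Policy"])
    # Session sits in the VOICE domain although the pushed VLAN is not the voice VLAN.
    if session.get("Domain") == "VOICE" and policy_vlan != VOICE_VLAN:
        findings.append("voice-domain-with-data-vlan")
    # The address learned after the VLAN change still belongs to the auth VLAN.
    if stale_leases(syslog):
        findings.append("ip-still-in-auth-subnet")
    # The same MAC is present in the auth VLAN and in the assigned VLAN.
    vlans = vlans_for_mac(mac_table, session["MAC Address"])
    if AUTH_VLAN in vlans and policy_vlan in vlans:
        findings.append("mac-in-both-vlans")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SYSLOG, AUTH_SESSION, MAC_TABLE):
        print(finding)
```
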

  • OIM 11g inter Environment issues

    Hi All,
    We have a strange issue here. We have implemented our entire solution in our dev environment. Everything is working fine. But when we exported it to other envs, the logs for the process task adapters are not getting generated. Please suggest.
    Thanks.

    Oracle has opened up a bug on this issue:
    Bug 15941773 - DATE FIELD ON OIM USER FORM PROVIDED AS STRING INSTEAD OF DATE IN ORCHESTRATION
    In the meantime, we wrote a custom pre-insert event handler that does the following:
    1) checks for this scenario (Date field provided as String)
    2) converts the String value to a Date
    3) Replaces the String with the Date in the orchestration parameters.

  • OIM 11g - Exception while starting server 'oim_server1'

    Hi all,
    We are trying to install OIM 11g and are having issues starting the OIM server (the SOA and OAM servers are also not starting up) in the weblogic enterprise console.
    The error message we are getting is "Exception while starting server 'oim_server1'" ?
    Thanks

    I tried starting from command prompt and with nodemanager, but none of the options seems to work.
    I get the following error log:
    ####<16.nov.2010 kl 00.52 CET> <Info> <Security> <WIN-FQRM761U74N> <oim_server1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1289865176201> <BEA-090511> <The following exception has occurred:
    com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for OIMAuthenticationProvider is not specified.
         at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:365)
         at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
         at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
         at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
         at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(WLSIdentityServiceImpl.java:47)
         at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:300)
         at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:221)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1783)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:442)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:840)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(CommonSecurityServiceManagerDelegateImpl.java:869)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1028)
         at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:875)
         at weblogic.security.SecurityService.start(SecurityService.java:141)
         at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    Caused By: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for OIMAuthenticationProvider is not specified.
         at com.bea.common.security.internal.legacy.service.SecurityProviderImpl.init(SecurityProviderImpl.java:47)
         at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:363)
         at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
         at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
         at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
         at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(WLSIdentityServiceImpl.java:47)
         at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:300)
         at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:221)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1783)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:442)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:840)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(CommonSecurityServiceManagerDelegateImpl.java:869)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1028)
         at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:875)
         at weblogic.security.SecurityService.start(SecurityService.java:141)
         at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    >
    ####<16.nov.2010 kl 00.52 CET> <Error> <Security> <WIN-FQRM761U74N> <oim_server1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1289865176206> <BEA-090870> <The realm "myrealm" failed to be loaded: weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for OIMAuthenticationProvider is not specified..
    weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for OIMAuthenticationProvider is not specified.
         at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:342)
         at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:221)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1783)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:442)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:840)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(CommonSecurityServiceManagerDelegateImpl.java:869)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1028)
         at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:875)
         at weblogic.security.SecurityService.start(SecurityService.java:141)
         at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    Caused By: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for OIMAuthenticationProvider is not specified.
         at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:365)
         at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
         at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
         at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
         at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(WLSIdentityServiceImpl.java:47)
         at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:300)
         at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:221)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1783)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:442)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:840)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(CommonSecurityServiceManagerDelegateImpl.java:869)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1028)
         at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:875)
         at weblogic.security.SecurityService.start(SecurityService.java:141)
         at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    Caused By: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for OIMAuthenticationProvider is not specified.
         at com.bea.common.security.internal.legacy.service.SecurityProviderImpl.init(SecurityProviderImpl.java:47)
         at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:363)
         at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
         at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
         at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
         at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(WLSIdentityServiceImpl.java:47)
         at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:300)
         at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:221)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1783)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:442)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:840)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(CommonSecurityServiceManagerDelegateImpl.java:869)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1028)
         at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:875)
         at weblogic.security.SecurityService.start(SecurityService.java:141)
         at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    >
    ####<16.nov.2010 kl 00.52 CET> <Notice> <Security> <WIN-FQRM761U74N> <oim_server1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1289865176207> <BEA-090082> <Security initializing using security realm myrealm.>
    ####<16.nov.2010 kl 00.52 CET> <Critical> <WebLogicServer> <WIN-FQRM761U74N> <oim_server1> <main> <<WLS Kernel>> <> <> <1289865176210> <BEA-000362> <Server failed. Reason:
    There are 1 nested errors:
    weblogic.security.service.SecurityServiceRuntimeException: [Security:090399]Security Services Unavailable
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:916)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1050)
         at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:875)
         at weblogic.security.SecurityService.start(SecurityService.java:141)
         at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)

  • Regarding Authorization policy and Roles in OIM 11g

    Hi,
    In the OIM 11g Admin interface, is there a way to find out which authorization policies a role has been assigned to?
    I am asking this because, if you search for a user, you will know which roles he is a member of, and similarly if you search for a role, you will know which users are members of that role.
    Similarly, if you search for an Authorization policy, you will know which roles are assigned to this policy. But if I search for a role, I am not able to find which authorization policies have been assigned to this role.
    Looking forward to hearing from you,
    Many thanks in advance

    I understand your concern. But, this feature has not been available
    --nayan

  • How to create Authorization policy using OIM 11g API

    Hi,
    Could you please let me know how to create Authorization policy using OIM 11g API.
    Thanks

    Constructing A Policy Programmatically
    http://docs.oracle.com/cd/E27559_01/dev.1112/e27154/cons_policy_prog.htm#CHDHACBF
    api ref for PolicyStore
    http://docs.oracle.com/cd/E21764_01/apirefs.1111/e22649/oracle/security/jps/service/policystore/PolicyStore.html#createApplicationPolicy_java_lang_String_
    something like below code to start with
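    import oracle.security.jps.JpsContext;
    import oracle.security.jps.JpsContextFactory;
    import oracle.security.jps.JpsException;
    import oracle.security.jps.service.policystore.ApplicationPolicy;
    import oracle.security.jps.service.policystore.PolicyStore;

    // Inside a method of your class:
    try {
        // Obtain the default JPS context configured in jps-config.xml
        JpsContextFactory ctxFact = JpsContextFactory.getContextFactory();
        JpsContext ctx = ctxFact.getContext();
        PolicyStore ps = ctx.getServiceInstance(PolicyStore.class);
        if (ps == null) {
            // if no policy store instance configured in jps-config.xml
            System.out.println("no policy store instance configured");
            return;
        }
        ApplicationPolicy ap = ps.createApplicationPolicy("Trading", "Trading Application", "Trading Application.");
    } catch (JpsException e) {
        // Report the failure instead of swallowing it silently
        e.printStackTrace();
    }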

  • Error while creating authorisation policy using OIM 11g API

    Hi,
    We have a requirement to create ‘Authorization Policies’ (assign Data Constraints, Permissions & Assignments) using OIM 11g API’s.  I am using ‘oracle.iam.authzpolicydefn.api.PolicyDefinitionService & oracle.iam.authzpolicydefn.vo.AuthzPolicy’.  But when I am trying to attach Entity/Feature (User Management) to authorisation policy, it is throwing exception.  Below is the code snippet which I am trying to implement.
    Line1: PolicyDefinitionService policyService = oimClient.getService(PolicyDefinitionService.class);
    Line2: AuthzPolicy authPolicy = new AuthzPolicy();
    Line3: authPolicy.setName("Test Authz Policy");
    Line4: authPolicy.setDisplayName("Test Authz Policy Dsp Name");
    Line5: authPolicy.setDescription("Test Authz Policy Description");
    Line6: Feature feature = oimClient.getService(Feature.class);
    Line7: Action featureAction = feature.getAction(FeatureManagerConstants.Features.USER_MGMT.getId());
    Line8: List<Action> actions = new ArrayList<Action>();
    Line9: actions.add(featureAction);
    Line10: authPolicy.setActions(actions);
    Line11: policyService.createPolicy(authPolicy);
    Exception: oracle.iam.platform.utils.NoSuchServiceException: java.lang.ClassNotFoundException: oracle.iam.authzpolicydefn.api.FeatureDelegate
    The above exception is thrown at Line6.
    Let me know if anyone implemented.
    - Kalyan Mutya

    If you are using JDeveloper, are you able to get the class after giving "."? If yes no, then it is a problem with the jar file you are using. Check whether you are able to import oracle.iam.authzpolicydefn.api.Feature.
    Thanks,
    Animesh anand

  • OIM 11g issues with design console, creating resource

    Hi All,
    I have installed OIM 11g, OAM 11g.
    I am facing issues while starting the design console or creating a resource.
    <Sep 2, 2010 9:30:53 PM GMT+05:30> <Error> <XELLERATE.SCHEDULER.TASK> <BEA-0000
    0> <Error while calling reissue on AUD_JMS messages
    com.thortech.xl.dataaccess.tcClientDataAccessException:
    at com.thortech.xl.dataaccess.tcDataBaseClient.getDatabaseProductName(t
    DataBaseClient.java:944)
    at com.thortech.xl.schedule.tasks.ReIssueAuditMessage.processAllByIdent
    fier(ReIssueAuditMessage.java:87)
    at com.thortech.xl.schedule.tasks.ReIssueAuditMessage.execute(ReIssueAu
    itMessage.java:78)
    at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.execute(SchedulerB
    seTask.java:384)
    at oracle.iam.scheduler.vo.TaskSupport.executeJob(TaskSupport.java:144)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl
    java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcce
    sorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at oracle.iam.scheduler.impl.quartz.QuartzJob.execute(QuartzJob.java:16
    at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.
    ava:529)
    >
    <Sep 2, 2010 9:30:53 PM GMT+05:30> <Error> <XELLERATE.DATABASE> <BEA-000000> <Cl
    ass/Method: tcDataBaseClient/bindToInstance encounter some problems: java.lang.A
    ssertionError: Can only export activatable objects
    oracle.iam.platform.utils.ServiceInitializationException: java.lang.AssertionErr
    or: Can only export activatable objects
    at oracle.iam.platform.Platform.getService(Platform.java:264)
    at oracle.iam.platform.OIMInternalClient.getService(OIMInternalClient.ja
    va:152)
    at com.thortech.xl.dataaccess.tcDataBaseClient.bindToInstance(tcDataBase
    Client.java:151)
    at com.thortech.xl.dataaccess.tcDataBaseClient.<init>(tcDataBaseClient.j
    ava:75)
    at com.thortech.xl.server.tcDataBaseClient.<init>(tcDataBaseClient.java:
    33)
    at com.thortech.xl.client.dataobj.tcDataBaseClient.<init>(tcDataBaseClie
    nt.java:67)
    Please help

    You need to copy the files from the linux box to a windows box and change the startup parameters to meet those of a Windows machine.
    I have the following files once moved to my windows machine:
    basecp.bat:
    set CLASSPATH=.;.\lib\oimclient.jar;.\lib\iam-platform-auth-client.jar;.\lib\iam-platform-pluginframework.jar;.\lib\iam-platform-utils.jar;.\lib\iam-platform-context.jar;.\lib\XellerateClient.jar;.\lib\xlAPI.jar;.\lib\xlLogger.jar;.\lib\xlVO.jar;.\lib\xlUtils.jar;.\lib\xlCrypto.jar;.\lib\xlAuthentication.jar;.\lib\xlDataObjectBeans.jar;.\ext\log4j-1.2.8.jar;.\ext\jhall.jar;
    classpath.bat:
    call basecp.bat
    set CLASSPATH=%CLASSPATH%;.\ext\spring.jar;.\ext\security-api.jar;.\ext\commons-logging.jar;.\ext\logging-utils.jar;.\ext\jakarta-oro-2.0.8.jar;.\ext\bsh.jar;.\ext\mail.jar;.\ext\jboss-j2ee.jar;.\ext\jboss-jaas.jar;.\ext\jbosssx.jar;.\ext\jts.jar;.\ext\jbossall-client.jar;.\ext\concurrent.jar;.\ext\getopt.jar;.\ext\gnu-regexp.jar;.\ext\jacorb.jar;.\ext\jboss-client.jar;.\ext\jboss-common-client.jar;.\ext\jbosscx-client.jar;.\ext\jbossha-client.jar;.\ext\jboss-iiop-client.jar;.\ext\jbossjmx-ant.jar;.\ext\jboss-jsr77-client.jar;.\ext\jbossmq-client.jar;.\ext\jboss-net-client.jar;.\ext\jbosssx-client.jar;.\ext\jboss-system-client.jar;.\ext\jboss-transaction-client.jar;.\ext\jcert.jar;.\ext\jmx-connector-client-factory.jar;.\ext\jmx-ejb-connector-client.jar;.\ext\xdoclet-module-jboss-net.jar;.\ext\jsse.jar;.\ext\jnet.jar;.\ext\jmx-rmi-connector-client.jar;.\ext\jmx-invoker-adapter-client.jar;.\ext\jnp-client.jar;.\ext\wlfullclient.jar;.\ext\webserviceclient+ssl.jar;.\ext\sas.jar;.\ext\oc4jclient.jar;.\ext\ejb.jar;.\ext\oscache.jar;.\ext\commons-logging.jar;.\ext\javagroups-all.jar
    >
    xlclient.cmd:
    >
    @echo off
    setlocal
    call classpath
    REM SET DEBUG_OPTS=-classic -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5001 -DXL.RedirectSysOutErrToFile=TRUE -DXL.SysOutErrLogFile=.\logs\Client.System.Out.Err.log
    REM Make sure to remove java.naming.provider.url and read it from the configuration
    REM once the JNDI Profiles are implemented.
    REM make sure you are using j2sdk1.4.2_05
    "C:\jdk1.6.0_22\bin\java" %DEBUG_OPTS% ^
         -DXL.ExtendedErrorOptions=TRUE -DXL.HomeDir=C:\oracle\oim1_11g\designconsole ^
         -Djava.security.policy=config\xl.policy ^
         -Dlog4j.configuration=config\log.properties ^
         -Dweblogic.security.SSL.trustedCAKeyStore=%TRUSTSTORE_LOCATION% ^
         -Djava.security.manager -Djava.security.auth.login.config=config\authwl.conf ^
         com.thortech.xl.client.base.tcAppWindow -server server
    endlocal
    >
    See if this works.
    -Kevin

  • Custom OWSM Authorization Policy Not Visible in OSB 11g

    I am trying to configure custom OWSM authorization policies to grant web service access in OSB to userids associated with custom WebLogic groups. Both OSB and SOA are version 11.1.1.5 with an Oracle Enterprise 11g database backend. To help rule out some possible operational errors, here are things that ARE working with the combination of SOA and OSB services:
    * the underlying SOA service functions in the /em console test page
    * the OSB proxy service works from the /sbconsole test page with OWSM oracle/wss_username_token_policy enabled
    * the oracle/log_policy can be added to the OSB business service and generates log entries
    * the outer proxy service can be successfully invoked from a remote client with no security policies,
    with HTTP transport security and authorization policies and with OWSM authentication policies
    attached (given the correct request payloads)
    These findings would appear to rule out connection errors from the OSB engine to the jdbc/mds/owsm DataSource or proper startup of the "OWSM Policy Support in OSB Initializer Application" service within WebLogic. (By the way, that deploys with a typo in its registered name -- "Aplication" with a single p.)
    Here are the steps that were performed:
    1) created group myfirmIdentityData in WebLogic console (/console)
    2) created userid myappuser in WebLogic console
    3) added myappuser to the myfirmIdentityData group in WebLogic console
    4) cloned the oracle/component_authorization_permitall Security policy to myfirm/authorize_IdentityData
    using the Fusion console (/em on the SOA domain)
    5) edited myfirm/authorize_IdentityData to add the "role" myfirmIdentityGroup to the
    list of permitted roles (***)
    *** note -- "roles" referenced within the OWSM policy configuration dialogs actually correspond to "groups" at the WebLogic Server level. A bit confusing at first but harmless.
    6) accessed the SOA service in the Fusion console (/em), clicked on the Policies tab and verified
    the myfirm/authorize_IdentityData policy is available for application to the SOA service (BUT DID
    NOT ATTACH IT HERE -- I'm trying to attach it at the "outer" layer in OSB, not SOA Suite)
    7) accessed the Service Bus console (/sbconsole), started a change session, selected the
    proxy service, then clicked on the Policies tab, then clicked the Add button in the
    Service Level Policies section
    At that point, the only services listed are the factory supplied oracle/********* policies. There are two pages listed and flipping between the two doesn't show any other policies other than the oracle/***** policies.
    I even tried stopping and starting the domain thinking maybe OSB caches all of the OWSM policies at startup rather than querying the mds_owsm schema dynamically to no avail. No myfirm/****** policies are displayed after a domain restart.
    Any insight?
    Thanks.

    Once again, I wound up opening a Support Request with the TAC for direction on this issue. The policies were not appearing for assignment to OSB proxy / business services because they were being created against the wrong type of object within OWSM.
    In a nutshell, policies in OWSM can be created to be applied against:
    * Components --- only usable against SOA services
    * Service Endpoints --- against URLs used as access points into services
    * Service Clients -- against consumers of services as identified by credentials
    * All -- all of the above
    However, policies built against Components can only be applied to SOA composite services. When I cloned the existing oracle/component_authorization_permitall Security policy to myfirm/authorize_IdentityData policy then limited it to the myfirmIdentityGroup group, that policy would only be assignable to SOA composites since it applied to only Components.
    To allow the group based authorization policy to be enforced in the outer OSB tier, the oracle/binding_authorization_permitall_policy was cloned to myfirm/authorize_IdentityGroup. That policy was defined to apply to endpoints and once saved, appeared in the GUI of the Service Bus console to assign to the proxy service for the service being implemented. A second component policy named myfirm/componentauthorize_IdentityGroup was cloned from oracle/component_authorize_permitall_policy to perform the group authorization at the SOA layer.
    A different issue is being encountered configuring the OSB business service to forward the OWSM headers from the outer proxy service to the SOA service so the authorization succeeds at the inner layer but that's a different problem. With the SOA layer authorization policy disabled, client tests to the proxy service function correctly with a userid in the myfirmIdentityGroup group and generate an authorization failure when another client credential is used that does not belong to myfirmIdentityGroup.
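
The attachment rule described in the answer above can be checked against exported policy files before looking for them in /sbconsole. This is an added example, not part of the original post or of Oracle's tooling; it assumes each exported OWSM policy is an XML document whose root element carries an attachTo attribute with the values component, binding.server, binding.client or generic, and the sample documents are constructed.

```python
import xml.etree.ElementTree as ET

# Assumed mapping from a policy's attachTo value to the "applies to"
# categories listed in the post above.
APPLIES_TO = {
    "component": {"soa-component"},
    "binding.server": {"service-endpoint"},
    "binding.client": {"service-client"},
    "generic": {"soa-component", "service-endpoint", "service-client"},
}

def attach_to(policy_xml):
    """Return the root element's attachTo value, whatever its namespace."""
    root = ET.fromstring(policy_xml)
    for key, value in root.attrib.items():
        if key.rsplit("}", 1)[-1] == "attachTo":
            return value.strip()
    return None  # attribute missing: treated as not attachable anywhere

def audit(policies, needed="service-endpoint", prefix="myfirm/"):
    """Return (name, attachTo) for custom policies unusable at `needed`."""
    findings = []
    for name, xml_text in sorted(policies.items()):
        if not name.startswith(prefix):
            continue
        value = attach_to(xml_text)
        if needed not in APPLIES_TO.get(value, set()):
            findings.append((name, value))
    return findings

# Constructed sample documents; the orawsp namespace URI is an assumption
# and the code matches on the attribute's local name only.
NS = ('xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" '
      'xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy"')

def sample(name, target):
    return f'<wsp:Policy {NS} orawsp:name="{name}" orawsp:attachTo="{target}"/>'

SAMPLES = {name: sample(name, target) for name, target in [
    ("myfirm/authorize_IdentityData", "component"),
    ("myfirm/authorize_IdentityGroup", "binding.server"),
    ("myfirm/componentauthorize_IdentityGroup", "component"),
    ("oracle/log_policy", "generic"),
]}

if __name__ == "__main__":
    for name, value in audit(SAMPLES):
        print(f"{name}: attachTo={value!r} cannot be attached to an OSB proxy")
```

Calling audit with needed="soa-component" reverses the check and lists the endpoint-only policy that cannot be enforced at the SOA composite layer.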

  • OIM 11g R1 Request Template issue

    Hi All,
    We are facing an issue with implementing the Request Management of OIM 11g R1 11.1.1.5 for Create User.
    OIM already provides OOTB CreateUserDataSet.xml and a ‘Create User’ Request Template.
    We have changed (customized) the OOTB CreateUserDataSet.xml at the same location in MDS and have created our own Request Template – ‘Create Custom’.
    We have also added Attribute Restrictions in the ‘Create Custom’  request template for mandatory fields like – ‘Organization’, ‘User Type’ & ’Design Console Access’.
    The issue we are facing is –“After some time(not immediately) the Request Template gets corrupt and does not open thus rendering the Request Process for Create User inoperable.”
    Below is the error from the OIM Web console log when we try to open ‘Create Custom’ by clicking on the Request Template.
    <ADF_FACES-60096:Server Exception during PPR, #8
    oracle.iam.platform.utils.MinLimitException: size < minimum limit
                    at oracle.iam.platform.canonic.model.Values.setMinLimit(Values.java:187)
                    at oracle.iam.requesttemplate.agentry.operations.OpenActor.renderAttributeRestrictionsTab(OpenActor.java:829)
                    at oracle.iam.requesttemplate.agentry.operations.OpenActor.prepare(OpenActor.java:198)
                    at oracle.iam.consoles.faces.utils.CanonicUtils.prepareOperation(CanonicUtils.java:169)
                    at oracle.iam.consoles.faces.utils.CanonicUtils.prepareOperation(CanonicUtils.java:179)
                    at oracle.iam.consoles.faces.render.canonic.UICursor$TableActionListener.processAction(UICursor.java:855)
                    at javax.faces.event.ActionEvent.processListener(ActionEvent.java:88)
    Any help in solving the above issue, workarounds, or knowing whether it is an OIM bug would be greatly helpful.
    Note* I have noticed (through Export) that in a corrupted Request Template the Organization Name that I have restricted to a Constant has the Organization Name's text as its value in the exported XML. If I change it back to ACT KEY and import it back into OIM, the template is restored until the next corruption.
    Thanks already
    Regards,
    Nitin Tewari

    Excellent! Thank you very much!
    Edited by: 958794 on May 22, 2013 10:37 AM
