OIM 11g R1 - Restrict Role assignment

Similar Messages

• OIM - Multi Level approval - Role assignment at the time of approval

  I have to provision to two target applications. But, the roles in each application are different. So, at the time of approval, the groupmanager (same from both apps- first level authentication) have to assign the roles individually to each application and the request will go to second level authentication . A person can have multiple roles in the application. How to achieve this functionality.
  Thanks in advance.

  You have two create different APproval Workflow for different resources.
  Attach two objects form each parent and child.
  First Approver can edit the object form data to add roles and then he will aprove.
  In you approval workflow two tasks will be there
  Approval1
  Approval2 > conditional
  Open Approval1 task and in the responses tab select Approve and in Task to Generate select Approval2.
  In Assignment tab you can assign it to anyone you want.
  Save.

• OIM 11g R2 Available Roles For Organizations Is Empty After XML Import

  Hi,
  When we exported Organizations in OIM via Deployment Manager and imported them back, available roles on Organizations are gone.
  To be exact; Hierarchical role assignments are gone, which are done using "include-sub-orgs" check while putting organizations to Roles.
  To understand the problem,
  We took a single organization, exported it, changed only organization name in the XML and imported it back. The results are the same.
  We included every possible dependency in the xml to see if this was the issue, apparently it wasn't.
  Furthermore,
  On the Role screens' Available Organization's tab, when we check the "include sub orgs" box, it works fine on manually added organizations. They are shown on Available Roles for the Organizations.
  But this doesn't work on imported organizations.
  Is there a trick to this in R2?
  How can we export-import the organizations and still see the available roles?
  Thanks,
  Erdogdu

  Hi All
  Any updates please . Can any one just update whether creating a custom attribute on User Profile adds the attribute in the list of attributes for membership rules for roles .
  Thanks
  Darshan

• OIM 11g add custom role on user creation

  Hi,
  I when i create a user in OIM11g by default it gets added to "ALL USERS" role.
  I have created a new role and want to add user to this custom role while creating users. How can i do this in OIM11g
  Regards,
  Ab
  Edited by: 824473 on Jan 18, 2011 2:33 AM

  set Auto submit true. you can't set the value for ValueChangedListener property in current release of R2. This is bug and you can raise SR for same. But, this won't cause saving data into USR table. ValueChandedListener property for Modify User page only.
  As you said, data is not being saved in the USR table then verify your steps again:
  create sandbox->users->create user/edit user/view user details page->click customize->leftTopcorner->View->Source->select area->edit->Click Add Content (on left top)->Data Component catalog->scroll down and select User VO->Refresh dialogue box->select the field and click 'Add'->on dropdown select 'ADF Input test w/label/for view user page it should be output test w/label->close that window->Check if it added to create user form->save and close customization
  for user detail page select "Managed User->UserVo1 " as datacomponent
  Re: UDF creation on User form in 11gR2
  for valuechangedlistener the fixes all ready available. you have to do some workaround as other poster has given in above link:
  1.Create a sandbox and activate it. Open the page that contains the UDF, and click Customize.
  2.Select View, Source.
  3.Note the value of the valueChangeListener property of a predefined field. To do so:
  a.Click the predefined field, and then click Edit to open the Component Properties dialog box.
  b.Copy the value of the valueChangeListener property.
  4.Export the sandbox as a ZIP file.
  5.Extract the ZIP file and edit the jsff.xml file for the specific screen.
  6.Add the following attributes to the ADF tag, for example af:inputText, for the UDF:
  ◦valueChangeListener=VALUE_COPIED_IN_STEP3
  ◦autoSubmit="true"
  7.Create the ZIP file for the sandbox.
  8.Import the sandbox.
  9.Publish the sandbox.
  Edited by: Nishith Nayan on Sep 21, 2012 1:04 PM

• Role assignment restrictions

  Hi all,
  I am trying to restrict role assignment using the object S_USER_AGR. As an example i am using the following in the 'Role Name' field: T1050, T1500.
  However, with my test user, they are able to assign the role "T_50043964_5100-TEST" to a user
  But i cannot see how this is possible. Am I missing something here?
  Thanks,

  If I understand your example correctly what you are trying to do cannot be done.
  The restriction with authorization wildcards must come only at the end.  Example:  T_50043964*
  Cheers,
  Ben

• Oim 11g r2: data access restriction using roles instead of organisations

  can i implement data access restriction using roles instead of organisations in oim 11g r2?

  in my use case a particular user can be member of more than one organisation. as far as i know oim does not suoport this use case using organisation, so i decide to use roles to represent my "organizations", but now i loose all the data access restrictions (scope).

• Restricting administrator tab to user created with default role OIM 11g R2

  Hi,
  I have a query, if we create a user in OIM 11g R2 without any admin role and then login to Self Service screen (Identity) with the newly created user, we can see the Administration Tab is visible to the user.
  Is this mean that by default user is having admin role assigned to him to do some of the admin activities.
  Please let me know how to control this behavior and not to show the Administration tab to the user until and unless he is having some admin roles assigned to him.
  Please help.

  You can hide Administration tab for normal users using EL's. By default users will get this tab when they login to identity console even though admin role is not assigned to them. But if you do any operation on any users, request will be raised accordingly.
  Check this link to configure EL's http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/uicust.htm#autoId18

• OIM 11g R1 - Container for Roles

  Hi,
  is it possible to create container for roles?
  For Example:
  Container1: RoleA, RoleB, RoleC
  Container2: RoleV, RoleY, RoleZ
  The reason is, i want to create authorization policies, which allows the user to assign specials roles. The problem is, that a lot of roles will be added during the operation. This means, if a new role will be created, i have to edit the authorization policy
  The best way is, i assign a Role-Container to the authorization policy. If i create a new role, i add the role to the special container.
  Is this possible in OIM 11g R1?
  Edited by: 960944 on Apr 3, 2013 5:18 AM

  Yes, you can do that using authorization policy.
  Try this:
  Create a Role called 'X'
  Create a Authorization Policy of Role Management Entity Type called 'X Role Authz Policy' and under the Permission tab:
  Grant Modify Role Membership, Search for ROle, View Role Detail and View Role Membership
  Under Data Constraints: Add all the roles that a user can self assign except SYS ADMIN role.
  Under Assignemnt: Add Role 'X'
  Save and apply to test it.
  You can have a look at the default Role Management All Users Policy for reference.
  Regards,
  Sunny

• Role management in OIM 11g.

  Hi All,
  I am working on OIM 11g PS1.
  In this I want to give some of the users in OIM ability to manage the roles in OIM and view and modify the role and role membership.
  For this the simplest way is to add the user to role 'Role Administrators'.
  Now when I login with user, then this user is able to modify the role, view hierarchy, view and modify membership rule, Data Object permissions but when clicks on 'Members' tab then it throws the error and does not show the members and same error comes when it tries to assign new users in role.
  The same behavior happens for the role owner as well. When the role owner of a role logs in and try to view the members of its own role the same things happens. I have pasted the error below:
  Please suggest if anyone else has come across this issue and is there any step that I may be missing in my configuration.
  The error that comes on GUI:
  "ADF_FACES-60097: For more information, please serr the server's error log for an entry beginning with: ADF_FACES-60096:Server Exception during PPR, #8"
  Error in Weblogic logs:
  "<Dec 1, 2011 10:34:48 AM EST> <Warning> <oracle.adfinternal.view.faces.lifecycle.LifecycleImpl> <BEA-000000> <ADF_FACES-60098:Faces lifecycle receives unhandled excepti
  ons in phase INVOKE_APPLICATION 5
  javax.el.ELException: java.lang.NullPointerException
  at com.sun.el.parser.AstValue.invoke(Unknown Source)
  at com.sun.el.MethodExpressionImpl.invoke(Unknown Source)
  at org.apache.myfaces.trinidad.component.UIXComponentBase.broadcastToMethodExpression(UIXComponentBase.java:1300)
  at org.apache.myfaces.trinidad.component.UIXShowDetail.broadcast(UIXShowDetail.java:154)
  at oracle.adf.view.rich.component.rich.layout.RichShowDetailItem.broadcast(RichShowDetailItem.java:192)
  at oracle.adf.view.rich.component.fragment.UIXRegion.broadcast(UIXRegion.java:148)
  at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:102)
  at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:92)
  at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhase(ContextSwitchingComponent.java:361)
  at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:96)
  at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:96)
  at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.broadcastEvents(LifecycleImpl.java:902)
  at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:313)
  at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:186)
  at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
  at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
  at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
  at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
  at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
  at oracle.help.web.rich.OHWFilter.doFilter(Unknown Source)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
  at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:205)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
  at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:106)
  at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446)
  at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)
  at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446)
  at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:271)
  at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:177)
  at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
  at oracle.iam.platform.auth.web.PwdMgmtNavigationFilter.doFilter(PwdMgmtNavigationFilter.java:121)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
  at oracle.iam.platform.auth.web.OIMAuthContextFilter.doFilter(OIMAuthContextFilter.java:107)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
  at oracle.adf.library.webapp.LibraryFilter.doFilter(LibraryFilter.java:175)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
  at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
  at java.security.AccessController.doPrivileged(Native Method)
  at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
  at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
  at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
  at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
  at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
  at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:136)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
  at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
  at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
  at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
  at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
  at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
  at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
  at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
  at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
  at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
  at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
  at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
  Caused By: java.lang.NullPointerException
  at oracle.iam.consoles.rolemgmt.utils.PagingUtils.addPagedRoleMembersData(PagingUtils.java:199)
  at oracle.iam.consoles.rolemgmt.tf.details.RoleDetailsBean.initializeRoleMembers(RoleDetailsBean.java:652)
  at oracle.iam.consoles.rolemgmt.tf.details.RoleDetailsBean.loadRoleMembersTab(RoleDetailsBean.java:521)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:597)
  at com.sun.el.parser.AstValue.invoke(Unknown Source)
  at com.sun.el.MethodExpressionImpl.invoke(Unknown Source)
  Thanks,
  Sneha

  Hi,
  I found the resolution for this, so I thought I would share it here with everyone.
  I role owners or any user in role "Role Administrators" were not able to view the members of the role though they had the authorization policies enabled and everything setup.
  To enable the view of role membership please follow the steps below:
  1. Login as XELSYSADM
  2. Goto Administration and search for the org which the users are assigned to
  3. Open the org details
  4. Click "Administrative Roles"
  5. Click "Assign"
  6. Choose either "ALL USERS" or your role which you created, set the permissions as you wish and click "Assign"
  This will really solve the issue.
  Thanks,
  Sneha.

• How to assign approvaal policy for a request template in OIM 11g

  When I request for resource in OIM 11g, It's always going for Default approval of xelsysadm.
  I want this Request level approval must go to "Beneficiary Manager approval". While requesting I am selecting request template (which I created) for Provision resource as Request type.I have already set "Beneficiary Manager approval" as request level approval for this request template.
  I have created one approval policy, How can I assign this approval Policy to request template so that When i submit this request , it should go to my Manager approval.
  Regards,
  J

  Hi Rajiv,
  I do not need approval of Operational level. I want to stop the approval process after request level approval.
  Here you are saying to create a new approval policy and set as AUTO Approval as true. There are some default approval policies which comes with OIM 11g and one of the approval policy is trigeering the Operaional level approval. So I think I do not need to create new approval policy and I can use exsting approval policy and modify as you suggested selecting AUTO APPROVAL and create approval rule as request template=="XYZ".
  I am not sure which default approval policy trigeering the Operational approval now. Can you pls tell me that?
  Can you pls confirm that, there is only way to restrict Opertional Approval by selecting "AUTO APPROVAL" true and put the approval rule as request template=="XYZ"
  Thanks Rajiv for your help all the time.

• Regarding Authorization policy and Roles in OIM 11g

  Hi,
  In OIM 11g Admin interface, is there a way to find out what all authorization polices, a role has been assigned to ?.
  I am asking this because, if you search for a user, you will know what all roles he is a member of, and similarly if you search for a role, you will know who all users are members of that role.
  Similarly, if you search for a Authorization policy, you will know what are roles are assigned to this policy. But if I search for a role, I am not able to find what all authorization policies has been assigned to this role.
  Looking forward to hearing from you,
  Many thanks in advance

  I understand your concern. But, this feature has not been available
  --nayan                                                                                                                                                                                   

• OIM 11g-configure SoD so that it works for direct provisioning of the roles

  Dear All,
  page 23-3 of Developer's Guide (OIM 11g) provides information regarding configuration of the SoD for Direct provisioning of the resources. How to configure SoD so that it works for direct provisioning of the roles?
  Thank you for your time
  Maria

  Rajiv,
  I did not find the documentation regarding this. But I hoped I will.
  In my project we assign roles directlly, not resources.
  I suspect the integration with Role Manager is required in this case. SoD module in OIA should be used then.
  Maria

• How to obtain Role name in OIM 11g using API's

  Hello,
  I have a scenario in which I create Role/Group in OIM 11g & it gets provisioned in AD [=works fine] & other part is when i delete role in OIM 11g then it should
  get deleted from AD.I have written postprocess event handler to achieve this.
  In role creation part i get all parameters using "orchestration.getParameters();" , but when i delete role then "orchestration.getParameters();" is empty,so i am
  not able to get role name.
  Is there a way to get role name while deleting roles using API ?
  Thanks,
  Rahul Shah

  Hi Raghav,
  Following is my code :
  tcRODetails = orgOpInterface.getObjects(organizationKey);
  for(int i = 0;i < tcRODetails.getRowCount();i++){
  tcRODetails.goToRow(i);
  // resourceName=AD Group
  if(resourceName.equalsIgnoreCase(tcRODetails.getStringValue("Objects.Name"))&&
  tcRODetails.getStringValue("Objects.Object Status.Status").equalsIgnoreCase("Provisioned")||
  tcRODetails.getStringValue("Objects.Object Status.Status").equalsIgnoreCase("Enabled")) {
  System.out.println("<<<FOUND>>>");
  processKey = tcRODetails.getLongValue("Process Instance.Key");
  provisionObjectKey = tcRODetails.getLongValue("Objects.Key");
  tcProcessSet = oimFormUtility.getProcessFormData(processKey);
  for(int j=0;j<tcProcessSet.getRowCount();j++){
  tcProcessSet.goToRow(j);
  if(grpName.equalsIgnoreCase(tcProcessSet.getStringValue("UD_ADGRP_NAME"))){
  System.out.println("MATCH FOUND!!!!!");
  orgOpInterface.removeObjectAllowed(organizationKey,provisionObjectKey);
  break;
  & i get following error :
  <Mar 22, 2012 1:54:43 PM IST> <Error> <XELLERATE.APIS> <BEA-000000> <Class/Method: tcOrganizationOperationsBean/removeObjectAllowed encounter some problems: Object with key=7 is not already set as an allowed object for Organization with key=1>
  Thanks
  Rahul Shah

• Getting roles assigned to a user in OIM

  We need to write a query to find what are the roles assigned to a particular user and when it has been assigned , is there any source where the OIM tables and their attributes have been explained? We were referring the UPA_GRP_MEMBERSHIP for getting the roles( referring UGP_KEY)  and the user with (UPA_USR_KEY), is this correct or is there some other table which has the info?

  Thanks for your reply...
  To getting the roles of a user, what is the common attribute between USR and UPA_GRP_MEMBERSHIP table? Is it usr_key from usr table and upa_usr_key from UPA_GRP_MEMBERSHIP? if not, what are the differences between the two attributes and is there any other attribute to refer ?

• OIM 11g support for Temporary roles with expiration date

  Dear All,
  Is there a support provided for temporary roles in OIM 11g?
  If not, what is the recommendation as for implementation?
  Kind regards
  Maria Adair

  I'm also interested if someone has any recommendation as for how to implement such a feature. Anyone has any ideas?