OIM 9.1.0.2 - Access Policies issue

Hi Gurus,
I am facing a strange behavior in the Access Policies feature.
When users are inactivated in OIM, they should be removed from the groups associated to the AP, but the groups remain associated and because of that the AP is triggered again, provisioning resources to the users.
Has someone faced the issue?
Brgds,
Carlos

What do all of your group membership rules look like? Are you sure your right side is the correct format? You can create a rule where Users.Status = "Active". Just need to make sure it's case sensitive, so you'll want to check the database for existing values.
-Kevin

Similar Messages

  • Issue in OIM 11gR2Ps2 while provisioning using access policies

    Hi,
    we are provisioning resources using access policies, and we are facing an issue while provisioning a resource using two access policies. We are populating the main process form data using two access policies; according to the access policy priority we are seeing the first access policy's form data value in the user process form, but the second access policy's value is not showing in the user process form. For example, we are populating process form fieldvalue1 using access policy1 and process form fieldvalue2 using access policy2.
    Thank you,

    Hi,
    we are facing an issue in the following scenario:
    we are provisioning a resource based on the user position through access policies. For example, a user with position "contractor" satisfies two rules; based on the rules he will get two roles, these two roles trigger two access policies, and the two access policies give the same resource, for example "AD". In the AD main process form there are two lookups (lookup A, lookup B); we are giving the lookup A value in access policy1 and the lookup B value in access policy2. Whenever a user gets the AD resource through these roles, after provisioning when we see the user process form only the lookup A value is there and lookup B is empty. But I want to get both lookup A and lookup B values. What I observed was that, based on the priority, the access policy values are coming to the user resource form, but the next access policy's form values are not reflected in the user process form.
    Thanks,

  • ASA Dynamic Access Policies Issues

    Hi
    I have created a simple DAP to match a specific tunnel group (AAA attribute) and also to match endpoint attributes matching AnyConnect client version 3.1.xx and OS as Win7. When I test the DAPs on ASDM, I see that the custom one I created is selected. However, when I actually connect from a client matching the specified AAA and endpoint attributes, the selected DAP is the default one. My aim is to be able to match custom DAPs for different connection profiles (I plan to configure more later) so I can then set the action on the default DAP to terminate, but I seem to be stuck on this.
    I have looked at my config over and again and I guess if the solution could bite me, it would have, but I can't seem to find what I need to do to fix this.
    Appreciate any and every help here
    Seyi
    ========
    Test DAP
    ========
    DAP_TRACE: DAP_open: 778B5E18
    DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="POLICY-RSA"
    DAP_TRACE: name = aaa["cisco"]["grouppolicy"], value = "POLICY-RSA"
    DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="POLICY-RSA"
    DAP_TRACE: name = aaa["cisco"]["tunnelgroup"], value = "POLICY-RSA"
    DAP_TRACE: dap_add_to_lua_tree:endpoint["anyconnect"]["clientversion"]="3.1.03103"
    DAP_TRACE: name = endpoint["anyconnect"]["clientversion"], value = "3.1.03103"
    DAP_TRACE: dap_add_to_lua_tree:endpoint["os"]["version"]="Windows 7"
    DAP_TRACE: name = endpoint["os"]["version"], value = "Windows 7"
    DAP_TRACE: Selected DAPs: ,POLICY-RSA
    DAP_TRACE: dap_process_selected_daps: selected 1 records
    DAP_TRACE: dap_aggregate_attr: rec_count = 1
    DAP_TRACE: dap_comma_str_fcn: [,] 1 128
    DAP_TRACE: DAP_close: 778B5E18
    ========================
    Actual Client Connection
    ========================
    DAP_TRACE: DAP_open: 79E0EA38
    DAP_TRACE: Username: user1, aaa.cisco.grouppolicy = POLICY-RSA
    DAP_TRACE: Username: user1, aaa.cisco.username = user1
    DAP_TRACE: Username: user1, aaa.cisco.username1 = user1
    DAP_TRACE: Username: user1, aaa.cisco.username2 =
    DAP_TRACE: Username: user1, aaa.cisco.tunnelgroup = POLICY-RSA
    DAP_TRACE: Username: user1, DAP_add_SCEP: scep required = [FALSE]
    DAP_TRACE: Username: user1, DAP_add_AC:
    endpoint.anyconnect.clientversion="3.1.03103";
    endpoint.anyconnect.platform="win";
    DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="POLICY-RSA"
    DAP_TRACE: name = aaa["cisco"]["grouppolicy"], value = "POLICY-RSA"
    DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"]="user1"
    DAP_TRACE: name = aaa["cisco"]["username"], value = "user1"
    DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username1"]="user1"
    DAP_TRACE: name = aaa["cisco"]["username1"], value = "user1"
    DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username2"]=""
    DAP_TRACE: name = aaa["cisco"]["username2"], value = ""
    DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="POLICY-RSA"
    DAP_TRACE: name = aaa["cisco"]["tunnelgroup"], value = "POLICY-RSA"
    DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["sceprequired"]="false"
    DAP_TRACE: name = aaa["cisco"]["sceprequired"], value = "false"
    DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"]="AnyConnect"
    DAP_TRACE: name = endpoint["application"]["clienttype"], value = "AnyConnect"
    DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.clientversion="3.1.03103"
    DAP_TRACE: name = endpoint.anyconnect.clientversion, value = "3.1.03103"
    DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.platform="win"
    DAP_TRACE: name = endpoint.anyconnect.platform, value = "win"
    DAP_TRACE: Username: user1, Selected DAPs:
    DAP_TRACE: dap_process_selected_daps: selected 0 records
    DAP_TRACE: Username: user1, dap_aggregate_attr: rec_count = 1
    DAP_TRACE: Username: user1, Selected DAPs: DfltAccessPolicy
    DAP_TRACE: Username: user1, DAP_close: 79E0EA38

    Hi Seyi,
    The problem lies here if you check the output of the debug dap trace of the client PC, which is as follows:
    DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.clientversion="3.1.03103"
    DAP_TRACE: name = endpoint.anyconnect.clientversion, value = "3.1.03103"
    DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.platform="win"
    DAP_TRACE: name = endpoint.anyconnect.platform, value = "win"
    DAP_TRACE: Username: user1, Selected DAPs:
    DAP_TRACE: dap_process_selected_daps: selected 0 records
    DAP_TRACE: Username: user1, dap_aggregate_attr: rec_count = 1
    DAP_TRACE: Username: user1, Selected DAPs: DfltAccessPolicy
    I don't see it looking for the OS version check.
    Ideally it should, and this entry should have been there in the debug dap trace:
    endpoint["os"]["version"], value = "Windows 7
    And in the DAP policy that you have created you have mentioned 2 endpoint attributes to be checked, which are as follows:
    endpoint.anyconnect.clientversion, value = "3.1.03103
    endpoint["os"]["version"], value = "Windows 7
    Since it is not matching both the endpoint attributes it is falling back on the DfltAccessPolicy.
    Please let me know the host scan image that you have got.
    Try with the hostscan_3.1.03103-k9.pkg.
    And then check.
    HTH
    Regards
    Raj Kumar
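Raj's diagnosis comes from reading the two `debug dap trace` outputs side by side: the ASDM test trace carries `endpoint["os"]["version"]`, the real connection does not, so the DAP with both endpoint conditions cannot match and the session falls back to DfltAccessPolicy. The following script is an added example (not from this thread or from Cisco) that automates that comparison: it parses the attribute lines a DAP trace emits, normalizes the bracketed and dotted forms into one key style, and reports which of the attributes a DAP requires are missing or mismatched in a given trace. The two trace excerpts are constructed, abbreviated versions of the ones posted above, and `REQUIRED_ATTRS` is an assumed encoding of the DAP's conditions.

```python
import re

# Attribute lines come in two forms in a DAP trace:
#   dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="POLICY-RSA"
#   dap_install_endpoint_data_to_lua:endpoint.anyconnect.clientversion="3.1.03103"
# plus bare continuation lines such as   endpoint.anyconnect.platform="win";
# The "name = ..., value = ..." echo lines are deliberately ignored (they repeat the data).
ATTR_RE = re.compile(
    r'(?:dap_add_to_lua_tree:|dap_install_endpoint_data_to_lua:|^\s*)'
    r'((?:aaa|endpoint)\S*?)="([^"]*)"'
)
SELECTED_RE = re.compile(r'Selected DAPs:\s*(.*)$')

# Constructed excerpt modelled on the "Test DAP" trace in the thread.
TEST_DAP_TRACE = """\
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="POLICY-RSA"
DAP_TRACE: name = aaa["cisco"]["tunnelgroup"], value = "POLICY-RSA"
DAP_TRACE: dap_add_to_lua_tree:endpoint["anyconnect"]["clientversion"]="3.1.03103"
DAP_TRACE: dap_add_to_lua_tree:endpoint["os"]["version"]="Windows 7"
DAP_TRACE: Selected DAPs: ,POLICY-RSA
DAP_TRACE: dap_process_selected_daps: selected 1 records
"""

# Constructed excerpt modelled on the "Actual Client Connection" trace in the thread.
CLIENT_DAP_TRACE = """\
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="POLICY-RSA"
DAP_TRACE: Username: user1, DAP_add_AC:
endpoint.anyconnect.clientversion="3.1.03103";
DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.clientversion="3.1.03103"
DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.platform="win"
DAP_TRACE: Username: user1, Selected DAPs:
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: user1, Selected DAPs: DfltAccessPolicy
"""

# Assumed encoding of the custom DAP's conditions (tunnel group + two endpoint checks).
REQUIRED_ATTRS = {
    "aaa.cisco.tunnelgroup": "POLICY-RSA",
    "endpoint.anyconnect.clientversion": "3.1.03103",
    "endpoint.os.version": "Windows 7",
}


def normalize_key(raw):
    """Turn aaa["cisco"]["tunnelgroup"] into aaa.cisco.tunnelgroup; dotted keys pass through."""
    return re.sub(r'\["([^"]+)"\]', r'.\1', raw)


def parse_dap_trace(text):
    """Return (attributes seen by the DAP engine, list of DAPs finally selected)."""
    attrs = {}
    selected = []
    for line in text.splitlines():
        m = ATTR_RE.search(line)
        if m:
            attrs[normalize_key(m.group(1))] = m.group(2)
            continue
        m = SELECTED_RE.search(line)
        if m:
            # The engine may log an empty selection before falling back to the default policy;
            # keep the last non-empty list.
            names = [n.strip() for n in m.group(1).split(",") if n.strip()]
            if names:
                selected = names
    return attrs, selected


def diagnose(required, text):
    """Explain why a DAP did or did not match: which required attributes are absent or differ."""
    attrs, selected = parse_dap_trace(text)
    missing = sorted(k for k in required if k not in attrs)
    mismatched = sorted(k for k, v in required.items() if k in attrs and attrs[k] != v)
    return {"selected": selected, "missing": missing, "mismatched": mismatched, "attrs": attrs}


if __name__ == "__main__":
    for label, trace in (("Test DAP", TEST_DAP_TRACE), ("Actual connection", CLIENT_DAP_TRACE)):
        result = diagnose(REQUIRED_ATTRS, trace)
        print(f"{label}: selected={result['selected']} missing={result['missing']} "
              f"mismatched={result['mismatched']}")
```

Run against the two excerpts, the test trace reports no missing attributes and `POLICY-RSA` selected, while the client trace reports `endpoint.os.version` missing and `DfltAccessPolicy` selected, which is exactly the gap Raj points at: the endpoint data that would satisfy the OS condition is never installed into the Lua tree, so the problem is on the posture-collection side rather than in the DAP's own logic.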

  • OIM - Priorities for Access Policies

    Hi
    In my OIM deployment I have 7 access policies that I use to provision different resources. Each of these has a separate priority (naturally).
    While provisioning a new user these policies are applied in decreasing order of priority (i.e. the policy with priority 1 is applied first and the policy with priority 7 is applied last), at least as far as one can tell from the order of the email notifications.
    How can I configure OIM in such manner that while de-provisioning a user these policies are applied in the reverse order (i.e policy with priority 7 should be applied first and so on till the last policy that is applied is the one with priority 1)?
    Any help will be appreciated.
    Thanks in advance

    Use the APIs to add the group name to the group name child form of the AD process form.
    Or write a custom connector that does the group add directly to AD.
    Both approaches work, but approach one is more elegant.
    Best regards
    /Martin

  • OIA 11.1.1.3 - Unable to import Access Policies, Resources from OIM 11g

    Hi,
    I have successfully integrated OIA on tomcat with OIM on weblogic. Also all the Roles and Users of OIM have been imported into OIA.
    Can any one of you suggest what needs to be configured on OIM to have the Access Policies, Resources and Entitlements imported into OIA?
    PS : I have noted some changes to be carried out with OIM Form designer in the Design Console as per the Preferred method. Unfortunately, I am unable to go ahead in configuring the following as the Properties described do not show up to me.
    The user guide says -
    For each Resource, the following properties need to be added to some identified feed for accounts, policies, and entitlements imports:
    AccountName - Identifies the unique account in the target system
    ITResource - Identifies the unique IT Resource field for the target system
    Entitlement - Identifies the account attribute designated for privileges
    Please help with this issue.
    Thank you,
    Bhaskar

    Thanks for the reply EvgeniyA, but this is a new environment which has not been released to the users yet. So this cannot be because of SERVERTHREADS and AGTSVRCONNECTIONS. Also the older version worked fine without all those settings defined in essbase.cfg. Anyway, even if we consider that this was because of those parameters, I have defined those in the essbase.cfg and still no luck. Still get the same errors. Any other thoughts, anyone?
    Thanks,
    Ted.

  • How to Map OIA Provisioning policies to OIM Access Policies

    Hi,
    Access policies in OIM do not allow entitlement definitions in them, such as defining the AD Groups that need to be attached to the account which would be provisioned on the target resource when the access policy gets triggered. These entitlement definitions in OIM are taken care of at the Process Form level, whereas in the case of OIA the Provisioning policies allow entitlement definitions according to the resource type at the policy level. It would be of great help if you could help us in understanding how the import and export of access policy data between OIA and OIM would be feasible with these differences in place.
    Secondly, the access policies defined in OIM can contain resources belonging to different resource types, unlike OIA where we can create access policies only pertaining to the selected resource type. Kindly let us know how the Import and Export process would work out in these scenarios as well.
    Appreciate your guidance and support
    Thanks
    Avinash

    Hi,
    Any helpful pointer on the above mentioned scenario?
    Thanks,
    RPB

  • OIm 11g: Access policy issue

    Hi All
    We are using OIM 11.1.1.5.0, Weblogic 10.3.5 and Oracle DB EE 11.2.0.2.
    We have defined the role "CommonUsers" and assigned access policies with "AD and Exchange" resources. Exchange is a dependent resource on AD. Then we executed the PSFT feed file to load users into OIM and assign the role to users based on conditions evaluated by custom adapters. Here the "CommonUsers" role is getting assigned to users, but both resources are not assigned to the users. For some of the users "AD" is assigned but not Exchange, and for some of the users neither resource is assigned. For a few of the users both resources are assigned.
    Can you please suggest why OIM is not assigning the two resources to users with the role assignment? And why is it behaving that way?
    Thanks.

    I have reconciled 4 users; the role was assigned to them (4 users) but for 2 users OIM did not initiate Resource Provisioning. When I manually assign the role to any user, sometimes it is not initiating the Resource Provisioning task. There is no log information for this situation.
    Thanks.

  • Self Service Requests for OIM Access Policies

    In the absence of a Role Management product, is there a good way to enable OIM End User Self Service to process requests and approvals for OIM Access Policies or OIM Groups?
    Any suggestions are appreciated!
    KC

    Ultimately the group membership will trigger an access policy. The access policy assignment is the goal, the group assignment is the typical method to assign the access policy to the user.
    When creating a dummy resource, I assume that resource would have a lookup on the form to select the group name. Is this what you are suggesting?
    KC

  • Provisioning existing users through Access Policies in OIM

    Hi
    I need to evaluate access policies for existing users in OIM.
    My understanding of "Set User Provisioned Date" is... this scheduler sets the provisioned date for the user in the user profile, which in turn calls the entity adapter evaluatePolicies and should trigger the Access Policy. Correct me if I am wrong.
    But for all existing users the Provisioned Date is already set through trusted recon. Will this scheduler (Set User Provisioned Date) replace it with a new date?
    Sounds like silly question. But to confirm before testing this in production :)
    Thanks

    Yep
    Running this schedule task will not be sufficient. You'll have to select the RETROFIT check box while creating the Access Policy.

  • Feature Request : provide a way to create access policies or identities with matching condition based on the HTTP header's "Referer" field

    Hello,
    I have a use-case I would like to share with you. When a customer configures its WSA with highly restrictive internet access, like in the example below, it may trigger some issues:
    1- allow internet access only for URLs defined in whitelist.
    2- block ALL other requests.
    Let's take the following example :
    1- the customer only allows requests to www.siteA.com. siteA.com is the only URL included in its whitelist.
    2- www.siteA.com contains many embedded objects (such as facebook like tags, youtube videos, links to partners sites, ...)
    In this configuration, the end user will be allowed to reach siteA but the page will not be fully displayed. All the embedded objects not directly located on siteA will be missing.
    With WSA, the easiest way I can imagine to solve the issue is to list all the embedded objects present on siteA, get their URLs and also add these URLs to the whitelist. But this solution is of course far from convenient, since it requires knowing exactly how each HTTP page you want to consult is built.
    With other proxies, such as Bluecoat proxies or McAfee Web Gateway proxies for example, I used to solve this kind of issue by using the HTTP referer field (the URL you come from). For example with Bluecoat:
    <Proxy>
        ALLOW request.header.Referer.url.domain=//www.siteA.com/
    => All requested objects from siteA.com will be automatically allowed by the proxy, even if they are not part of my whitelist.
    - Do you have a better suggestion than the one I'm currently using with WSA (adding each site to the whitelist)?
    - Would it be possible to add the HTTP referer field as a matching condition for Identities and access policies in your next release?
    Thanks in advance
    Best regards

    As far as I'm aware this functionality is still not available... would be an awesome feature to have, but could also be abused at the same time by a user writing their own "middleware" proxy and setting the referrer header to that allowed site..  could be done in like ~15 lines of perl / python.
    Either way... would still be a cool feature to have.

  • ACS 5.2 NDG Locations not showing up in Access Policies

    When I add locations under Network Device Groups and then try and use them in my Access Policies they don't show up. It just says "No data to display". If I try and recreate them I get an error "Object you are trying to Create already exists.' but it is blank. I can run an export and they show up in the CSV file but they don't show up anywhere on the GUI. I have deleted the file and recreated with the same result.
    I have been searching all over for anyone with a similar situation but have come up empty. Any thoughts?
    Regards,
    Andy

    I have recollections about two issues related to this:
    - If there are multiple attributes with the same name as the NDG. E.g. if you create a user attribute called "Locations" it can cause problems. Can be resolved by renaming the attribute.
    - Could be issues if the word "system" appears in the NDG node name.
    Not 100% sure about these (disclaimer) but wanted to mention them in case it gives some pointers.

  • E4200 Firmware 1.0.03 Parental Controls/ Internet Access Policies not kicking in.

    I have configured my e4200 to block traffic at certain times using both the Parental Controls and the Internet Access Policies.  Neither one seems to work though.  The traffic just keeps flowing.
    I have the following summary in my IAP:
    1  9toMidStoT        Deny   Sun, Mon, Tue, Wed, Thu   21:30 - 23:55
    2  midto6AMEveryday  Deny   Every Day                 00:00 - 06:00
    3  AllowDays         Allow  Every Day                 06:00 - 21:30
    4  Late              Allow  Fri, Sat                  21:30 - 23:55
    Each of the four rules is enabled.
    I have the same MAC addresses specified in each rule.  Initially I had only the first two rules.  Those didn't work, so I added rules 3 and 4 (they do the same thing as rules 1 and 2 but from the opposite direction).  There are no complaints, but they don't stop any traffic.
    I started with the Parental Controls; they didn't work either.  The page in there that lets you pick which machines you want to block seemed next to worthless.  I have about four rows listed as "Network Device."  REALLY LAME!  As the MAC addresses are accessible and these weren't working I went to the IAP.
    Does anyone else have this working?  Is this feature broken in 1.0.03?  I had it working in 1.0.01.
    Thanks!

    What happens when you set "block internet access" to always? I have also had weird experiences with this feature.
    For example, as I am typing this message, I have instructed the router to block all internet access on this computer (using parental controls), yet I am still able to visit this forum; although, other websites are blocked. I'll also try your rules and see what effect they have on my computer.
    I also agree with you about the annoying "network device" issue that happens when the router isn't able to identify the devices' hostnames. There are also devices that appear in that list which I haven't seen in my DHCP table for a while.
    I don't work for Cisco. I'm just here to help.

  • Provision a RO several times with one user using Access Policies

    Hello,
    we need to provision several Unix machines and for this purpose we use only one resource object (SSH User). Additionally, we created an access policy for every machine:
    - Access Policy Unix Server 1
    - Access Policy Unix Server 2
    - Access Policy Unix Server N
    We created the following group in OIM: SSH Group.
    We set the policies in such a way that whenever a user is added to the SSH Group, the SSH User RO is provisioned with the user for every machine. We created several access policies, because the parameters of the form are different for every machine.
    The problem is that when a user is added to the SSH Group, the SSH User resource object is provisioned only once. It is provisioned by the access policy with the highest priority. We would like the SSH User RO to be provisioned by every access policy. That is, the user should have the SSH User RO provisioned N times after being added to the SSH Group.
    Is there any way to achieve this without creating a resource object for every Unix Machine? We need to provision more than 300 Unix machines and this would require a lot of time...
    Thank you for your help

    There are other options. You could create a child table to hold the IT Resource information, assuming all parent data is the same for every system. Then on the insert/delete to child table entries, you can provision and de-provision from that target. On disable/enable you would need to search through the child table and perform the action against all instances. The same for the other update tasks.
    This is the limitation of access policies. They manage a single resource object target instance. You could also code a generic resource that has child table entries. When an insert happens, you can use the APIs to provision an instance of the specific target with the provided details. Then you could create access policies to add entries to the child table, and each would provision the appropriate object, and deprovision too.
    Takes some custom code, but it's doable. Just remember though that they are all still the same resource object, so reporting would show them all, as well as attestation, as a single instance, with multiple provisioned to each user.
    Another option is to duplicate the work flow using find and replace in the XML and generate a unique workflow for each instance.
    -Kevin

  • RVS4000 Internet Access Policy issues after FW upgrade to 1.3.3.5

    Hi,
    we run a small home/business network using an RVS4000v1. Everything is pretty simple and straightforward. We use 10 different Internet Access Policies (IAP), that's it. We recently upgraded the firmware to 1.3.3.5.
    Since then all IP addresses (that is 2 IP addresses in total) that have 24 hr access to the internet get cut off from the internet just before/around midnight. All IAPs that use a time window (e.g. 8:00 AM to 10:00 PM) are working fine (also on the next day).
    The web GUI still works and the status of the router still says it's up and the WAN access is up as well. We have to reboot the router (through the web GUI) to get 24 hr access again, or save the same IAP again.
    Reading the release notes for FW 1.3.3.5 I note that there is a known issue with IAP.
    >>QUOTE
    The second Internet access policy does not work.
    Work Around: Configure only one Internet access policy within a 24-hour
    interval.
    >>UNQUOTE
    I am just not sure how to read it.
    Is it only the second IAP that has the issue (and the IAP numbers 3 to 10 do not)? Or will only ONE IAP work and no others?
    Or is the second policy that uses a 24hr setting meant to be the issue? If this was the case, could a work around be to set the time from 00:05 AM to 11:55 PM (or in my case 00:05 to 23:55)?
    We appreciate your help
    Andy

    Friends,
    The issue is resolved. I just switched off my phone and removed the battery. Inserted the battery after a minute or so and everything seems to be fine. Even the available memory shown is around 25.15 GB. I had even forgotten to take a backup before upgrading to PR 1.3. Still, all my Photos, Videos and Documents are as they were before upgrading.
    Thankfully I can heave a sigh of relief now.
    Cheers,
    Goks

  • Problem with Access Policies (create multiple resources)

    I'm having a problem with Access Policies:
    The first policy must create a resource.
    And the following policies should create children on the resource.
    The problem here is that when the policies add the children, the resource is not provisioned yet.
    And then each one will create a resource, but I just want one resource with the children.
    When the resource is already provisioned, the policies update this resource properly.
    How can I fix this?
    tks

    Ricardo,
    I had a similar problem. In a post-process handler I was managing the user membership in specific roles through the removeMemberUser and addMemberUser methods of the tcGroupOperationsIntf class.
    The last parameter of this method was a boolean which, when true, would automatically trigger the access policies programmatically in the post-process.
    The problem is that there also is an OOTB event handler for triggering access policies, so I was basically triggering the access policies twice and duplicated resources were appearing.
    Hope this helps.
    Cheers
