OIM Authorization policy for specific resource

Hi gurus,
Can we create an authorization policy in OIM 11.1.1.5 for allowing resource administrators to add/modify a specific resource only?
Example: For all users, Admin user-A should be able to add/modify AD resource only.
Admin User-B should be able to add/modify iPlanet resource only.
Thanks in advance.
-J

OIM 11.1.1.5 authorization policies do not extend to resource operations, only operations on OIM users and roles. For restricting operations on resources you can set data object permissions on the resource objects themselves. An alternative approach in OIM 11.1.1.5 is to provision resources via requests, where you can limit requests to work with specific allowed resources and be accessible to specific administrators.

Similar Messages

  • Authorization Policy for only search users

    Hi all,
    I need create a custom authorization policy for only search all users in create request. The users can't see any profile information of others users.
    Anyone can help me ?
    Regards,
    Joel

    ViewUser Admin Role can search and view users by default, since the OES policies for this admin role have the action ViewSearch Entity. In your case, you can write ELs to hide the Admin tab, which will hide the Admin tab links based on the currently logged-in user's profile.
    http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/uicust.htm#BABHBFGH

  • Authorization Policy for Modify user in OIM 11gR2

    Hi Experts,
    Requirement: I want the users in a particular org not to be able to modify certain user attributes, while users from other orgs should be allowed to modify users.
    I have created user1 whose organization is org1 and role is role1. I have also created user2 under the same org and same role. I assigned the Admin Role "User Administrator" to user2.
    So if user2 from the same org1 tries to modify certain attributes, OIM should throw an error message. I have completed this part.
    But when a user from a different org, say org2, with Admin Role "User Administrator" tries to modify a user, OIM is not allowing the modification, which should not be the case.
    I want the Auth Policy to trigger only for Org1. I have specified the below condition for my custom policy in OES admin console but it is not triggering.
    The condition is
    IF ( OrclOIMTargetEntity = 'true' AND OrclOIMUserOrganizations = 'true' AND STRING_AT_LEAST_ONE_MEMBER_OF(OrclOIMUserOrganizations,['25','1000000']) = true )
    What am I missing?
    Any help is much appreciated.

    Hi
    Can anyone let me know the steps to restrict modify user operation for the users belonging to specific organization in OIM 11gR2. The condition which I specified under Authorization Policy in APM console is not triggering at all.
    Thanks!

  • How to apply Software Restriction policy for specific user in local group policy object ?

    I am working on implementing user based software restriction policy programmatically for local group policy object.
    If I create a policy through the Domain Controller, I have the option for software restriction policy under user configuration, but in the local group policy editor I don't have that option.
    When I look for the changes made by the policy applied from the Domain Controller in the registry, it modifies registry values for specific users under the path HKEY_USERS\(SID of User)\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    They also have registry.pol stored in the SYSVOL folder on the Domain Controller. When I make the same changes in the registry to block any other application, the application gets blocked.
    I achieved what I wanted, but is it right to modify registry values?
    PS: I am using the IGroupPolicyObject API

    I achieved what I wanted but is it right to modify registry values ?
    You can also modify a registry-based policy programmatically. Check this:
    http://blogs.msdn.com/b/dsadsi/archive/2009/07/23/working-with-group-policy-objects-programmatically-simple-c-example-illustrating-how-to-modify-a-registry-based-policy.aspx

  • ISE 1.2 - Authorization Policy for Digital Certificates

    Hi Everyone.
    I have Cisco ISE 1.2. When I created an authorization policy rule for PEAP (MSCHAPv2), ISE can match on the rule and permit based on the AuthProfile.
    BUT for authentications using digital certificates (EAP-TLS) I can't get any authorization policy to match.
    I'm trying something like:
    if
    any
    AND
    authEAPprot: EAP-TLS
    AND
    Certificate:issuer : equal : CA-root
    THEN
    ACCESS_FULL
    In Operations > Authentications I can see the authentication, and when I open the details I can see the method is EAP-TLS, BUT my rule is not correct because the authorization policy that is used is Default.
    Can someone give me a tip about how I can make this rule for authentications that use EAP-TLS (digital certificates)?
    Thanks

    Hi,
    You will have to upload all certificates (intermediate and root) that are used to sign the client cert into the ISE CA database. You will also have to make sure that checkbox for trust for client authentication is checked.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Authorization FBCJ for Specific Business Transaction

    Dear Guru,
    How to create user authorization via PFCG for FBCJ with specific Business Transaction?
    I have tried, but I just find authorization FBCJ for Activity (Change, Delete, Post, Read) and Account Type (GL, Vendor, Customer, Material).
    Thank you.

    Hello,
    Normally, for the cash journal the suggestion is to introduce segregation of duties. For example, the user who creates and saves the cash journal (for review; no document is posted at this point) should not be allowed to post the cash journal (at which point the SAP document is posted). Then another user should be assigned the cash journal deletion authorisation, should a related document require reversal. Basically, you should have the authorisations for update, post and deletion in separate user roles.
    Kind regards,
    John Chin

  • Retention policy for specific backupset

    Hi,
    Actually I am involved in a Proof of Concept for Exadata. My customer wants to set a specific retention for one backupset. These are the steps followed and the problem:
    1. Perform a "backup as backupset" for database to disk.
    2. Perform a "backup backupset" to tape for the backup of step 1.
    3. Change the retention policy only for the backup of step 2 and set it to be kept until sysdate+x days.
    Does anyone know how can be this done?
    Best regards.

    You will need to create two different backups: one to device type DISK with the default retention and another backup to device type SBT_TAPE with the specific retention.
    The SAME backup (backupset) cannot have two different retentions (even if it's a copy). The copy of a backupset belongs to a backup which already has its own retention.
    See this example:
    RMAN> backup current controlfile ;
    Starting backup at 17-OCT-12
    allocated channel: ORA_DISK_1
    channel ORA_DISK_1: SID=10 device type=DISK
    channel ORA_DISK_1: starting compressed full datafile backup set
    channel ORA_DISK_1: specifying datafile(s) in backup set
    including current control file in backup set
    channel ORA_DISK_1: starting piece 1 at 17-OCT-12
    channel ORA_DISK_1: finished piece 1 at 17-OCT-12
    piece handle=/u01/app/oracle/flash_recovery_area/ORCL/backupset/2012_10_17/o1_mf_ncnnf_TAG20121017T145951_87xwjrjn_.bkp tag=TAG20121017T145951 comment=NONE
    channel ORA_DISK_1: backup set complete, elapsed time: 00:00:04
    Finished backup at 17-OCT-12
    RMAN> backup backupset from tag TAG20121017T145951 ;
    Starting backup at 17-OCT-12
    allocated channel: ORA_SBT_TAPE_1
    channel ORA_SBT_TAPE_1: SID=10 device type=SBT_TAPE
    channel ORA_SBT_TAPE_1: Data Protection for Oracle: version 5.5.1.0
    channel ORA_SBT_TAPE_1: input backup set: count=14735, stamp=796921191, piece=1
    channel ORA_SBT_TAPE_1: starting piece 1 at 17-OCT-12
    channel ORA_SBT_TAPE_1: backup piece /u01/app/oracle/flash_recovery_area/ORCL/backupset/2012_10_17/o1_mf_ncnnf_TAG20121017T145951_87xwjrjn_.bkp
    piece handle=BKP_CONTROL_ORCL_14735_1_20121017_2 comment=API Version 2.0,MMS Version 5.5.1.0
    channel ORA_SBT_TAPE_1: finished piece 1 at 17-OCT-12
    channel ORA_SBT_TAPE_1: backup piece complete, elapsed time: 00:00:04
    Finished backup at 17-OCT-12
    RMAN> list backup;
    BS Key  Type LV Size
    14667   Full    1.11M
      Control File Included: Ckp SCN: 142367578    Ckp time: 17-OCT-12
      Backup Set Copy #1 of backup set 14667
      Device Type Elapsed Time Completion Time Compressed Tag
      DISK        00:00:02     17-OCT-12       YES        TAG20121017T145951
        List of Backup Pieces for backup set 14667 Copy #1
        BP Key  Pc# Status      Piece Name
        14667   1   AVAILABLE   /u01/app/oracle/flash_recovery_area/ORCL/backupset/2012_10_17/o1_mf_ncnnf_TAG20121017T145951_87xwjrjn_.bkp
      Backup Set Copy #2 of backup set 14667
      Device Type Elapsed Time Completion Time Compressed Tag
      SBT_TAPE    00:00:02     17-OCT-12       YES        TAG20121017T145951
        List of Backup Pieces for backup set 14667 Copy #2
        BP Key  Pc# Status      Media                   Piece Name
        14668   1   AVAILABLE   44531                   BKP_CONTROL_ORCL_14735_1_20121017_2
    RMAN> change backuppiece 14668 keep forever logs;
    using channel ORA_DISK_1
    using channel ORA_SBT_TAPE_1
    RMAN-00571: ===========================================================
    RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
    RMAN-00571: ===========================================================
    RMAN-03002: failure of KEEP command at 10/17/2012 15:02:24
    RMAN-06528: CHANGE ... KEEP not supported for BACKUPPIECE
    In the example above the BACKUPSET 14667 has two BACKUPPIECEs (14667, 14668); if you change the retention of BACKUPSET 14667 you change the retention of both BACKUPPIECEs.
    I don't recommend doing this, but it is a poor option:
    RMAN> delete backuppiece 14667;
    using channel ORA_DISK_1
    using channel ORA_SBT_TAPE_1
    List of Backup Pieces
    BP Key  BS Key  Pc# Cp# Status      Device Type Piece Name
    14667   14667   1   1   AVAILABLE   DISK        /u01/app/oracle/flash_recovery_area/ORCL/backupset/2012_10_17/o1_mf_ncnnf_TAG20121017T145951_87xwjrjn_.bkp
    Do you really want to delete the above objects (enter YES or NO)? yes
    deleted backup piece
    backup piece handle=/u01/app/oracle/flash_recovery_area/ORCL/backupset/2012_10_17/o1_mf_ncnnf_TAG20121017T145951_87xwjrjn_.bkp RECID=14667 STAMP=796921192
    Deleted 1 objects
    RMAN> list backup;
    BS Key  Type LV Size       Device Type Elapsed Time Completion Time
    14667   Full    1.11M      SBT_TAPE    00:00:02     17-OCT-12
            BP Key: 14668   Status: AVAILABLE  Compressed: YES  Tag: TAG20121017T145951
            Handle: BKP_CONTROL_ORCL_14735_1_20121017_2   Media: 44531
      Control File Included: Ckp SCN: 142367578    Ckp time: 17-OCT-12
    RMAN> change backupset 14667   keep forever;
    using channel ORA_DISK_1
    using channel ORA_SBT_TAPE_1
    keep attributes for the backup are changed
    backup will never be obsolete
    backup set key=14667   RECID=14667 STAMP=796921193
    RMAN > list backup;
    BS Key  Type LV Size       Device Type Elapsed Time Completion Time
    14667    Full    1.11M      SBT_TAPE    00:00:02     17-OCT-12
            BP Key: 14667   Status: AVAILABLE  Compressed: YES  Tag: TAG20121017T145951
            Handle: BKP_CONTROL_ORCL_14735_1_20121017_2   Media: 44531
            Keep: BACKUP_LOGS        Until: FOREVER
      Control File Included: Ckp SCN: 142367578    Ckp time: 17-OCT-12
    Edited by: Levi Pereira on Oct 17, 2012 4:02 PM

  • RFC-enabled authorization checks for specific tables?

    I am developing an Excel application which calls several BAPIs and RFC-enabled FMs, most notably RFC_READ_TABLE.  While I will provide security at the FM level by checking S_RFC for these FMs, I need to find a way of restricting access for users to specific tables based on certain table fields?  Is there any SAP-delivered FM/BAPI that will let me do this?
    My understanding is that although RFC_READ_TABLE does check S_TABU_DIS, it only checks tables based on their belonging to a particular table class—It is not checking authorization for an individual table. What this means is that users will need to have access to the table class or classes to which the table or tables belong, for any tables that are being read by RFC_READ_TABLE.
    Please correct me if I am wrong in my understanding, or if there is a standard solution for a situation like this.

    Hi john,
    1. What this means is that users will need to have access to the table class or classes to which the table or tables belong, for any tables that are being read by RFC_READ_TABLE.
    You are perfectly right.
    2. The users will have to be given rights
       NOT TABLE WISE,
       But authorisation group wise.
    3. Note : S_TABU_DIS
       The main purpose of this authorisation object
       is for standard tools like sm30 only.
       Its also used in the FM RFC_READ_TABLE .
    regards,
    amit m.
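
    The point made in this thread, that S_TABU_DIS grants access per table authorization group rather than per table, can be made concrete with a small model. The following is an added example written for this page, not SAP code and not the poster's application: the table-to-group assignment and the user data are constructed sample values, and the allowlist wrapper goes one step beyond the thread by adding the per-table restriction the original poster is asking for on top of the group-level check.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Added example: a constructed model of the two-level situation described
# in the thread. S_TABU_DIS is checked per table authorization group, not
# per table, so a caller of RFC_READ_TABLE needs the group of each table it
# reads and thereby gains every other table in that group. The mapping and
# user data below are illustrative, not SAP's own implementation.

ACTVT_CHANGE = "02"   # S_TABU_DIS activity: change
ACTVT_DISPLAY = "03"  # S_TABU_DIS activity: display

# Table -> authorization group (constructed sample values).
TABLE_AUTH_GROUP: Dict[str, str] = {
    "LFA1": "FC31",    # vendor master: general data
    "LFBK": "FC31",    # vendor master: bank details, same group
    "KNA1": "FC31",    # customer master, same group
    "MARA": "MA",      # material master
    "USR02": "SC",     # user master (logon data)
}


@dataclass
class RfcUser:
    """Authorizations of one RFC user: S_TABU_DIS values per group plus an
    optional application-level table allowlist, which is the finer
    restriction the original poster is asking for."""
    name: str
    tabu_dis: Dict[str, Set[str]]                 # auth group -> activities
    table_allowlist: Optional[Set[str]] = None    # None = no extra restriction


def s_tabu_dis_check(user: RfcUser, table: str, actvt: str) -> bool:
    """Group-level check in the style of S_TABU_DIS: the user must hold the
    table's authorization group with the requested activity. The table
    name itself plays no part in the decision."""
    group = TABLE_AUTH_GROUP.get(table)
    if group is None:
        return False        # table without a group assignment: deny
    return actvt in user.tabu_dis.get(group, set())


def rfc_read_allowed(user: RfcUser, table: str) -> bool:
    """Check a custom wrapper could run before delegating to RFC_READ_TABLE:
    the standard group check AND the per-table allowlist."""
    if not s_tabu_dis_check(user, table, ACTVT_DISPLAY):
        return False
    return user.table_allowlist is None or table in user.table_allowlist


def tables_opened_by_groups(user: RfcUser):
    """Every table the group-level authorization alone would expose, i.e.
    the over-grant the thread warns about."""
    return sorted(t for t, g in TABLE_AUTH_GROUP.items()
                  if ACTVT_DISPLAY in user.tabu_dis.get(g, set()))


# Constructed sample: the Excel integration user only needs LFA1, but the
# group FC31 it must be granted also covers LFBK and KNA1.
EXCEL_USER = RfcUser("EXCEL_RFC", {"FC31": {ACTVT_DISPLAY}}, table_allowlist={"LFA1"})

if __name__ == "__main__":
    print("group check alone opens:", tables_opened_by_groups(EXCEL_USER))
    for t in ("LFA1", "LFBK", "MARA"):
        print(t, "readable via wrapper:", rfc_read_allowed(EXCEL_USER, t))
```

    Running it shows that the group-level check alone lets EXCEL_RFC read KNA1, LFA1 and LFBK, while the wrapper's allowlist narrows that to LFA1; the group grant is still required, the allowlist only subtracts from it.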

  • Authorization Object for specific Output types maintained via MN11 & MN12

    Hello,
    I was looking to see if we could limit the access of users so that they can change only specific output types (see T-code NACE) when using transaction code MN12, specifically only LPH1 (standard SA output type). I'm not seeing anything within the system, and I can't seem to find anything via SNC which describes this, so I am wondering if there is nothing like this.
    Is anyone aware of something for this, or a potential solution if an authorization object doesn't exist?

    duplicate.. please close.

  • How can I set OIM password policy for OID Users.

    Hi,
    For me the target resource is OID. When I create users in OIM, they get provisioned to OID. Their password also gets stored in OID.
    Now, I have a password policy in OIM. In that policy, the password expiration is set to 28 days. After 28 days, the user's password will expire in OIM. Is there any way that the password will also expire in OID, so that the user will not be able to log in to OID?
    Thanks in advance.

    You need to do the following.
    1. Find the attribute in OID that determines the disable date.
    2. Add a field to your provisioning process definition form.
    3. Using a pre-populate adapter, use an input of your oim user account expiration date, and convert that to the format OID uses.
    4. Update your lookup for provisioning attributes to include this new field to map the field name to the OID attribute.
    5. Create an "Updated" task for this field so that when it gets changed, the new value is pushed to OID.
    6. Create a user form trigger value for the field that maps to the oim user account expiration field. For this trigger, add a task to your oid provisioning process that does the same tasks as your pre-populate adapter to determine the new date value and pass it to the field on the process form.
    Now when the OIM expiration date changes, this value will be passed to OID, and also when the account is first created.
    Does this work for you?
    -Kevin
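
    Step 3 of the answer (take the OIM expiration date and convert it to the format the OID attribute expects) is the piece most likely to go wrong in a pre-populate adapter. The following is an added example for this page, not Kevin's adapter and not OIM or OID code: it assumes the OID attribute takes an LDAP Generalized Time value (YYYYMMDDHHMMSSZ, as defined in RFC 4517), which must be verified against the schema of the attribute found in step 1, and the 28-day policy value comes from the question.

```python
from datetime import datetime, timedelta, timezone

# Added example: compute the expiration implied by the OIM password policy
# and render it as LDAP Generalized Time. Whether the chosen OID attribute
# accepts exactly this syntax is an assumption to check against its schema.

POLICY_EXPIRY_DAYS = 28  # value stated in the question


def expiration_from_last_change(last_change: datetime,
                                days: int = POLICY_EXPIRY_DAYS) -> datetime:
    """Expiry = last password change + policy days, normalised to UTC.
    A naive datetime is rejected: silently assuming a zone is how an
    account ends up expiring hours early or late."""
    if last_change.tzinfo is None:
        raise ValueError("last_change must be timezone-aware")
    return (last_change + timedelta(days=days)).astimezone(timezone.utc)


def to_generalized_time(dt: datetime) -> str:
    """Format a timezone-aware datetime as Generalized Time in UTC ('Z')."""
    if dt.tzinfo is None:
        raise ValueError("datetime must be timezone-aware")
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def from_generalized_time(value: str) -> datetime:
    """Inverse of to_generalized_time, for checking what was pushed to the
    directory against what the adapter computed."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"not a UTC Generalized Time string: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def prepopulate_expiration(last_change: datetime) -> str:
    """The value a pre-populate adapter (step 3) would put on the process
    form field that is mapped to the OID attribute (step 4)."""
    return to_generalized_time(expiration_from_last_change(last_change))


if __name__ == "__main__":
    # Constructed sample: password last changed 2012-10-01 09:30 at UTC-5.
    changed = datetime(2012, 10, 1, 9, 30, tzinfo=timezone(timedelta(hours=-5)))
    value = prepopulate_expiration(changed)
    print(value, "->", from_generalized_time(value).isoformat())
```

    The same conversion is what the process task in step 6 has to perform when the OIM expiration field is later updated, so keeping it in one function shared by the adapter and the task avoids the two drifting apart.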

  • OIM 11g - User Management Authorization policy issues

    Hello,
    1) Created an organization -> Human Resource
    2) Created an Role -> HR_Admins
    3) Assigned HR_Admins roles as administrative role of Human Resource organization
    4) Created user1 with organization as Human Resource & Assigned HR_Admins role to this user.
    5) Created authorization policy for user management with following selections
    Permission -> Create User.
    Data Constraints -> Selected "Users that are members of selected Organizations" & selected above Human Resource organization.
    Assignment -> HR_Admins role .
    Now when I log in as user1 I am not able to see the Administration tab where I can select Create User.
    I have been working on this issue for a couple of days, but am not able to find the solution. Have I missed some configuration?
    Thank-You
    Rahul Shah

    Hi Rahul,
    I have tested your scenario with the below settings:
    1) Created an organization -> Human Resource
    2) Created an Role -> HR_Admins
    3) Assigned HR_Admins roles as administrative role of Human Resource organization
    4) Created user1 with organization as Human Resource & Assigned HR_Admins role to this user. : default role All Users
    5) Created authorization policy for user management with following selections
    Permission -> Create User. :- *"Select ALL"*
    Data Constraints -> Selected "Users that are members of selected Organizations" & selected above Human Resource organization.
    Assignment -> HR_Admins role .
    In data constraints
    Organization Security Setting     Hierarchy Aware (include all Child Organizations)
    Now I am able to see the create user tab and, I can create user in Human Resource org only.
    If it doesn't work for you. Just assign "REQUEST ADMINISTRATOR" IN AUTH POLICY. Test the result.
    Also what is your OIM version?
    Test it with fresh data like new role name, org and user,
    -kuldeep
    Edited by: Kuldeep on May 22, 2012 4:19 AM
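
    Both this thread and the earlier "Authorization Policy for Modify user in OIM 11gR2" thread come down to the same question: which target users fall inside an organization-scoped policy, and whether child organizations count. The following is an added example written for this page, not OIM or OES code and not either poster's configuration: it models a policy as permission set, assigned role and organization data constraint with the hierarchy-aware switch Kuldeep mentions, plus the restriction the earlier poster wants (administrators from org1 may not change certain attributes). The predicate name STRING_AT_LEAST_ONE_MEMBER_OF is borrowed from the condition quoted in that thread; how OIM actually evaluates scope, and the organization keys and users, are assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Added example: a constructed model of an organization-scoped
# user-management policy. It is not OIM or OES code; evaluation rules,
# organization keys and users below are assumptions of this model.


@dataclass
class Org:
    key: str                      # organization key, e.g. '25'
    parent: Optional[str] = None  # None for the top organization


@dataclass
class User:
    login: str
    org_key: str
    roles: Set[str] = field(default_factory=set)


@dataclass
class Policy:
    permissions: Set[str]          # e.g. {"Create User", "Modify User"}
    assigned_role: str             # admin role the policy is assigned to
    scoped_org_keys: Set[str]      # "Users that are members of selected Organizations"
    hierarchy_aware: bool = True   # include all child organizations


def string_at_least_one_member_of(values, allowed) -> bool:
    """True when at least one of `values` appears in `allowed`."""
    return any(v in allowed for v in values)


def org_chain(orgs: Dict[str, Org], key: str) -> List[str]:
    """The organization key followed by each ancestor up to the root."""
    chain: List[str] = []
    cur: Optional[str] = key
    while cur is not None:
        chain.append(cur)
        cur = orgs[cur].parent
    return chain


def target_in_scope(orgs: Dict[str, Org], policy: Policy, target: User) -> bool:
    """Data constraint: the target belongs to a selected organization or,
    when hierarchy aware, to an organization somewhere below one."""
    memberships = org_chain(orgs, target.org_key) if policy.hierarchy_aware else [target.org_key]
    return string_at_least_one_member_of(memberships, policy.scoped_org_keys)


def is_permitted(orgs: Dict[str, Org], policies: List[Policy],
                 actor: User, action: str, target: User) -> bool:
    """Grant when some policy lists the action, is assigned to a role the
    actor holds, and the target falls inside that policy's scope."""
    return any(action in p.permissions
               and p.assigned_role in actor.roles
               and target_in_scope(orgs, p, target)
               for p in policies)


def attribute_change_blocked(orgs: Dict[str, Org], actor: User, restricted_org_keys: Set[str],
                             attribute: str, protected_attributes: Set[str]) -> bool:
    """The earlier thread's rule: administrators who are themselves members
    of a restricted organization may not change protected attributes;
    administrators from other organizations are unaffected."""
    if attribute not in protected_attributes:
        return False
    return string_at_least_one_member_of(org_chain(orgs, actor.org_key), restricted_org_keys)


# Constructed sample directory: Top Organization ('1') with Human Resource
# ('25') and a child HR Payroll ('1000000'), plus Finance ('30').
ORGS = {
    "1": Org("1"),
    "25": Org("25", parent="1"),
    "1000000": Org("1000000", parent="25"),
    "30": Org("30", parent="1"),
}
HR_POLICY = Policy({"Create User", "Modify User"}, "HR_Admins", {"25"}, hierarchy_aware=True)
HR_ADMIN = User("user1", "25", {"All Users", "HR_Admins"})
PAYROLL_USER = User("user2", "1000000", {"All Users"})
FINANCE_USER = User("user3", "30", {"All Users"})

if __name__ == "__main__":
    for tgt in (PAYROLL_USER, FINANCE_USER):
        print(HR_ADMIN.login, "may modify", tgt.login, ":",
              is_permitted(ORGS, [HR_POLICY], HR_ADMIN, "Modify User", tgt))
```

    With hierarchy-aware scope user1 can modify the payroll user because HR Payroll sits under Human Resource; flipping hierarchy_aware to False makes the same check fail, which is the kind of difference Kuldeep's "Hierarchy Aware" setting makes. Finance users stay out of scope either way.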

  • Define read-only authorization for specific field(s) on a form for 11.5.9

    Dear all,
    Can you please let me know how it is possible to define read-only authorization access for specific field(s) per responsibility / user on a form in 11.5.9?
    For example I want to protect the item master file by assigning for example to users with responsibility buyer authorization to modify the buyer information but to have read-only only authorization on other sensitive fields such as make/buy flag, expense accounts, etc
    Through UI Modeller I have only managed to make specific fields on specific forms invisible, or whole tabs invisible, to specific responsibilities but this does not cover my needs as I want them to be able to view the data of the fields but to not be able to update them

    Arun,
    Almost but not quite.. The example you've given has the person VO at the top level which includes all the id's (City, State etc). My use case is slightly different.
    query 1
         select org_id, OrgName from x;
    query 2
         select emp_id, emp_name from y where org_id = x.org_id
    query 3
         multi-table join (approx 9 tables) to retrieve depts associated to employee
         where org_id = x.org_id
         and emp_id = y.emp_id
    Rather than using LOV's would it be better to create VO's and pass in the bind parameters at run time?

  • Authorization checks for bank account number in vendor master

    I am trying to find a way to set up authorization checks for specific fields in the vendor master: LFBK-BANKL, LFBK-BANKN, LFBK-EBPP_ACCNAME and LFBK-EBPP_ACCNAME. I am trying to set it up so that if you have access to transactions FK03 or XK03, you can view vendor master data except for the above fields.
    Does anyone know of a way to accomplish this? Your help will be greatly appreciated.
    Thanks
    -Peru

    HI Peru,
    To suppress a field in FK03 you will have to check
    Financial Accounting (New) > Accounts Receivable and Accounts Payable > Vendor Accounts > Master Data > Preparations for Creating Vendor Master Data > Define Screen Layout per Activity (Vendors)
    in that, Display Vendor (Accounting) for FK03 and Display Vendor (Centrally) for XK03.
    But the bank account number is not there.
    Moreover, there are no authorization objects for all the fields that you gave.
    So try creating a screen variant / transaction variant in SHD0.
    Regards,
    Kiran

  • Order for resources in OAM authorization policy

    Hi All
    Does the order for the resources in OAM authorization policy matters or can I put the resources in any order ?
    Thanks

    OAM performs resource authentication and authorization based on the URLs. It doesn't matter in what order you put them.
    ~Yagnesh

  • How to assign approval policy for a request template in OIM 11g

    When I request for resource in OIM 11g, It's always going for Default approval of xelsysadm.
    I want this Request level approval must go to "Beneficiary Manager approval". While requesting I am selecting request template (which I created) for Provision resource as Request type.I have already set "Beneficiary Manager approval" as request level approval for this request template.
    I have created one approval policy, How can I assign this approval Policy to request template so that When i submit this request , it should go to my Manager approval.
    Regards,
    J

    Hi Rajiv,
    I do not need approval of Operational level. I want to stop the approval process after request level approval.
    Here you are saying to create a new approval policy and set AUTO Approval to true. There are some default approval policies which come with OIM 11g, and one of those approval policies is triggering the operational level approval. So I think I do not need to create a new approval policy; I can use the existing approval policy and modify it as you suggested, selecting AUTO APPROVAL and creating the approval rule as request template=="XYZ".
    I am not sure which default approval policy is triggering the operational approval now. Can you please tell me that?
    Can you please confirm that the only way to restrict operational approval is by setting "AUTO APPROVAL" to true and putting the approval rule as request template=="XYZ"?
    Thanks Rajiv for your help all the time.
