OIM OES Groups

Hello,
Has anyone done an OIM OES integration?
Can I provision groups from OIM to the OES database (i.e. can I create groups in OES using OIM)?
Please provide me with links if there are any!!!
Thanks

This is purely my experience, so YMMV...
In my experience the act of creating a group after the initial setup of the environment & directory is fairly infrequent. Investing energy / time / money in wiring systems together for something like this tends to not be cost effective.
While not ideal, if you need to write a policy on a group and the group hasn't been added to OES yet, AND you as the policy author don't have permission to add the group, you can still write a policy on group membership by using the sys_subjectgroups attribute, e.g. "somenewgroup" in [sys_subjectgroups]
http://download.oracle.com/docs/cd/E12890_01/ales/docs32/policymanager/advanced_policy.html#wp1085485table1085479

Similar Messages

  • OIM OES Integration to use LDAP groups for policy making

    Hi ,
    I am trying to make a policy for the OIM application using OES. I want to use my LDAP groups as principals to control the access in OIM. How can it be achieved?
    Thanks
    Edited by: user10660448 on May 21, 2013 1:35 AM

    Note that you can use the internal LDAP that comes with WebLogic for your users and groups if you want.
    When you have multiple domains, you have a problem with this set-up, as the internal LDAP is coupled to
    a specific domain. This means that users you created in one domain are not visible in the other. When using
    a separate LDAP that contains the users, you can configure in each domain an authenticator that points
    to the LDAP. In this way you can share the users across multiple domains.
    When you are planning to use one domain, you can stick with the internal LDAP if you want.
    An example set-up (that uses Access Manager, not Identity Manager) can be found here: http://middlewaremagic.com/weblogic/?p=7819,
    which might help you in how to proceed.

  • OIM: Is there a way to control resource groups based on OIM Admin group

    Hi,
    I have a resource + target system where we provision users and groups. My requirement is to make the group assignment/de-assignment be based on the OIM user group of the admin. For example, admins from user group UG1 can provision certain groups to a given user, whereas they cannot add/delete other groups. Similarly, admins from another admin user group UG2 cannot add/delete resource groups to the same user.
    Have you come across such a requirement, and if so, could you please share how you implemented this?
    Thanks

    The easiest way to do it is often to use a resource object for the addition of groups, use request-based provisioning, and then include a test in the approval that checks if the raising user has the right to raise a request for that group. If not, just deny the request.
    Works well and is easy to implement, but may be considered a bit user-unfriendly, as it allows the admins to raise requests that are later auto-denied.
    Best regards
    -Martin

  • OIM User Groups - Export and Import

    Hi,
    I am looking for ideas for OIM user groups to be exported from one environment to another environment.
    I am using the following logic, but it is too slow. Any suggestions are welcome.
    1. Export the users' groups from the source environment - add them to a CSV file with the following format:
    User,Group_Name
    2. Import the users' groups by reading the CSV file - one user and one group at a time.
    I think this approach is slow. Is it possible to read all the users from groups - then add users into groups?
    Will it be faster?
    Regards
    Vijay Chinnasamy

    Hi Suren,
    Thanks for the note. I tested this (evaluating rules using updateUser())... It looks like it is working in my case.
    Actually, I am already using updateUser() to update the password using the code piece below. It looks like it added groups at that time.
    import java.util.HashMap;
    import java.util.Hashtable;
    import Thor.API.tcResultSet;
    import Thor.API.Operations.tcUserOperationsIntf;
    // uo is an already-obtained tcUserOperationsIntf; Users_User_ID and Users_Password are the input values
    String[] filteredColumnsSet = {"Users.Key", "Users.Row Version"};
    Hashtable mhSearchCriteria = new Hashtable();
    mhSearchCriteria.put("Users.User ID", Users_User_ID);
    // look the user up by login; only the key and row version are needed for the update
    tcResultSet moResultSet = uo.findUsersFiltered(mhSearchCriteria, filteredColumnsSet);
    HashMap userAttributeSet = new HashMap();
    userAttributeSet.put("Users.Password", Users_Password);
    // updateUser() also re-evaluates the group membership rules for this user
    uo.updateUser(moResultSet, userAttributeSet);
    I will do a few more checks and let you know.
    Thanks for the note once again.
    Regards
    Vijay Chinnasamy

  • OIM AD Group Object Classes

    Hello
    I need to add an additional object class to AD groups that are created from OIM. I am using OIM 9.1.0.2 and trying to update the lookup.ad.configuration ldapgroupobject class from "group" to "group | PosixGroup", and it looks like this is not taking. Does anyone know a good way to get the additional object class added when creating new groups in AD? Any help you can give would be appreciated.
    Nick

    Anyone able to help on this? I have opened a ticket but am not getting anything from them on it.
    Thanks for the help
    Nick

  • OIM-OES integration

    Hi all,
    Can anybody help me with integrating (OIM 11g and OES 11g) or (OAM 11g and OES 11g)? Please provide me the document that describes the integration steps.
    Thank you.

    Can you give more information on your use case? BTW, you should look at attending OES training; this will give you a good high-level picture as well as hands-on experience.
    Bye,
    Subbu Devulapalli
    My Blog: Authorization for the Real World (http://accessmanagement.wordpress.com/)
    Follow me on Twitter (https://twitter.com/#!/BloggerSubbu)

  • OES grouping resources

    Hi all,
    Is there any way to group resources?
    E.g. group the JSPs, EJBs and web services under one resource,
    so I can define an authorization policy for that particular resource, with no need to choose each EJB, JSP and web service.
    With Regards,
    Wai Phyo

    I think your problem might be simply that you don't have your resources modeled in OES at all!
    When you create an application and run it inside WebLogic, the OES Security Module automatically figures out the resource names based on where they are. You can think of a resource tree like you would a filesystem - EJBs go into one folder, URLs exposed by the app go in another folder, JMS queues and other resource types go into their own folders. The OES SM figures out the names of all of these resources for you automatically based upon what you called them when you created them.
    So there is no "mapping" from actual resources to "virtual" resources.
    Incidentally, "virtual" means something in OES, so I'd try to avoid that word.
    What you need to do is get your app resources into the OES resource tree so you can see them and write policies on them.
    There are two ways to do that - turn on discovery mode and access your application, OR turn up logging, access your application, and pull the resources out of the log files.
    I posted a quick blurb about discovery mode at http://fusionsecurity.blogspot.com/2010/01/oes-discovery-mode.html and there's a link to further documentation there too. This seems to be a common stumbling block for new OES users, so I'll probably wind up doing a more detailed blog post about it in the near future once the OpenWorld hubbub dies down. In the meantime, keep posting your questions here!

  • OIM- AD Groups Case sensitive comparing with OIM database

    Hi Guys,
    Managing groups via OIM connectors (Windows AD):
    Is there an issue when the group names on the target platform are in lowercase and we have the group names stored in all UPPERCASE?
    An example of a group name in AD is "DS_xpt_O"; we're going to store it in OIM as "DS_XPT_O".
    I am starting to use the OIM connectors to automate de-provisioning and provisioning; will this give me a match? Can I set something in the AD connector to ignore case?
    Leöncio,

    The LDAP commands are not case sensitive. I would suggest, though, that you use the LDAP group recon for AD to populate your lookups appropriately, so that you don't end up with blank values or mismatches when you open the child table of the user profile. If the values don't match what's in the lookup, you might see stuff displayed differently, but the values in the database are still correct.
    -Kevin

  • OIM User Group

    Hi,
    I have created a user group, say "Employee grp", where users belonging to this group cannot edit the user details (UDF fields), process form or child forms. Now there is a new requirement where the helpdesk user can change/reset only the password for other user accounts. Check the points below:
    1. A user can view his own user details, process form etc. and can edit any field.
    2. A user can view other users' details, process form etc. but cannot edit any field except the change password.
    In short, this new group has to enable only the "change password" button if the user accesses other users' details, and nothing else. Is it achievable???
    Thanks in advance
    Edited by: achiles on Oct 12, 2010 10:51 AM
    Edited by: achiles on Oct 12, 2010 10:58 AM

    It is possible. My approach is:
    You can create a UDF, say Change Password, with datatype boolean and field type checkbox in the Users Group form.
    Now when you create the HelpDesk group in the Admin console, you can select the checkbox and specify whether users in this group are allowed to change passwords or not.
    Create an adapter that checks whether the user is a member of the helpdesk group, and then checks whether he has permission to change the password only; if he is not allowed to change other info, you can show an error message to the user.

  • OIM-OID Connector: OID Group Recon Task and organizations

    Hi,
    I'm evaluating OIM and its OID Connector.
    We have groups in our existing OID. We thought that we could use the OID Connector's OID Group Recon Task to import those groups into OIM and make them groups in OIM.
    However, when we run the task, it appears to import our groups from OID as organizations, not as groups. It's not clear to me from the OID Connector documentation what exactly the OID Group Recon task is supposed to do. That's why we assumed it was an OOTB method for reconciling OID groups into OIM groups.
    What are we doing wrong? Why do we end up with our OID groups becoming OIM organizations after running the task?
    We are using version 9.4.11 of the OID Connector.
    Also, a side issue: how can we delete unwanted organizations from OIM? There's a delete option, but it just seems to mark the organizations as deleted; they are still there.
    Thanks
    Eric
    Edited by: PeachEye on 17/03/2010 11:49

    Hi,
    I am also facing a similar issue. I want to reconcile OID groups into the OIM User Groups menu item. Please suggest how to proceed.
    I ran the scheduled task OID Group Recon Task, but it throws an error:
    ERROR,12 Mar 2010 09:16:44,265,[XL_INTG.OID],OID:tcTskOIDGrouporRoleReconTask:performReconciliation():com.thortech.xl.integration.OID.util.tcUtilLDAPOperations:NamingException :Unable to search LDAP. Check the following values and try again: Base Search detail: cn=abc,ou=Q System1,dc=xoserve-apps,dc=com, filter expression is (&(objectClass=groupOfUniqueNames)(modifytimestamp>=19000101010001Z)), Attributes : DN, modifytimestamp, Organization Name, orclguid, cn,]
    ERROR,12 Mar 2010 09:16:44,281,[XL_INTG.OID],===================================
    I want to bring OID groups into OIM so that I can manage those OID groups from OIM. Is there any other way to do this? Do I have to make changes in the OID object class or in the OID field mappings? I have not made any changes in the Lookup OID configuration or Lookup Field Map parameters.
    Please help.

  • OIM: Manage Oracle Internet Directory Groups

    Hello,
    In the Oracle Identity Manager Web Administrative and User Console, there is an option to manage User Groups. I was wondering if it is possible with OIM to manage groups (objectclass groupOfUniqueNames) that are in Oracle Internet Directory, or is this option only to manage internal OIM user groups?
    Thanks in advance.

    Sagar, I was successful reconciling group lookups.
    Now I want to import the OID groups into OIM to be managed via the web administration console. For this, I'm running (I suppose that I'm right) the OID Group Recon Task. However, I'm always getting the following error:
    ------ DEBUG 16 Dez 2009 11:28:11,112 QuartzWorkerThread-1 XL_INTG.OID - com.thortech.xl.integration.OID.schedule.tasks.tcTskOIDGrouporRoleReconTaskgetITResourcePropValue()getITResourcePropValue() Group Reconciliation Time Stamp = 20091201121351z
    DEBUG 16 Dez 2009 11:28:11,112 QuartzWorkerThread-1 XL_INTG.OID - com.thortech.xl.integration.OID.schedule.tasks.tcTskOIDGrouporRoleReconTask : getITResourcePropValue():: FINISHED
    DEBUG 16 Dez 2009 11:28:11,112 QuartzWorkerThread-1 XL_INTG.OID - com.thortech.xl.integration.OID.schedule.tasks.tcTskOIDGrouporRoleReconTask : init():: STARTED
    DEBUG 16 Dez 2009 11:28:11,112 QuartzWorkerThread-1 XL_INTG.OID - com.thortech.xl.integration.OID.schedule.tasks.tcTskOIDGrouporRoleReconTask : execute():: STARTED
    DEBUG 16 Dez 2009 11:28:11,112 QuartzWorkerThread-1 XL_INTG.OID - com.thortech.xl.integration.OID.util.tcUtilLDAPOperations : tcUtilLDAPOperations():: STARTED
    DEBUG 16 Dez 2009 11:28:11,112 QuartzWorkerThread-1 XL_INTG.OID - Parameter Variables passed into com.thortech.xl.integration.OID.util.tcUtilLDAPOperations:tcUtilLDAPOperations(): Login Variables are:: are sServerName = 10.126.70.10, sPortNo = 3060, sPrincipalDN = cn=orcladmin, cn=Users,dc=ccfdev, dc=local, sProviderURL = ldap://10.126.70.10:3060,
    INFO 16 Dez 2009 11:28:11,112 QuartzWorkerThread-1 XL_INTG.OID - Parameter Variables passed into com.thortech.xl.integration.OID.util.tcUtilLDAPOperations:tcUtilLDAPOperations(): Login Variables are:: are sServerName = 10.126.70.10, sPortNo = 3060, sPrincipalDN = cn=orcladmin, cn=Users,dc=ccfdev, dc=local, sProviderURL = ldap://10.126.70.10:3060,
    DEBUG 16 Dez 2009 11:28:11,112 QuartzWorkerThread-1 XL_INTG.OID - Parameter Variables passed into com.thortech.xl.integration.OID.util.tcUtilLDAPOperations:tcUtilLDAPOperations(): Login Variables are:: for isSSLEnabled = false
    DEBUG 16 Dez 2009 11:28:11,112 QuartzWorkerThread-1 XL_INTG.OID - com.thortech.xl.integration.OID.util.tcUtilLDAPOperations : tcUtilLDAPOperations():: FINISHED
    DEBUG 16 Dez 2009 11:28:11,112 QuartzWorkerThread-1 XL_INTG.OID - OID:tcTskOIDGrouporRoleReconTask: execute()Start of Reconciliation.
    DEBUG 16 Dez 2009 11:28:11,112 QuartzWorkerThread-1 XL_INTG.OID - com.thortech.xl.integration.OID.schedule.tasks.tcTskOIDGrouporRoleReconTask : performReconciliation():: STARTED
    ERROR 16 Dez 2009 11:28:11,112 QuartzWorkerThread-1 XL_INTG.OID - ====================================================
    ERROR 16 Dez 2009 11:28:11,112 QuartzWorkerThread-1 XL_INTG.OID - OID:tcTskOIDGrouporRoleReconTask:performReconciliation():String index out of range: -1
    ERROR 16 Dez 2009 11:28:11,112 QuartzWorkerThread-1 XL_INTG.OID - ====================================================
    DEBUG 16 Dez 2009 11:28:11,112 QuartzWorkerThread-1 XL_INTG.OID - com.thortech.xl.integration.OID.util.tcUtilLDAPOperations : disconnectFromLDAP():: STARTED
    ERROR 16 Dez 2009 11:28:11,112 QuartzWorkerThread-1 XL_INTG.OID - ====================================================
    ERROR 16 Dez 2009 11:28:11,112 QuartzWorkerThread-1 XL_INTG.OID - com.thortech.xl.integration.OID.util.tcUtilLDAPOperations : disconnectFromLDAP() : : Unable to close LDAP Context. The context was probably not created, since it is null
    ERROR 16 Dez 2009 11:28:11,112 QuartzWorkerThread-1 XL_INTG.OID - ====================================================
    ERROR 16 Dez 2009 11:28:11,112 QuartzWorkerThread-1 XL_INTG.OID - ====================================================
    ERROR 16 Dez 2009 11:28:11,112 QuartzWorkerThread-1 XL_INTG.OID - Exception at the end in OID:tcTskOIDGrouporRoleReconciliation:processChange(): com.thortech.xl.integration.OID.util.tcUtilLDAPOperations: Unable to close LDAP Context. The context was probably not created, since it is null
    ERROR 16 Dez 2009 11:28:11,112 QuartzWorkerThread-1 XL_INTG.OID - ====================================================
    DEBUG 16 Dez 2009 11:28:11,112 QuartzWorkerThread-1 XL_INTG.OID - OID:tcTskOIDGrouporRoleReconTask: execute()End of Reconciliation.
    DEBUG 16 Dez 2009 11:28:11,112 QuartzWorkerThread-1 XL_INTG.OID - com.thortech.xl.integration.OID.schedule.tasks.tcTskOIDGrouporRoleReconTask : execute():: FINISHED ------
    Am I missing something? Any tips?
    Thanks in advance.

  • OIM 10g: Requests Track Doesn't show any requests status

    Hello,
    OIM 10g BP15:
    I've created a group "oim-admin-group" ("admuser" is a member of this group).
    I've assigned quite a few "Menu Items" access required for the "oim-admin-group" group, including:
    * Track Requests menu item
    Also, assigned "permissions" on all objects to this group.
    However, when "admuser" logs in and performs a search on Requests > Track > Search,
    he doesn't see any results, only the message:
    "Your search did not return any results. Try again. "
    I added "oim-admin-group" with "read" permissions to
    * Organization > Xellerate User > Administrative Group >
    * Organization > ABC (User's org) > Administrative Group >
    Also, in (with "read" permissions)
    * Resource > "Request" > Resource Administrators
    * Resource > "Xellerate users" > Resource Administrators
    * Resource > "Xellerate Organizations" > Resource Administrators
    However, "admuser" is still not able to track requests and sees the same response.
    Any suggestions?
    Thanks,

    Looks like the "Administrative queues" implementation should have been planned around design time. Then the requests could be assigned and managed by members of different roles (groups) with different access levels in OIM.
    However, in my current setup, all workflows follow this rule: 1) Route the request for manager approval; 2) After successful manager approval, route it for application group approval (2nd step of approval). Implementation of "Administrative queues" in this setup looks difficult to me.
    Any comment?
    Thanks,

  • User Creation in ORM from OIM

    Hi,
    I am trying to integrate ORM and OIM in order to do the role management and provisioning. In my environment I am able to move the roles from ORM over to OIM as groups.
    But when I create users in OIM, they do move over to ORM, but instead of getting created in the organization that I had chosen on the OIM side, they get created in the "Unassigned Organization" on ORM. Has anyone come across this issue? Please let me know what I need to do in order to fix this issue.
    Thanks&Regards
    Debi

    Go to Rule Designer and create a general rule like Role==Consultant.
    It can be anything.
    Go to Group > Manage > Select your group > Drop down > Select membership rule > Select the rule you created.

  • How to get the group key, which an approval task assign to

    Hi,
    When a user is assigned to an OIM group (i.e. from the User Detail >> Group Membership form), I will call an approval process (using an Access Policy).
    In that approval process, I have defined two tasks.
    1) Assign Approval to Group -> NOT conditional
    2) Remove OIM Group From User -> conditional
    So, from task 1), I will assign this approval to an OIM group.
    If the user clicks "Approve", a provisioning process will be fired.
    If the user clicks "Deny" (Reject), task 2) will be run.
    What I want is this:
    From task 2), I need to get the "OIM Approval group" key or name (which this approval is assigned to)......
    Note: I need to get this group info in the "Approval Process Task" -> "Integration" -> "Map"
    Regards,
    Chaturanga

    Hi,
    Yes. I have done that.
    Now what I want is this: if the approver clicks "Deny" (Reject) on the approval task, I will call another task in the approval process. From that task, I need to run code which removes the user from the OIM group.
    So, to do it, I have written Java code and created an adapter. As an input parameter for that code, I need to give the approval group name (i.e. the OIM group the above approval task is assigned to).
    How can I get the OIM approval group, which the person who denied the approval belongs to, from this new approval process task???
    Regards,
    Chaturanga

  • Best Approach to create LDAP structure in OID

    We are currently in the process of creating the LDAP schema and structure in OID 11g. This schema and structure in OID will then be used by Oracle products such as OIM, OES, OAM and others to perform user authentication, coarse-grained authorization, fine-grained authorization, attribute mappings, etc.
    I wanted to know if there are any best-practice approaches/guidelines we can use to define this schema and structure now, so we don't encounter obstacles and limitations while using OIM, OAM and OES.
    Will appreciate a quick response.
    Thanks!

    I understand that the LDAP structure design depends on the business goals and requirements, and we are definitely building the schema along those lines. But the thing we want to make sure of is how flexible products like OIM, OAM and OES are in providing user authentication (if the user is deep down in the tree), authorization (if the user needs to be authorized to services having attributes deep down in the tree), and mapping complex relationships and permissions in conjunction with OID.
    I think the other way of asking this question would be: what should we take into consideration while designing the LDAP structure in OID as the backend LDAP store, and what things should we leave out while designing the LDAP structure in OID that could instead be considered while designing the authentication and authorization process in OIM, OAM and OES?
    Our goal is to keep the LDAP structure simple and flexible, but at the same time use OAM, OES and OIM at their best capabilities to serve our purpose without a lot of customizations required.
    Thanks!
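Added example (not code from any of the posters): the "OIM User Groups - Export and Import" thread asks whether reading the User,Group_Name CSV per group instead of per row is faster, and the "AD Groups Case sensitive" thread asks whether "DS_xpt_O" matches "DS_XPT_O". This script groups a source export by group, compares it case-insensitively against a target export, and reports only the memberships the target is missing or has in excess, so the import loop runs once per group and does not re-add existing members. The CSV contents and user names are constructed sample data.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports in the User,Group_Name layout from the thread.
SOURCE_CSV = """User,Group_Name
jdoe,DS_XPT_O
asmith,DS_XPT_O
jdoe,HELPDESK
bliu,FINANCE
"""

# Constructed target export: the same groups, but written in lowercase by the target.
TARGET_CSV = """User,Group_Name
jdoe,ds_xpt_o
ckane,DS_XPT_O
bliu,finance
"""


def normalize_group(name):
    """Compare group names case-insensitively (LDAP group lookups ignore case,
    as the AD thread notes) and ignore surrounding whitespace."""
    return name.strip().upper()


def load_memberships(csv_text):
    """Parse a User,Group_Name export into {group: set(users)} so each group
    is handled once instead of one (user, group) row at a time."""
    memberships = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["User"].strip()
        group = normalize_group(row["Group_Name"])
        if user and group:
            memberships[group].add(user)
    return dict(memberships)


def membership_delta(source, target):
    """Per group, list the users to add to and remove from target so that its
    membership matches source. Groups already in sync are left out."""
    delta = {}
    for group in sorted(set(source) | set(target)):
        src_users = source.get(group, set())
        tgt_users = target.get(group, set())
        to_add = sorted(src_users - tgt_users)
        to_remove = sorted(tgt_users - src_users)
        if to_add or to_remove:
            delta[group] = {"add": to_add, "remove": to_remove}
    return delta


def plan_import(source_csv, target_csv):
    """Build the per-group change plan from the two exports."""
    return membership_delta(load_memberships(source_csv), load_memberships(target_csv))


if __name__ == "__main__":
    for group, changes in plan_import(SOURCE_CSV, TARGET_CSV).items():
        print(group, "add:", changes["add"], "remove:", changes["remove"])
```

The "remove" list is only reported; whether stale memberships in the target should actually be revoked is a decision for the administrator, not the import script.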
