Regarding Authorization policy and Roles in OIM 11g

Hi,
In the OIM 11g Admin interface, is there a way to find out what all authorization policies a role has been assigned to?
I am asking this because, if you search for a user, you will know what all roles he is a member of, and similarly if you search for a role, you will know who all users are members of that role.
Similarly, if you search for an Authorization policy, you will know what roles are assigned to this policy. But if I search for a role, I am not able to find what all authorization policies have been assigned to this role.
Looking forward to hearing from you,
Many thanks in advance

I understand your concern. But, this feature has not been available
--nayan                                                                                                                                                                                   
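
A role-to-policy view can be built outside the UI from the policy-to-role data that the policy search does show. The script below is an added example, not part of the original thread and not OIM code; it assumes the assignments were transcribed by hand into the constructed `POLICIES` list (all policy and role names there are sample values), and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data: one record per authorization policy, transcribed
# from what the policy search shows (policy -> assigned roles). Not OIM output.
POLICIES = [
    {"name": "UDF policy", "entity": "User Management",
     "permissions": ["Modify User Profile", "View User Profile"],
     "roles": ["All Users"]},
    {"name": "X Role Authz Policy", "entity": "Role Management",
     "permissions": ["Modify Role Membership", "Search for Role",
                     "View Role Detail", "View Role Membership"],
     "roles": ["X"]},
    {"name": "Helpdesk policy", "entity": "User Management",
     "permissions": ["View User Profile"],
     "roles": ["X", "Identity User Administrators"]},
]


def policies_by_role(policies):
    """Invert policy -> roles into role -> [(policy, entity, permissions)]."""
    index = defaultdict(list)
    for p in policies:
        for role in p["roles"]:
            # strip() only tolerates stray spaces in hand-typed role names
            index[role.strip()].append(
                (p["name"], p["entity"], tuple(p["permissions"])))
    return index


def report(role, policies):
    """Policies a role is assigned to, plus the union of permissions granted."""
    entries = policies_by_role(policies).get(role.strip(), [])
    granted = sorted({(entity, perm)
                      for _, entity, perms in entries for perm in perms})
    return {"policies": sorted(name for name, _, _ in entries),
            "permissions": granted}


def roles_with(permission, policies):
    """Roles that receive a given permission through any policy."""
    return sorted(role for role, entries in policies_by_role(policies).items()
                  if any(permission in perms for _, _, perms in entries))


if __name__ == "__main__":
    for role in ("X", "All Users", "Unused Role"):
        print(role, report(role, POLICIES))
    print(roles_with("Modify User Profile", POLICIES))
```

A role that returns empty lists is assigned to no recorded policy, which is worth confirming against the UI before the role is removed or reused.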

Similar Messages

  • Authorization Object And Roles For  Functional Consultant

    Dear Expert,
    What kind of respective Authorization Object And Roles would be provided to Functional Consultant (FI, MM, SD, PM, PS, CO, HR) at the time of implementation?
    Thanx in advance
    Pavel

    Thanks Juan,
    We now already have it here and in the NW IDM forum a few times as well...
    Cheers,
    Julius

  • Custom OWSM Authorization Policy Not Visible in OSB 11g

    I am trying to configure custom OWSM authorization policies to grant web service access in OSB to userids associated with custom WebLogic groups. Both OSB and SOA are version 11.1.1.5 with an Oracle Enterprise 11g database backend. To help rule out some possible operational errors, here are things that ARE working with the combination of SOA and OSB services:
    * the underlying SOA service functions in the /em console test page
    * the OSB proxy service works from the /sbconsole test page with OWSM oracle/wss_username_token_policy enabled
    * the oracle/log_policy can be added to the OSB business service and generates log entries
    * the outer proxy service can be successfully invoked from a remote client with no security policies,
    with HTTP transport security and authorization policies and with OWSM authentication policies
    attached (given the correct request payloads)
    These findings would appear to rule out connection errors from the OSB engine to the jdbc/mds/owsm DataSource or proper startup of the "OWSM Policy Support in OSB Initializer Application" service within WebLogic. (By the way, that deploys with a typo in its registered name -- "Aplication" with a single p.)
    Here are the steps that were performed:
    1) created group myfirmIdentityData in WebLogic console (/console)
    2) created userid myappuser in WebLogic console
    3) added myappuser to the myfirmIdentityData group in WebLogic console
    4) cloned the oracle/component_authorization_permitall Security policy to myfirm/authorize_IdentityData
    using the Fusion console (/em on the SOA domain)
    5) edited myfirm/authorize_IdentityData to add the "role" myfirmIdentityGroup to the
    list of permitted roles (***)
    *** note -- "roles" referenced within the OWSM policy configuration dialogs actually correspond to "groups" at the WebLogic Server level. A bit confusing at first but harmless.
    6) accessed the SOA service in the Fusion console (/em), clicked on the Policies tab and verified
    the myfirm/authorize_IdentityData policy is available for application to the SOA service (BUT DID
    NOT ATTACH IT HERE -- I'm trying to attach it at the "outer" layer in OSB, not SOA Suite)
    7) accessed the Service Bus console (/sbconsole), started a change session, selected the
    proxy service, then clicked on the Policies tab, then clicked the Add button in the
    Service Level Policies section
    At that point, the only services listed are the factory supplied oracle/********* policies. There are two pages listed and flipping between the two doesn't show any other policies other than the oracle/***** policies.
    I even tried stopping and starting the domain thinking maybe OSB caches all of the OWSM policies at startup rather than querying the mds_owsm schema dynamically to no avail. No myfirm/****** policies are displayed after a domain restart.
    Any insight?
    Thanks.

    Once again, I wound up opening a Support Request with the TAC for direction on this issue. The policies were not appearing for assignment to OSB proxy / business services because they were being created against the wrong type of object within OWSM.
    In a nutshell, policies in OWSM can be created to be applied against:
    * Components --- only usable against SOA services
    * Service Endpoints --- against URLs used as access points into services
    * Service Clients -- against consumers of services as identified by credentials
    * All -- all of the above
    However, policies built against Components can only be applied to SOA composite services. When I cloned the existing oracle/component_authorization_permitall Security policy to myfirm/authorize_IdentityData policy then limited it to the myfirmIdentityGroup group, that policy would only be assignable to SOA composites since it applied to only Components.
    To allow the group based authorization policy to be enforced in the outer OSB tier, the oracle/binding_authorization_permitall_policy was cloned to myfirm/authorize_IdentityGroup. That policy was defined to apply to endpoints and once saved, appeared in the GUI of the Service Bus console to assign to the proxy service for the service being implemented. A second component policy named myfirm/componentauthorize_IdentityGroup was cloned from oracle/component_authorize_permitall_policy to perform the group authorization at the SOA layer.
    A different issue is being encountered configuring the OSB business service to forward the OWSM headers from the outer proxy service to the SOA service so the authorization succeeds at the inner layer but that's a different problem. With the SOA layer authorization policy disabled, client tests to the proxy service function correctly with a userid in the myfirmIdentityGroup group and generate an authorization failure when another client credential is used that does not belong to myfirmIdentityGroup.

  • Allowed set of characters for user name and password in OIM 11g

    Hi,
    Can anyone provide us quickly what are the characters (nos., alphabets, special symbols) that are supported for the username and password fields in OIM 11.1.1.5?
    Thanks,
    Karthik

    Read it, it is general for OIM 11g
    http://docs.oracle.com/cd/E14571_01/relnotes.1111/e10132/oim.htm#CHDFFDGH

  • Customize the look and feel of OIM 11g R2 self-service page

    Hi All,
    we need to customize the self service UI as per the styles used by client, for eg the background colors, fonts, tab colors, fontcolor etc, I tried doing by configuring skin but the docs say place it in admin.war and cannot find admin.war anywhere.
    Can anyone please help me out? Where to place the trinidad files and my custom css. Also, what will be the high level style classes that I need to override.
    Thanks

    Refer to section 30.3 "Skin Customization in Oracle Identity Manager" in the OIM 11g R2 Developer guide.
    HTH

  • Create AD account by adding a Role in oim 11g R2

    Hi everyone,
    When I add a role to a user in OIM, the AD account of this user is created in the AD machine after 10 minutes.
    Why does this delay occur and how can I solve it?
    Thanks.
    Best regards.

    Check the frequency of "Evaluate User Policies" Sch task. It should be 10 minutes.
    Change it to 2-3 minutes.

  • Reassign the task one of the user from part of Role in OIM 11g

    I was looking for any possibility here for one of the requirements.
    One Task is assigned to one user and while reassigning the task, I would like to see only those users who belong to one particular Role.
    Currently I am able to see all the users present in OIM.
    Any idea/suggestion?

    OIM allows searching of users at Organization level only, not at role level. We'll have to wait for the next release.

  • Inconsistency between UI OIM and User.xml oim 11g r1

    I have a big problem: when I try to create a new attribute, this is not possible.
    If I try to modify an attribute the error is:
    [2013-05-02T19:37:12.011-05:00] [oim_server1] [ERROR] [] [XELLERATE.DATABASE] [tid: [ACTIVE].ExecuteThread: '15' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: e48b78a1878c940d:274cca72:13e66ef11b6:-8000-000000000000353c,0] [APP: oim#11.1.1.3.0] Class/Method: tcDataBase/writeStatement encounter some problems: ORA-00904: : invalid identifier[[
    java.sql.SQLSyntaxErrorException: ORA-00904: : invalid identifier
         at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:457)
         at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:405)
         at oracle.jdbc.driver.T4C8Oall.processError(T4C8Oall.java:889)
         at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:476)
         at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:204)
         at oracle.jdbc.driver.T4C8Oall.doOALL(T4C8Oall.java:540)
         at oracle.jdbc.driver.T4CStatement.doOall8(T4CStatement.java:202)
         at oracle.jdbc.driver.T4CStatement.executeForRows(T4CStatement.java:1074)
         at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStatement.java:1466)
         at oracle.jdbc.driver.OracleStatement.executeUpdateInternal(OracleStatement.java:2123)
    In the user.xml the data is inconsistent with the data shown in the UI OIM; I see data that I don't see in the UI OIM.
    For example: in UI OIM I see that an attribute is created in category x, and I can't change the category of the attribute, so when I export the user.xml I see that the attribute is in another category.
    Any idea?

    Go through each of the attributes in your exported User metadata and make sure the length of the fields are same in the UI tag and the MDS tag in the file. Also make sure that all the UDF which you have in USR are present in SDC and there are no duplicates.
    Before this exception, there might be another exception which is thrown from the database layer. Enable logging for XELLERATE.DATABASE and monitor the logs of the queries being fired.
    -Bikash

  • Authorization policy by roles

    I have a set of admins who have a Role called App Admins. Is it possible to set it up so that only App Admins are allowed to edit users with the role App Users?
    Thanks

    Is it possible to put in some kind of validation which calls an adapter to check if the admin who is modifying does have access to modify?
    Thanks

  • OIM 11g R1 - Container for Roles

    Hi,
    Is it possible to create a container for roles?
    For Example:
    Container1: RoleA, RoleB, RoleC
    Container2: RoleV, RoleY, RoleZ
    The reason is, I want to create authorization policies which allow the user to assign special roles. The problem is that a lot of roles will be added during the operation. This means, if a new role is created, I have to edit the authorization policy.
    The best way is, I assign a Role-Container to the authorization policy. If I create a new role, I add the role to the special container.
    Is this possible in OIM 11g R1?
    Edited by: 960944 on Apr 3, 2013 5:18 AM

    Yes, you can do that using authorization policy.
    Try this:
    Create a Role called 'X'
    Create an Authorization Policy of Role Management Entity Type called 'X Role Authz Policy' and under the Permission tab:
    Grant Modify Role Membership, Search for Role, View Role Detail and View Role Membership
    Under Data Constraints: Add all the roles that a user can self assign except SYS ADMIN role.
    Under Assignment: Add Role 'X'
    Save and apply to test it.
    You can have a look at the default Role Management All Users Policy for reference.
    Regards,
    Sunny

  • OIM 11g support for Temporary roles with expiration date

    Dear All,
    Is there a support provided for temporary roles in OIM 11g?
    If not, what is the recommendation as for implementation?
    Kind regards
    Maria Adair

    I'm also interested if someone has any recommendation as for how to implement such a feature. Anyone has any ideas?

  • OIM 11g Roles/Groups

    Dear All,
    I noticed that 11g version has the ability for end-user to request Roles. What is the difference between Role and Group in OIM 11g?

    In 11g the new definition of an OIM Group = Role.
    -Kevin

  • How to obtain Role name in OIM 11g using API's

    Hello,
    I have a scenario in which I create a Role/Group in OIM 11g & it gets provisioned in AD [=works fine] & the other part is when I delete the role in OIM 11g then it should
    get deleted from AD. I have written a postprocess event handler to achieve this.
    In the role creation part I get all parameters using "orchestration.getParameters();", but when I delete the role then "orchestration.getParameters();" is empty, so I am
    not able to get the role name.
    Is there a way to get the role name while deleting roles using the API?
    Thanks,
    Rahul Shah

    Hi Raghav,
    Following is my code:
    tcRODetails = orgOpInterface.getObjects(organizationKey);
    for (int i = 0; i < tcRODetails.getRowCount(); i++) {
        tcRODetails.goToRow(i);
        String status = tcRODetails.getStringValue("Objects.Object Status.Status");
        // resourceName=AD Group
        // Parentheses added: && binds tighter than ||, so without them an "Enabled"
        // object of any other resource would also match.
        if (resourceName.equalsIgnoreCase(tcRODetails.getStringValue("Objects.Name"))
                && (status.equalsIgnoreCase("Provisioned") || status.equalsIgnoreCase("Enabled"))) {
            System.out.println("<<<FOUND>>>");
            processKey = tcRODetails.getLongValue("Process Instance.Key");
            provisionObjectKey = tcRODetails.getLongValue("Objects.Key");
            tcProcessSet = oimFormUtility.getProcessFormData(processKey);
            // Look for the process form row that carries the group being deleted
            for (int j = 0; j < tcProcessSet.getRowCount(); j++) {
                tcProcessSet.goToRow(j);
                if (grpName.equalsIgnoreCase(tcProcessSet.getStringValue("UD_ADGRP_NAME"))) {
                    System.out.println("MATCH FOUND!!!!!");
                    orgOpInterface.removeObjectAllowed(organizationKey, provisionObjectKey);
                    break;
                }
            }
        }
    }
    & I get the following error:
    <Mar 22, 2012 1:54:43 PM IST> <Error> <XELLERATE.APIS> <BEA-000000> <Class/Method: tcOrganizationOperationsBean/removeObjectAllowed encounter some problems: Object with key=7 is not already set as an allowed object for Organization with key=1>
    Thanks
    Rahul Shah

  • OIM 11g R2 - Creating a new role using API

    Hi,
    I am trying to create a new role in OIM 11g R2 using the RoleManager API. The requirement is to provide the "Role Owner" also while creating the role. May I know how to do that? Thanks in advance.

    HashMap<String, String> groupMap = new HashMap<String, String>();
    groupMap.put("Groups.Group Name", groupName);
    groupMap.put("Groups.Role Description", "Just for testing");
    long groupKey = -1L;
    try {
        groupKey = goi.createGroup(groupMap);
        logger.info("RESULT: Group with group_key '" + groupKey
                + "' has been successfully created");
    } catch (tcAPIException e) {
        logger.info("Creating client...." + e);
    } catch (tcDuplicateGroupException ex) {
        // Group already exists: return the key of the existing group
        return getGroupKey(goi, groupName);
        //logger.info(""+ex.toString());
    } catch (tcInvalidAttributeException er) {
        logger.info("" + er.toString());
    }
    I hope this really helps you,
    Thiago Leoncio.
    (Blog: thiagoleoncio)

  • Custom User Attributes not visible on user profile in OIM 11g

    Hi,
    I have created a custom attribute in OIM 11g. I am not able to view the attribute after I create a User in OIM.
    Please help me in solving my issue.
    Thanks
    srikanth

    It's a very basic thing. Just try creating an Authorization Policy and you would know how to do it. For your reference I am also pasting the excerpt from the same Metalink Article
    After creating the UDF, please follow the below steps to make the UDF visible for modification by an admin user:
    1. Navigate to create a new 'Authorization Policy' as below:
    a. Login to UI and click on Administration
    b. On the top left you will see the Authorization Policy tab
    c. Now click on Create Authorization Policy
    2. Please use the below information to create the Authorization Policy
    a. Name: UDF policy
    b. Entity Name: User Management
    c. Permissions:
    i. Modify User Profile
    ii. View User Profile
    Please make sure that the UDF is selected in the attributes for these permissions.
    d. Data Constraints: All Users
    e. Policy assignment: All Users
    3. Create a user called 'useradmin' and add the below 2 roles:
    a. All Users (This is default)
    b. Identity User Administrators (This will provide the administrative tab to this user so that he can administer other users)
    4. Create another end user called 'testuser1', populating the necessary fields.
    5. Now login as 'useradmin'
    6. Search for a user called 'testuser1' and open the user.
