Friday, December 21, 2012

OIM 11g: Read Access Policy Data

Hi,

Below is a sample I wrote to read the data of the access policies that were modified today. For each such policy it prints the role that triggers the policy and the groups the policy provisions to the user's account on the target resource (Oracle Internet Directory in my case). The code goes through the OIM 9.x (`tcUtilityFactory`) APIs because 11g does not expose an API for reading access-policy data. Note that the sample logs in as xelsysadm, the OIM system administrator: keep those credentials out of source control, and prefer a `t3s://` (TLS) provider URL so the password is not sent over the wire in clear text.

package sample;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.Set;
import com.ibm.keymanager.logic.e;
import com.thortech.xl.vo.AccessPolicyResourceData;
import com.thortech.xl.vo.PolicyChildTableRecord;
import Thor.API.tcResultSet;
import Thor.API.tcUtilityFactory;
import Thor.API.Operations.tcAccessPolicyOperationsIntf;
import Thor.API.Operations.tcFormDefinitionOperationsIntf;
import oracle.iam.accesspolicy.vo.PolicyObjectDetails;
import oracle.iam.platform.OIMClient;
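/**
 * Console sample: for every access policy whose "Access Policies.Update Date" equals today's
 * date (formatted yyyy-MM-dd), prints the role(s) that trigger the policy and the group names
 * the policy provisions on the target resource, read from the child-table column
 * {@code UD_OID_GRP_GROUP_NAME} (an Oracle Internet Directory connector form in the author's case).
 *
 * <p>Data access goes through the legacy 9.x {@code tcUtilityFactory} API; the post states that
 * 11g offers no API for access-policy data.
 *
 * <p>Connection settings are read from system properties so that nothing sensitive is baked
 * into the source (the original sample hard-coded two different xelsysadm passwords):
 * {@code oim.url}, {@code oim.authconf}, {@code oim.username}; the password comes from
 * {@code oim.password}, the {@code OIM_PASSWORD} environment variable or a console prompt
 * (see {@link #readPassword}). Prefer the environment variable or the prompt — a
 * {@code -Doim.password} argument is visible in process listings. Use a {@code t3s://} URL
 * where the server supports it; plain {@code t3://} sends the credentials unencrypted. The
 * default account, xelsysadm, is the OIM system administrator; a read-only report like this
 * could run as a less privileged administrator.
 *
 * <p>NOTE(review): the file-level imports {@code com.ibm.keymanager.logic.e} (looks like an
 * IDE auto-import) and {@code oracle.iam.accesspolicy.vo.PolicyObjectDetails} are unused and
 * should be removed — the first one alone breaks compilation wherever that jar is absent.
 */
public class fetchAccessPolicyData {
  /** Provider URL; override with {@code -Doim.url=t3s://host:port}. */
  private static final String OIM_URL = System.getProperty("oim.url", "t3://oimhost:oimport");
  /** JAAS login configuration shipped with the Design Console. */
  private static final String AUTH_CONF =
      System.getProperty("oim.authconf", "C:/designconsole/config/authwl.conf");
  /** Account used for both logins below; defaults to the OIM system administrator. */
  private static final String OIM_USERNAME = System.getProperty("oim.username", "xelsysadm");
  /** Child-table column holding the target group DN on the OID user form. */
  private static final String GROUP_DN_COLUMN = "UD_OID_GRP_GROUP_NAME";

  private static OIMClient oimClient = null;
  final Hashtable<String, String> env = new Hashtable<String, String>();
  public tcAccessPolicyOperationsIntf moAccesspolicyutility;
  /** Password resolved once in the constructor and reused for the tcUtilityFactory login. */
  private final String password;

  /**
   * Resolves the credentials, configures the WebLogic JNDI environment and logs in to OIM.
   *
   * @throws IllegalStateException when no password can be found or the login fails. The
   *     original swallowed the login failure and carried on with a half-initialised object.
   */
  public fetchAccessPolicyData() {
    password = readPassword(OIM_USERNAME);
    env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, "weblogic.jndi.WLInitialContextFactory");
    env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, OIM_URL);
    System.setProperty("java.security.auth.login.config", AUTH_CONF);
    System.setProperty("OIM.AppServerType", "wls");
    System.setProperty("APPSERVER_TYPE", "wls");
    try {
      oimClient = new OIMClient(env);
      oimClient.login(OIM_USERNAME, password.toCharArray());
    } catch (Exception e) {
      throw new IllegalStateException(
          "OIM login to " + OIM_URL + " failed for user " + OIM_USERNAME, e);
    }
    // NOTE(review): oimClient is not used by getData(), which logs in again through
    // tcUtilityFactory with the same credentials; one of the two logins is presumably
    // redundant — confirm before removing either.
  }

  /**
   * Password lookup order: {@code -Doim.password}, then {@code $OIM_PASSWORD}, then an
   * interactive prompt when a console is attached. There is deliberately no default.
   *
   * @param user account name, shown in the prompt only
   * @return the password, never null or empty
   * @throws IllegalStateException when none of the sources yields a password
   */
  private static String readPassword(String user) {
    String pw = System.getProperty("oim.password");
    if (pw == null || pw.isEmpty()) {
      pw = System.getenv("OIM_PASSWORD");
    }
    if ((pw == null || pw.isEmpty()) && System.console() != null) {
      char[] typed = System.console().readPassword("OIM password for %s: ", user);
      pw = typed == null ? null : new String(typed);
    }
    if (pw == null || pw.isEmpty()) {
      throw new IllegalStateException(
          "No OIM password: set -Doim.password, the OIM_PASSWORD environment variable, "
              + "or run from an interactive console");
    }
    return pw;
  }

  /**
   * Finds the retrofit-enabled access policies, keeps those updated today and prints their
   * triggering roles and provisioned target groups to standard output.
   *
   * @throws IllegalStateException wrapping any Thor API failure (the original only printed it)
   */
  public void getData() {
    try {
      tcUtilityFactory factory = new tcUtilityFactory(env, OIM_USERNAME, password);
      moAccesspolicyutility = (tcAccessPolicyOperationsIntf)
          factory.getUtility("Thor.API.Operations.tcAccessPolicyOperationsIntf");
      // The original also looked up tcFormDefinitionOperationsIntf but never used it.

      HashMap<String, Object> filter = new HashMap<String, Object>();
      // Only policies with the retrofit flag set are returned — same filter as the original.
      filter.put("Access Policies.Retrofit Flag", 1);
      tcResultSet policies = moAccesspolicyutility.findAccessPolicies(filter);

      String today = new SimpleDateFormat("yyyy-MM-dd").format(new Date());
      System.out.println("Current Date: " + today);

      for (int row = 0; row < policies.getTotalRowCount(); row++) {
        policies.goToRow(row);
        String updated = policies.getStringValue("Access Policies.Update Date");
        // Plain string comparison: this only matches when OIM returns the column in exactly
        // yyyy-MM-dd form; if it carries a time component nothing will ever match — TODO confirm.
        if (!today.equals(updated)) {
          continue;
        }
        System.out.println("Access Policy Name :" + policies.getStringValue("Access Policies.Name"));
        System.out.println("Access Policies.Update Date :" + updated);
        dumpPolicy(policies.getLongValue("Access Policies.Key"));
      }
    } catch (Exception e) {
      throw new IllegalStateException("Reading access policy data failed", e);
    }
  }

  /**
   * Prints the role(s) that trigger one policy, then, for each resource/form the policy
   * provisions, the group values of its child table.
   *
   * <p>The original fetched the roles once per form row and re-printed the child groups once
   * per role, duplicating output for policies with several roles or resources; here roles are
   * printed once per policy and child groups once per form row.
   *
   * @param policyKey value of "Access Policies.Key"
   * @throws Exception the Thor API throws several checked tcAPIException subtypes; the caller
   *     wraps them
   */
  private void dumpPolicy(long policyKey) throws Exception {
    // "Groups.Group Name" is the role whose membership triggers the policy.
    tcResultSet roles = moAccesspolicyutility.getAssignedGroups(policyKey);
    for (int r = 0; r < roles.getTotalRowCount(); r++) {
      roles.goToRow(r);
      System.out.println(roles.getStringValue("Groups.Group Name") + ",");
    }

    tcResultSet forms = moAccesspolicyutility.getDataSpecifiedFor(policyKey);
    for (int f = 0; f < forms.getTotalRowCount(); f++) {
      forms.goToRow(f);
      long formKey = forms.getLongValue("Structure Utility.Key");
      long objectKey = forms.getLongValue("Objects.Key");
      AccessPolicyResourceData data =
          moAccesspolicyutility.getDataSpecifiedForObject(policyKey, objectKey, formKey);
      printChildGroups(data);
    }
  }

  /**
   * Prints the leading-RDN value of every {@code UD_OID_GRP_GROUP_NAME} child-table record,
   * one per line, terminated by ';' (same format as the original).
   *
   * <p>Records without that column (other resource types) or with a value that is not a DN are
   * skipped instead of failing with NullPointerException / ArrayIndexOutOfBoundsException.
   *
   * @param data policy data for one resource/form pair
   */
  private static void printChildGroups(AccessPolicyResourceData data) {
    HashMap childTables = data.getChildTables();
    if (childTables == null) {
      return;
    }
    for (Object tableKey : childTables.keySet()) {
      PolicyChildTableRecord[] records = data.getChildTableRecords(tableKey.toString());
      if (records == null) {
        continue;
      }
      for (PolicyChildTableRecord record : records) {
        String groupName = firstRdnValue(record.getValue(GROUP_DN_COLUMN));
        if (groupName != null) {
          // This is the group the target (OID) account will be added to.
          System.out.println(groupName + ";");
        }
      }
    }
  }

  /**
   * Value of the leading RDN of a DN, e.g. {@code "Admins"} for
   * {@code cn=Admins,cn=Groups,cn=OracleContext}.
   *
   * <p>Naive split on the first ',' and '=': escaped separators (RFC 4514) are not handled,
   * which matches the original's behaviour.
   *
   * @param dn distinguished name, may be null
   * @return the RDN value, or null when {@code dn} is null or its first RDN has no '='
   */
  static String firstRdnValue(String dn) {
    if (dn == null) {
      return null;
    }
    String rdn = dn.split(",", 2)[0];
    int eq = rdn.indexOf('=');
    return eq < 0 ? null : rdn.substring(eq + 1);
  }
}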
References:
http://docs.oracle.com/cd/E17904_01/apirefs.1111/e17334/Thor/API/Operations/tcAccessPolicyOperationsIntf.html
http://docs.oracle.com/cd/E27559_01/apirefs.1112/e28159/com/thortech/xl/vo/AccessPolicyResourceData.html


Thanks

Creating Another OID Account With Superuser Privileges

Hi,

If you want to create a user that has the same privileges as the superuser cn=orcladmin, you need to add the user account to the privileged groups listed below. The authoritative list for your own deployment is the directory itself — search for entries with `uniquemember=cn=orcladmin` (the set varies with the products installed and the realm) — or you can use the list below. Keep in mind that the resulting account is as powerful as orcladmin: give it a strong password, restrict who may use it and audit its use, just as you would for orcladmin itself.

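# Adds one account to every privileged group that cn=orcladmin belongs to.
# Replace each "<>" with the DN of the account before running ldapmodify.
# A record fails with "value already exists" if the account is already a member.

dn: cn=OracleDBCreators,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleNetAdmins,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleContextAdmins,cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleDomainAdmins,cn=OracleDefaultDomain,cn=OracleDBSecurity,cn=Products,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleDBAQUsers, cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=iASAdmins, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=authenticationServices, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=verifierServices, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=UserProxyPrivilege, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleDASAdminGroup, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleDASUserPriv, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleDASConfiguration, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleDASGroupPriv, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleDASCreateUser, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleDASDeleteUser, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleDASEditUser, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleDASCreateGroup, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleDASDeleteGroup, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleDASEditGroup, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=oraclemanageextendedpreferences, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleResourceAccessGroup, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=ComputerAdmins, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=EmailAdminsGroup,cn=EMailServerContainer,cn=Products,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=UMAdminsGroup,cn=UMContainer,cn=Products,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleDASServiceAdminGroup, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=OracleDASAccountAdminGroup, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=ASPAdmins, cn=groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=IAS & User Mgmt Application Admins, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=Trusted Applications Admins, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=Common User Attributes, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=Common Group Attributes, cn=Groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=PKIAdmins,cn=groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


dn: cn=CRLAdmins,cn=groups,cn=OracleContext
changetype: modify
add: uniquemember
uniquemember: <>


# Site-specific entry: unlike the groups above it lives under a realm, not under
# cn=OracleContext, and the original listing carried the author's own realm DN
# (and a "ccn=" typo that ldapmodify would reject). Substitute your realm DN and
# include this record only if your own "uniquemember=cn=orcladmin" search returns it.
dn: cn=OCS_PORTAL_USERS, cn=groups,<your realm DN>
changetype: modify
add: uniquemember
uniquemember: <>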



Replace each `<>` with the DN of your user account, save the entries in an LDIF file and run `ldapmodify` against it to give the account superuser-like privileges. If the account already belongs to one of these groups, `ldapmodify` rejects that record because the value already exists; either remove the record or run `ldapmodify` with its continue-on-error option (`-c`) so that the remaining records are still applied.

Note: if the account should also be able to modify the schema (object classes and attributes) and the security settings of Oracle Internet Directory, add it to the following group as well. Note that this group uses the `member` attribute rather than `uniquemember`.

# Schema and security administration group; this one takes "member", not "uniquemember".
dn: cn=DirectoryAdminGroup,cn=oracle internet directory
changetype: modify
add: member
member: <>


References:

http://docs.oracle.com/cd/E12839_01/oid.1111/e10029/oid_susers.htm#CIHDCHHI

Thanks