Hi All,
The requirement for the code you see below came from my client, who, while learning to create access policies, asked me the following question:
In OIM, you cannot add multiple groups to an Access Policy in a single iteration, but you can remove multiple groups. What is the rationale behind this?
Well, I couldn't agree more with him, and I had no answer for him. Before he could raise another question, or think of asking me to modify the OIM UI to provide the capability to add multiple groups to an Access Policy, I told him that I could create a Bulk Data Load Utility that can be used for loading groups in bulk into access policies. Below is the code for that:
package security.provisioning;
import java.io.BufferedReader;
import java.io.FileReader;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import com.thortech.xl.vo.AccessPolicyResourceData;
import com.thortech.xl.vo.PolicyChildTableRecord;
import Thor.API.tcResultSet;
import Thor.API.Operations.tcAccessPolicyOperationsIntf;
import oracle.iam.identity.rolemgmt.api.RoleManager;
import oracle.iam.identity.rolemgmt.api.RoleManagerConstants.RoleAttributeName;
import oracle.iam.identity.rolemgmt.vo.Role;
import oracle.iam.platform.Platform;
import oracle.iam.platform.entitymgr.vo.SearchCriteria;
import oracle.iam.scheduler.vo.TaskSupport;
import com.thortech.util.logging.Logger;
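/**
 * OIM scheduled task that bulk-loads a role and a list of OID groups into
 * existing Access Policies from a delimited text file.
 *
 * <p>Input file format: the first line is a header and is skipped. Every other
 * line is one record of three fields separated by the "Field Delimiter" task
 * parameter: {@code <policy name>, <role name>, <group list>}, where the group
 * list is split on the "List Delimiter" parameter. Lines starting with '#' and
 * blank lines are ignored. Records that do not have exactly three fields are
 * logged as INVALID RECORD and skipped.
 *
 * <p>Operational notes:
 * <ul>
 *   <li>The file path and both delimiters come from scheduled-task parameters,
 *       i.e. from an OIM administrator. The records are authorization data
 *       (which groups a policy grants), so the file should be reviewed before
 *       loading and the INVALID RECORD / FAILED RECORD log lines checked
 *       afterwards.</li>
 *   <li>The load is not transactional: each record is applied independently and
 *       a failed record does not roll back earlier ones. A summary with loaded,
 *       failed and skipped counts is logged at the end of the run.</li>
 *   <li>Both delimiters are treated as regular expressions by
 *       {@link String#split(String)}; a literal "|" must be configured as
 *       "\\|".</li>
 *   <li>The object, form and child-table keys and the group DN suffix are
 *       hard-coded for one OID resource in one environment; adjust them before
 *       deploying elsewhere. The access policy must already exist.</li>
 * </ul>
 */
public class InitialAccessPolicyLoad extends TaskSupport {
    // Kept for compatibility; neither field is used by this class.
    HashMap<String, List<String>> mapping = new HashMap<String, List<String>>();
    tcAccessPolicyOperationsIntf moAccesspolicyutility = null;

    private static final Logger logger = Logger.getLogger("SECURITY.EVENTS");
    private static final String CLASS_NAME = "security.provisioning.InitialAccessPolicyLoad : ";

    // Environment-specific identifiers of the OID User resource object, its
    // process form and the UD_OID_GRP child table.
    private static final long formKey = 25;
    private static final long objectKey = 24;
    private static final String tableKey = "22";
    private static final String objName = "OID User";
    private static final String fName = "UD_OID_USR";
    // The child-table value is built as prefix + bare group name + suffix.
    private static final String groupPrefix = "41~cn=";
    private static final String groupSuffix = ",cn=Groups,dc=sample,dc=com";

    /**
     * Scheduled-task entry point: reads the input file and applies every valid
     * record to its access policy. All failures are logged; nothing is thrown.
     *
     * @param arg0 task parameters; "Input File Name", "List Delimiter" and
     *             "Field Delimiter" are required
     */
    public void execute(HashMap arg0) {
        final String METHOD_NAME = "execute :: ";
        logger.debug(CLASS_NAME + METHOD_NAME + "Entering Method - execute");
        BufferedReader buff = null;
        int loaded = 0;
        int failed = 0;
        int skipped = 0;
        try {
            String inputFileName = requiredParameter(arg0, "Input File Name");
            logger.debug(CLASS_NAME + METHOD_NAME + " Input File Name " + inputFileName);
            // Delimiter between the groups of one record
            String ROLE_DELIMITER = requiredParameter(arg0, "List Delimiter");
            logger.debug(CLASS_NAME + METHOD_NAME + " List Delimiter " + ROLE_DELIMITER);
            // Delimiter between the fields of one record
            String FILE_DELIMITER = requiredParameter(arg0, "Field Delimiter");
            logger.debug(CLASS_NAME + METHOD_NAME + " Field Delimiter " + FILE_DELIMITER);

            // FileReader reads in the platform default charset; the input file
            // is expected to be written that way.
            buff = new BufferedReader(new FileReader(inputFileName));
            // First line is the header
            buff.readLine();
            String line;
            while ((line = buff.readLine()) != null) {
                if (line.trim().length() == 0 || line.startsWith("#")) {
                    // Skip comments and blank lines before parsing, so a
                    // comment that happens to contain delimiters is never loaded.
                    skipped++;
                    continue;
                }
                String[] values = line.split(FILE_DELIMITER);
                if (values.length != 3) {
                    // Fewer than three fields means no group list; more than
                    // three means an unexpected delimiter inside the data.
                    // Either way the record is dropped rather than guessed at.
                    logger.debug(CLASS_NAME + METHOD_NAME + "INVALID RECORD: " + line);
                    skipped++;
                    continue;
                }
                String policyName = values[0];
                String roleName = values[1];
                // A fresh list per record: reusing one list across the loop
                // would carry earlier records' groups into later policies,
                // granting more than the file says.
                ArrayList<String> groupList =
                        new ArrayList<String>(Arrays.asList(values[2].split(ROLE_DELIMITER)));
                logger.debug(CLASS_NAME + METHOD_NAME + "ADDING RECORD: " + line);
                if (loadPolicyRecord(policyName, roleName, groupList)) {
                    loaded++;
                } else {
                    failed++;
                    logger.error(CLASS_NAME + METHOD_NAME + "FAILED RECORD: " + line);
                }
            }
            logger.info(CLASS_NAME + METHOD_NAME + " Access Policies Data Loaded"
                    + " - loaded: " + loaded + ", failed: " + failed + ", skipped: " + skipped);
        } catch (Exception e) {
            logger.error(CLASS_NAME + METHOD_NAME + e.getMessage(), e);
        } finally {
            closeQuietly(buff, METHOD_NAME);
        }
    }

    /**
     * Returns the named task parameter as a string.
     *
     * @throws IllegalArgumentException if the parameter is missing or empty,
     *         so a misconfigured task fails with a clear message instead of a
     *         NullPointerException
     */
    private static String requiredParameter(HashMap params, String name) {
        Object value = (params == null) ? null : params.get(name);
        if (value == null || value.toString().length() == 0) {
            throw new IllegalArgumentException("Missing required task parameter: " + name);
        }
        return value.toString();
    }

    /** Closes the reader if it was opened; a close failure is logged, never thrown. */
    private static void closeQuietly(BufferedReader reader, String methodName) {
        if (reader == null) {
            return;
        }
        try {
            reader.close();
        } catch (Exception e) {
            // Catching Exception rather than IOException keeps this file's
            // import list unchanged.
            logger.error(CLASS_NAME + methodName + "Failed to close input file: " + e.getMessage(), e);
        }
    }

    /**
     * Attaches one role and a list of OID groups to an existing access policy.
     * Failures are logged, not thrown; callers that need the outcome use the
     * return value of {@link #loadPolicyRecord}.
     *
     * @param PolicyName name of an existing access policy
     * @param RoleName   name of an existing role to assign to the policy
     * @param GroupList  bare OID group names (cn values) to add to the policy's
     *                   UD_OID_GRP child table
     */
    public void uploadPolicyData(String PolicyName, String RoleName, ArrayList<String> GroupList) {
        loadPolicyRecord(PolicyName, RoleName, GroupList);
    }

    /**
     * Does the work of {@link #uploadPolicyData} and reports the outcome.
     *
     * @return true if the role and every non-empty group were attached; false
     *         if the policy or role could not be resolved unambiguously or any
     *         API call failed (the reason is logged)
     */
    @SuppressWarnings("unchecked") // the Thor API maps are raw HashMaps
    private boolean loadPolicyRecord(String policyName, String roleName, List<String> groupList) {
        final String METHOD_NAME = "uploadPolicyData :: ";
        try {
            tcAccessPolicyOperationsIntf policyOps =
                    Platform.getService(tcAccessPolicyOperationsIntf.class);
            HashMap searchPolicy = new HashMap();
            searchPolicy.put("Access Policies.Name", policyName);
            tcResultSet result = policyOps.findAccessPolicies(searchPolicy);
            int rows = result.getRowCount();
            if (rows == 0) {
                logger.error(CLASS_NAME + METHOD_NAME + "Access Policy not found: " + policyName);
                return false;
            }
            if (rows > 1) {
                // Refuse rather than guess which policy to modify.
                logger.error(CLASS_NAME + METHOD_NAME + "Ambiguous Access Policy name ("
                        + rows + " matches): " + policyName);
                return false;
            }
            result.goToRow(0);
            long policyKey = result.getLongValue("Access Policies.Key");
            logger.debug(CLASS_NAME + METHOD_NAME + "Access Policies.Key" + policyKey);

            String roleKeyValue = getRoleKey(roleName);
            if (roleKeyValue == null) {
                logger.error(CLASS_NAME + METHOD_NAME + "Role not found, record not loaded: " + roleName);
                return false;
            }
            long[] roleKeys = { Long.parseLong(roleKeyValue) };
            // Attach the role (this API still calls roles "groups")
            policyOps.assignGroups(policyKey, roleKeys);
            logger.info(CLASS_NAME + METHOD_NAME + " Role: " + roleName
                    + " is attached to the Access Policy: " + policyName);

            for (String group : groupList) {
                if (group == null || group.trim().length() == 0) {
                    // An empty entry (e.g. a trailing list delimiter) would
                    // otherwise become a bogus "cn=" value.
                    logger.debug(CLASS_NAME + METHOD_NAME + "Skipping empty group entry for policy: " + policyName);
                    continue;
                }
                String groupName = groupPrefix + group + groupSuffix;
                logger.debug(CLASS_NAME + METHOD_NAME + "OID Group Name: " + groupName);
                HashMap childTableMap = new HashMap();
                childTableMap.put("UD_OID_GRP_GROUP_NAME", groupName);
                AccessPolicyResourceData policyData =
                        new AccessPolicyResourceData(objectKey, objName, formKey, fName, "P");
                policyData.addChildTableRecord(tableKey, "UD_OID_GRP", "Add", childTableMap);
                // NOTE(review): one setDataSpecifiedForObject call per group,
                // as in the original; presumably each call appends a child-table
                // row rather than replacing the form data — verify against the API.
                policyOps.setDataSpecifiedForObject(policyKey, objectKey, formKey, policyData);
                logger.info(CLASS_NAME + METHOD_NAME + " Group: " + group
                        + " attached to the Access Policy: " + policyName);
            }
            return true;
        } catch (Exception e) {
            logger.error(CLASS_NAME + METHOD_NAME + e.getMessage(), e);
            return false;
        }
    }

    /**
     * Resolves a role's entity key by exact role name.
     *
     * @param roleName the role's NAME attribute value
     * @return the role key, or null if no such role exists or the search
     *         failed (the reason is logged); if several roles match, the first
     *         one returned by the search is used
     */
    public String getRoleKey(String roleName) {
        final String METHOD_NAME = "getRoleKey :: ";
        logger.debug(CLASS_NAME + METHOD_NAME + "Entering Method - getRoleKey");
        String roleKey = null;
        try {
            List<Role> roles = findRolesByName(roleName);
            if (roles.isEmpty()) {
                logger.debug(CLASS_NAME + METHOD_NAME + roleName + " DOESN'T EXIST IN OIM");
            } else {
                if (roles.size() > 1) {
                    logger.debug(CLASS_NAME + METHOD_NAME + roles.size()
                            + " roles match " + roleName + "; using the first");
                }
                roleKey = roles.get(0).getEntityId();
            }
        } catch (Exception e) {
            logger.error(CLASS_NAME + METHOD_NAME + e.getMessage(), e);
        }
        return roleKey;
    }

    /**
     * Exact-name role search shared by {@link #getRoleKey} and
     * {@link #isRoleExist}.
     *
     * @return the matching roles, never null
     * @throws Exception the search exception type is not imported in this
     *         file, so the checked exception is passed through as-is
     */
    private static List<Role> findRolesByName(String roleName) throws Exception {
        RoleManager rmgr = Platform.getService(RoleManager.class);
        Set<String> retAttrs = new HashSet<String>();
        retAttrs.add(RoleAttributeName.DISPLAY_NAME.getId());
        SearchCriteria criteria = new SearchCriteria(RoleAttributeName.NAME.getId(),
                roleName, SearchCriteria.Operator.EQUAL);
        List<Role> roles = rmgr.search(criteria, retAttrs, null);
        return (roles == null) ? new ArrayList<Role>() : roles;
    }

    /**
     * Checks whether every given role exists in OIM. Each missing role is
     * logged, so one call reports all problems in the list.
     *
     * @param roles role names to check
     * @return true only if the array is non-empty and every role exists;
     *         false if any role is missing, the array is null or empty, or the
     *         search fails (an unknown state is never reported as "exists")
     */
    public boolean isRoleExist(String[] roles) {
        final String METHOD_NAME = "isRoleExist :: ";
        logger.debug(CLASS_NAME + METHOD_NAME + "Entering Method - isRoleExist");
        if (roles == null || roles.length == 0) {
            return false;
        }
        boolean allExist = true;
        try {
            for (String roleName : roles) {
                if (findRolesByName(roleName).isEmpty()) {
                    logger.debug(CLASS_NAME + METHOD_NAME + roleName + " DOESN'T EXIST IN OIM");
                    // Keep going so every missing role is reported.
                    allExist = false;
                }
            }
        } catch (Exception e) {
            logger.error(CLASS_NAME + METHOD_NAME + e.getMessage(), e);
            return false;
        }
        return allExist;
    }

    /** No task attributes are exposed to the scheduler. */
    public HashMap getAttributes() {
        return null;
    }

    /** No task attributes to set. */
    public void setAttributes() {
    }
}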
I don't know how easy or hard it is to modify the UI to provide this capability, but considering this a "Nice To Have" requirement, I think the solution above is good enough. There are a couple of things, such as checking whether an OID group exists or updating (adding and deleting) the groups, that I might need to add later.
Note: This code is specific to the OID resource and assumes that the access policy has already been created.
The requirement for the code you see below came from my client, who, while learning to create access policies, asked me the following question:
In OIM, you cannot add multiple groups to an Access Policy in a single iteration, but you can remove multiple groups. What is the rationale behind this?
Well, I couldn't agree more with him, and I had no answer for him. Before he could raise another question, or think of asking me to modify the OIM UI to provide the capability to add multiple groups to an Access Policy, I told him that I could create a Bulk Data Load Utility that can be used for loading groups in bulk into access policies. Below is the code for that:
package security.provisioning;
import java.io.BufferedReader;
import java.io.FileReader;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import com.thortech.xl.vo.AccessPolicyResourceData;
import com.thortech.xl.vo.PolicyChildTableRecord;
import Thor.API.tcResultSet;
import Thor.API.Operations.tcAccessPolicyOperationsIntf;
import oracle.iam.identity.rolemgmt.api.RoleManager;
import oracle.iam.identity.rolemgmt.api.RoleManagerConstants.RoleAttributeName;
import oracle.iam.identity.rolemgmt.vo.Role;
import oracle.iam.platform.Platform;
import oracle.iam.platform.entitymgr.vo.SearchCriteria;
import oracle.iam.scheduler.vo.TaskSupport;
import com.thortech.util.logging.Logger;
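/**
 * OIM scheduled task that bulk-loads a role and a list of OID groups into
 * existing Access Policies from a delimited text file.
 *
 * <p>Input file format: the first line is a header and is skipped. Every other
 * line is one record of three fields separated by the "Field Delimiter" task
 * parameter: {@code <policy name>, <role name>, <group list>}, where the group
 * list is split on the "List Delimiter" parameter. Lines starting with '#' and
 * blank lines are ignored. Records that do not have exactly three fields are
 * logged as INVALID RECORD and skipped.
 *
 * <p>Operational notes:
 * <ul>
 *   <li>The file path and both delimiters come from scheduled-task parameters,
 *       i.e. from an OIM administrator. The records are authorization data
 *       (which groups a policy grants), so the file should be reviewed before
 *       loading and the INVALID RECORD / FAILED RECORD log lines checked
 *       afterwards.</li>
 *   <li>The load is not transactional: each record is applied independently and
 *       a failed record does not roll back earlier ones. A summary with loaded,
 *       failed and skipped counts is logged at the end of the run.</li>
 *   <li>Both delimiters are treated as regular expressions by
 *       {@link String#split(String)}; a literal "|" must be configured as
 *       "\\|".</li>
 *   <li>The object, form and child-table keys and the group DN suffix are
 *       hard-coded for one OID resource in one environment; adjust them before
 *       deploying elsewhere. The access policy must already exist.</li>
 * </ul>
 */
public class InitialAccessPolicyLoad extends TaskSupport {
    // Kept for compatibility; neither field is used by this class.
    HashMap<String, List<String>> mapping = new HashMap<String, List<String>>();
    tcAccessPolicyOperationsIntf moAccesspolicyutility = null;

    private static final Logger logger = Logger.getLogger("SECURITY.EVENTS");
    private static final String CLASS_NAME = "security.provisioning.InitialAccessPolicyLoad : ";

    // Environment-specific identifiers of the OID User resource object, its
    // process form and the UD_OID_GRP child table.
    private static final long formKey = 25;
    private static final long objectKey = 24;
    private static final String tableKey = "22";
    private static final String objName = "OID User";
    private static final String fName = "UD_OID_USR";
    // The child-table value is built as prefix + bare group name + suffix.
    private static final String groupPrefix = "41~cn=";
    private static final String groupSuffix = ",cn=Groups,dc=sample,dc=com";

    /**
     * Scheduled-task entry point: reads the input file and applies every valid
     * record to its access policy. All failures are logged; nothing is thrown.
     *
     * @param arg0 task parameters; "Input File Name", "List Delimiter" and
     *             "Field Delimiter" are required
     */
    public void execute(HashMap arg0) {
        final String METHOD_NAME = "execute :: ";
        logger.debug(CLASS_NAME + METHOD_NAME + "Entering Method - execute");
        BufferedReader buff = null;
        int loaded = 0;
        int failed = 0;
        int skipped = 0;
        try {
            String inputFileName = requiredParameter(arg0, "Input File Name");
            logger.debug(CLASS_NAME + METHOD_NAME + " Input File Name " + inputFileName);
            // Delimiter between the groups of one record
            String ROLE_DELIMITER = requiredParameter(arg0, "List Delimiter");
            logger.debug(CLASS_NAME + METHOD_NAME + " List Delimiter " + ROLE_DELIMITER);
            // Delimiter between the fields of one record
            String FILE_DELIMITER = requiredParameter(arg0, "Field Delimiter");
            logger.debug(CLASS_NAME + METHOD_NAME + " Field Delimiter " + FILE_DELIMITER);

            // FileReader reads in the platform default charset; the input file
            // is expected to be written that way.
            buff = new BufferedReader(new FileReader(inputFileName));
            // First line is the header
            buff.readLine();
            String line;
            while ((line = buff.readLine()) != null) {
                if (line.trim().length() == 0 || line.startsWith("#")) {
                    // Skip comments and blank lines before parsing, so a
                    // comment that happens to contain delimiters is never loaded.
                    skipped++;
                    continue;
                }
                String[] values = line.split(FILE_DELIMITER);
                if (values.length != 3) {
                    // Fewer than three fields means no group list; more than
                    // three means an unexpected delimiter inside the data.
                    // Either way the record is dropped rather than guessed at.
                    logger.debug(CLASS_NAME + METHOD_NAME + "INVALID RECORD: " + line);
                    skipped++;
                    continue;
                }
                String policyName = values[0];
                String roleName = values[1];
                // A fresh list per record: reusing one list across the loop
                // would carry earlier records' groups into later policies,
                // granting more than the file says.
                ArrayList<String> groupList =
                        new ArrayList<String>(Arrays.asList(values[2].split(ROLE_DELIMITER)));
                logger.debug(CLASS_NAME + METHOD_NAME + "ADDING RECORD: " + line);
                if (loadPolicyRecord(policyName, roleName, groupList)) {
                    loaded++;
                } else {
                    failed++;
                    logger.error(CLASS_NAME + METHOD_NAME + "FAILED RECORD: " + line);
                }
            }
            logger.info(CLASS_NAME + METHOD_NAME + " Access Policies Data Loaded"
                    + " - loaded: " + loaded + ", failed: " + failed + ", skipped: " + skipped);
        } catch (Exception e) {
            logger.error(CLASS_NAME + METHOD_NAME + e.getMessage(), e);
        } finally {
            closeQuietly(buff, METHOD_NAME);
        }
    }

    /**
     * Returns the named task parameter as a string.
     *
     * @throws IllegalArgumentException if the parameter is missing or empty,
     *         so a misconfigured task fails with a clear message instead of a
     *         NullPointerException
     */
    private static String requiredParameter(HashMap params, String name) {
        Object value = (params == null) ? null : params.get(name);
        if (value == null || value.toString().length() == 0) {
            throw new IllegalArgumentException("Missing required task parameter: " + name);
        }
        return value.toString();
    }

    /** Closes the reader if it was opened; a close failure is logged, never thrown. */
    private static void closeQuietly(BufferedReader reader, String methodName) {
        if (reader == null) {
            return;
        }
        try {
            reader.close();
        } catch (Exception e) {
            // Catching Exception rather than IOException keeps this file's
            // import list unchanged.
            logger.error(CLASS_NAME + methodName + "Failed to close input file: " + e.getMessage(), e);
        }
    }

    /**
     * Attaches one role and a list of OID groups to an existing access policy.
     * Failures are logged, not thrown; callers that need the outcome use the
     * return value of {@link #loadPolicyRecord}.
     *
     * @param PolicyName name of an existing access policy
     * @param RoleName   name of an existing role to assign to the policy
     * @param GroupList  bare OID group names (cn values) to add to the policy's
     *                   UD_OID_GRP child table
     */
    public void uploadPolicyData(String PolicyName, String RoleName, ArrayList<String> GroupList) {
        loadPolicyRecord(PolicyName, RoleName, GroupList);
    }

    /**
     * Does the work of {@link #uploadPolicyData} and reports the outcome.
     *
     * @return true if the role and every non-empty group were attached; false
     *         if the policy or role could not be resolved unambiguously or any
     *         API call failed (the reason is logged)
     */
    @SuppressWarnings("unchecked") // the Thor API maps are raw HashMaps
    private boolean loadPolicyRecord(String policyName, String roleName, List<String> groupList) {
        final String METHOD_NAME = "uploadPolicyData :: ";
        try {
            tcAccessPolicyOperationsIntf policyOps =
                    Platform.getService(tcAccessPolicyOperationsIntf.class);
            HashMap searchPolicy = new HashMap();
            searchPolicy.put("Access Policies.Name", policyName);
            tcResultSet result = policyOps.findAccessPolicies(searchPolicy);
            int rows = result.getRowCount();
            if (rows == 0) {
                logger.error(CLASS_NAME + METHOD_NAME + "Access Policy not found: " + policyName);
                return false;
            }
            if (rows > 1) {
                // Refuse rather than guess which policy to modify.
                logger.error(CLASS_NAME + METHOD_NAME + "Ambiguous Access Policy name ("
                        + rows + " matches): " + policyName);
                return false;
            }
            result.goToRow(0);
            long policyKey = result.getLongValue("Access Policies.Key");
            logger.debug(CLASS_NAME + METHOD_NAME + "Access Policies.Key" + policyKey);

            String roleKeyValue = getRoleKey(roleName);
            if (roleKeyValue == null) {
                logger.error(CLASS_NAME + METHOD_NAME + "Role not found, record not loaded: " + roleName);
                return false;
            }
            long[] roleKeys = { Long.parseLong(roleKeyValue) };
            // Attach the role (this API still calls roles "groups")
            policyOps.assignGroups(policyKey, roleKeys);
            logger.info(CLASS_NAME + METHOD_NAME + " Role: " + roleName
                    + " is attached to the Access Policy: " + policyName);

            for (String group : groupList) {
                if (group == null || group.trim().length() == 0) {
                    // An empty entry (e.g. a trailing list delimiter) would
                    // otherwise become a bogus "cn=" value.
                    logger.debug(CLASS_NAME + METHOD_NAME + "Skipping empty group entry for policy: " + policyName);
                    continue;
                }
                String groupName = groupPrefix + group + groupSuffix;
                logger.debug(CLASS_NAME + METHOD_NAME + "OID Group Name: " + groupName);
                HashMap childTableMap = new HashMap();
                childTableMap.put("UD_OID_GRP_GROUP_NAME", groupName);
                AccessPolicyResourceData policyData =
                        new AccessPolicyResourceData(objectKey, objName, formKey, fName, "P");
                policyData.addChildTableRecord(tableKey, "UD_OID_GRP", "Add", childTableMap);
                // NOTE(review): one setDataSpecifiedForObject call per group,
                // as in the original; presumably each call appends a child-table
                // row rather than replacing the form data — verify against the API.
                policyOps.setDataSpecifiedForObject(policyKey, objectKey, formKey, policyData);
                logger.info(CLASS_NAME + METHOD_NAME + " Group: " + group
                        + " attached to the Access Policy: " + policyName);
            }
            return true;
        } catch (Exception e) {
            logger.error(CLASS_NAME + METHOD_NAME + e.getMessage(), e);
            return false;
        }
    }

    /**
     * Resolves a role's entity key by exact role name.
     *
     * @param roleName the role's NAME attribute value
     * @return the role key, or null if no such role exists or the search
     *         failed (the reason is logged); if several roles match, the first
     *         one returned by the search is used
     */
    public String getRoleKey(String roleName) {
        final String METHOD_NAME = "getRoleKey :: ";
        logger.debug(CLASS_NAME + METHOD_NAME + "Entering Method - getRoleKey");
        String roleKey = null;
        try {
            List<Role> roles = findRolesByName(roleName);
            if (roles.isEmpty()) {
                logger.debug(CLASS_NAME + METHOD_NAME + roleName + " DOESN'T EXIST IN OIM");
            } else {
                if (roles.size() > 1) {
                    logger.debug(CLASS_NAME + METHOD_NAME + roles.size()
                            + " roles match " + roleName + "; using the first");
                }
                roleKey = roles.get(0).getEntityId();
            }
        } catch (Exception e) {
            logger.error(CLASS_NAME + METHOD_NAME + e.getMessage(), e);
        }
        return roleKey;
    }

    /**
     * Exact-name role search shared by {@link #getRoleKey} and
     * {@link #isRoleExist}.
     *
     * @return the matching roles, never null
     * @throws Exception the search exception type is not imported in this
     *         file, so the checked exception is passed through as-is
     */
    private static List<Role> findRolesByName(String roleName) throws Exception {
        RoleManager rmgr = Platform.getService(RoleManager.class);
        Set<String> retAttrs = new HashSet<String>();
        retAttrs.add(RoleAttributeName.DISPLAY_NAME.getId());
        SearchCriteria criteria = new SearchCriteria(RoleAttributeName.NAME.getId(),
                roleName, SearchCriteria.Operator.EQUAL);
        List<Role> roles = rmgr.search(criteria, retAttrs, null);
        return (roles == null) ? new ArrayList<Role>() : roles;
    }

    /**
     * Checks whether every given role exists in OIM. Each missing role is
     * logged, so one call reports all problems in the list.
     *
     * @param roles role names to check
     * @return true only if the array is non-empty and every role exists;
     *         false if any role is missing, the array is null or empty, or the
     *         search fails (an unknown state is never reported as "exists")
     */
    public boolean isRoleExist(String[] roles) {
        final String METHOD_NAME = "isRoleExist :: ";
        logger.debug(CLASS_NAME + METHOD_NAME + "Entering Method - isRoleExist");
        if (roles == null || roles.length == 0) {
            return false;
        }
        boolean allExist = true;
        try {
            for (String roleName : roles) {
                if (findRolesByName(roleName).isEmpty()) {
                    logger.debug(CLASS_NAME + METHOD_NAME + roleName + " DOESN'T EXIST IN OIM");
                    // Keep going so every missing role is reported.
                    allExist = false;
                }
            }
        } catch (Exception e) {
            logger.error(CLASS_NAME + METHOD_NAME + e.getMessage(), e);
            return false;
        }
        return allExist;
    }

    /** No task attributes are exposed to the scheduler. */
    public HashMap getAttributes() {
        return null;
    }

    /** No task attributes to set. */
    public void setAttributes() {
    }
}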
I don't know how easy or hard it is to modify the UI to provide this capability, but considering this a "Nice To Have" requirement, I think the solution above is good enough. There are a couple of things, such as checking whether an OID group exists or updating (adding and deleting) the groups, that I might need to add later.
Note: This code is specific to the OID resource and assumes that the access policy has already been created.