Thursday, January 16, 2014

ADF_FACES-60096:Server Exception during PPR" when trying to open 'View Members' tab

Symptoms

Created a new role in OIM and an authorization policy under 'Role Management' for this role. This policy has three permissions: View_Role_Membership, Search_for_Role and View_Role_Detail. When login as a user (who has this role assigned), they are able to search for role and view its details. But when trying to open 'View Members' tab, it throws an ADF exception (java.lang.NullPointerException).
OIM log shows the following:

[oim_server1] [ERROR] [] [oracle.adfinternal.view.faces.config.rich.RegistrationConfigurator] [tid: [ACTIVE].ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: ACCESSRIGHTAMINUSER] [ecid: e106ac6f78fd3267:21d3f052:139953cbc8f:-8000-0000000000001e3f,0] [APP: oim#11.1.1.3.0] ADF_FACES-60096:Server Exception during PPR, #1[[
javax.el.ELException: java.lang.NullPointerException
 at com.sun.el.parser.AstValue.invoke(Unknown Source)
 at com.sun.el.MethodExpressionImpl.invoke(Unknown Source)
 at org.apache.myfaces.trinidad.component.UIXComponentBase.broadcastToMethodExpression(UIXComponentBase.java:1300)
 at org.apache.myfaces.trinidad.component.UIXShowDetail.broadcast(UIXShowDetail.java:154)
Root Cause:
The root cause is missing permissions for the end user to search the organization details.
 
Solution

1. Login as System Administrator
 2. Go to Administration and search for the organization.
 3. Open the organization details.
 4. Click "Administrative Roles".
 5. Click "Assign".
 6. Choose either "ALL USERS" or your custom role, set the permissions as you wish and click "Assign".

References:

Doc ID 1491104.1
Posted by at 1 comment:
Labels: , , ,

Friday, January 10, 2014

Provisioning OID Groups to User as Per Assigned Roles in OIM

Here is the sample java code to provision groups in OID to user as per the assigned role in OIM. The roles have access policy attached to them.


import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import com.thortech.xl.vo.AccessPolicyResourceData;
import com.thortech.xl.vo.PolicyChildTableRecord;
import oracle.iam.identity.rolemgmt.api.RoleManager;
import oracle.iam.identity.rolemgmt.vo.Role;
import oracle.iam.identity.usermgmt.api.UserManager;
import oracle.iam.identity.usermgmt.vo.User;
import oracle.iam.platform.OIMClient;
import oracle.iam.platform.Platform;
import Thor.API.tcResultSet;
import Thor.API.tcUtilityFactory;
import Thor.API.Operations.tcAccessPolicyOperationsIntf;
import Thor.API.Operations.tcFormInstanceOperationsIntf;
import Thor.API.Operations.tcLookupOperationsIntf;
import Thor.API.Operations.tcObjectOperationsIntf;
import Thor.API.Operations.tcUserOperationsIntf;
public class ForceUserProvisioning {
 private static final String OIM_URL = "t3s://<>:14001";
 private static final String AUTH_CONF = "<>";
 private static final String OIM_USERNAME = "<>";
 private static final String OIM_PASSWORD = "<>";
 private static OIMClient oimClient = null;
 Hashtable env = new Hashtable();
 private static final String LOOKUP_COLUMN_DECODE = "Lookup Definition.Lookup Code Information.Decode";
 public tcAccessPolicyOperationsIntf moAccesspolicyutility;
 private tcObjectOperationsIntf objectOp = null;
 private tcUserOperationsIntf userOp = null;
 private tcFormInstanceOperationsIntf formOp = null;
 public ForceUserProvisioning() {
  try {
   env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL,
     "weblogic.jndi.WLInitialContextFactory");
   env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, OIM_URL);
   System.setProperty("java.security.auth.login.config", AUTH_CONF);
   System.setProperty("OIM.AppServerType", "wls");
   System.setProperty("APPSERVER_TYPE", "wls");
   oimClient = new OIMClient(env);
   oimClient.login(OIM_USERNAME, OIM_PASSWORD.toCharArray());
  } catch (Exception e) {
   e.printStackTrace();
  }
 }

//This method add the groups to the user in OID
 public void updateUserGroups(String userLogin) {
  try {
   HashSet existingUserGroups = new HashSet();
   Long userKey = Long.parseLong(getUserKey(userLogin));
   userOp = oimClient.getService(tcUserOperationsIntf.class);
   objectOp = oimClient.getService(tcObjectOperationsIntf.class);
   formOp = oimClient.getService(tcFormInstanceOperationsIntf.class);
   tcResultSet userObjects = userOp.getObjects(userKey);
            String objName = userObjects.getStringValue("Objects.Name"); // OID User 
            long procKey = userObjects.getLongValue("Process Instance.Key"); 
            long  objKey = userObjects.getLongValue("Objects.Key"); 
            long  childFormKey;
            long parentformkey = formOp.getProcessFormDefinitionKey(procKey); 
            int parentformver = formOp.getProcessFormVersion(procKey); 
            tcResultSet childforms = formOp.getChildFormDefinition(parentformkey, parentformver); 
            String plChildTableName = childforms.getStringValue("Structure Utility.Table Name"); 
            long formkey = childforms.getLongValue("Structure Utility.Child Tables.Child Key"); 
            tcResultSet childFormData = formOp.getProcessFormChildData(formkey, procKey); 
            HashSet groupSet =  getAccessPolicyMapping(userLogin);
            for(int k =0;k             childFormData.goToRow(k);
             String group = childFormData.getStringValue("UD_OID_GRP_GROUP_NAME");

//Get existing set of groups assigned to the user.
             existingUserGroups.add(group);

//This will remove the extra groups which shouldn't be assigned to the user as per the assigned roles.

             if(!groupSet.contains(group)) {
              System.out.println ("Removing Group " + group);
             long plChildFormPrimaryKey = childFormData.getLongValue("UD_OID_GRP_KEY");
             formOp.removeProcessFormChildData( formkey, plChildFormPrimaryKey );
             }
            }       

// This add groups as per the roles.
     
             HashSet addGroups = new HashSet(groupSet);
             addGroups.removeAll(existingUserGroups);
             Iterator itrAdd = addGroups.iterator();
             System.out.println(" Add " + addGroups.size());
             if(addGroups.size()!=0) {
             while(itrAdd.hasNext()) {
              String groupName = itrAdd.next().toString();
              HashMap groupHash = new HashMap(); 
              groupHash.put("UD_OID_GRP_GROUP_NAME", groupName); 
              System.out.println(" Add " + groupName);
            formOp.addProcessFormChildData(formkey, procKey, groupHash);
             }
             }         
  }catch(Exception e) {
   e.printStackTrace();
  }
 }

//Get list of groups that needs to be assigned as per the Access Policy attached to the assigned roles in OIM

 public HashSet getAccessPolicyMapping(String userLogin) {
  HashSet mappingSet = new HashSet();
  try {
   tcUtilityFactory ioUtilityFactory = new tcUtilityFactory(env,
     OIM_USERNAME, OIM_PASSWORD);
   moAccesspolicyutility = (tcAccessPolicyOperationsIntf) ioUtilityFactory
   .getUtility("Thor.API.Operations.tcAccessPolicyOperationsIntf");
   HashSet roleSet = getUserRoles(userLogin);
   System.out.println(" Roles Assigned to the User " + userLogin + " are " + roleSet.toString());
   Iterator itr = roleSet.iterator();
   while(itr.hasNext()) {
    String policyName = itr.next().toString();
    HashMap searchPolicy = new HashMap();
    searchPolicy.put("Access Policies.Name", policyName);
    tcResultSet result = moAccesspolicyutility
      .findAccessPolicies(searchPolicy);
    HashMap parentFormData = new HashMap();
    ArrayList groupList = new ArrayList();
    for (int i = 0; i < result.getTotalRowCount(); i++) {
     result.goToRow(i);
     long policyKey = result.getLongValue("Access Policies.Key");
     tcResultSet policyresult = moAccesspolicyutility
       .getDataSpecifiedFor(policyKey);
     for (int f = 0; f < policyresult.getTotalRowCount(); f++) {
      policyresult.goToRow(f);
      long formKey = policyresult
        .getLongValue("Structure Utility.Key");
      long objectKey = policyresult.getLongValue("Objects.Key");
      tcResultSet groupResult = moAccesspolicyutility
        .getAssignedGroups(policyKey);
      for (int j = 0; j < groupResult.getTotalRowCount(); j++) {
       groupResult.goToRow(j);
       AccessPolicyResourceData policyData = moAccesspolicyutility
         .getDataSpecifiedForObject(policyKey,
           objectKey, formKey);
       HashMap pData = policyData
         .getChildTables();
       parentFormData= policyData.getFormData();
       Set formSet = parentFormData.keySet();
       Iterator formIterator = formSet.iterator();
       while(formIterator.hasNext()) {
        String key = formIterator.next().toString();
       }
       Set s = pData.keySet();
       Iterator it = s.iterator();
       while (it.hasNext()) {
        String tableKey = it.next().toString();
        PolicyChildTableRecord[] pChildTableData = policyData
          .getChildTableRecords(tableKey);
        for (int g = 0; g < pChildTableData.length; g++) {
         String EDRGroupName = pChildTableData[g]
           .getValue("UD_OID_GRP_GROUP_NAME");
         //System.out.println(EDRGroupName);
         mappingSet.add(EDRGroupName);
        
        }
       }
      }
     }
    }
   }
  }catch(Exception e) {
   e.printStackTrace();
  }
  return mappingSet;
 }
 
// This method return set containing roles assigned to the user.

 public HashSet getUserRoles(String userLogin) {
  HashSet roleSet = new HashSet();
  try {
   RoleManager rolemanager = oimClient.getService(RoleManager.class);
   List groupList = rolemanager
   .getUserMemberships(getUserKey(userLogin), false);
   for (Role role : groupList) {
    roleSet.add(role.getName().trim());
   }
  }catch(Exception e) {
   e.printStackTrace();
  }
  return roleSet;
 }

 public HashSet readLookup() {
  String lookupDecode = "Lookup.FTB.IgnoreRole";
  HashSet filterRoles = new HashSet();
  try {
  //Read Lookup to Find FilteredRoles
  tcLookupOperationsIntf lookupOps = oimClient.getService(tcLookupOperationsIntf.class);
  tcResultSet lookupResultSet = lookupOps.getLookupValues(lookupDecode);
  for (int i = 0; i < lookupResultSet.getRowCount(); i++) {
   lookupResultSet.goToRow(i);
   String decode = lookupResultSet.getStringValue(
     LOOKUP_COLUMN_DECODE).trim();
   filterRoles.add(decode);
  }
  }catch(Exception e) {
   e.printStackTrace();
  }
  return filterRoles;
 }

 public String getUserKey(String userLogin) {
  UserManager usrMgr = oimClient.getService(UserManager.class);
  User user = null;
  try {
   user = usrMgr.getDetails(userLogin, null, true);
  } catch (Exception e) {
   e.printStackTrace();
  }
  return user.getAttribute("usr_key").toString();
 }

 
  public static void main(String args[]) throws Exception {
   ForceUserProvisioning obj = new ForceUserProvisioning(); 
   obj.updateUserGroups("UserID");
   System.out.println("Program Complete");
  }
 }

Note: I wrote this code for temporary use as in one of the environment, group provisioning via access policy stopped working.
Posted by at No comments:
Labels: , , , , , , , ,

OIM Audit Table: Sample Queries to Find Who did What and When

Here are few sample queries provided by Oracle to find who did what and when:

List the last change set for user with usr_key where the changes are represented  in a relational format:


SELECT usr_key,   usr_login as changed_by_user,  upa_usr.upa_usr_eff_from_date AS changed_time,   field_name,   field_old_value,   field_new_value
 FROM upa_usr, upa_fields,   (SELECT field_new_value AS changed_by_user    FROM upa_fields
   WHERE upa_fields_key =  (SELECT MAX(upa_fields_key)      FROM upa_fields, upa_usr
     WHERE upa_usr.upa_usr_key = upa_fields.upa_usr_key
     AND upa_usr.usr_key = <>
     AND upa_fields.field_name ='Users.Updated By Login'
     )
   )
 WHERE upa_usr.upa_usr_key = upa_fields.upa_usr_key
 AND upa_usr.usr_key = <>;


References:

Posted by at 1 comment:
Labels: , , , , , , ,

Java Code to Add Entry in Lookup & Display Lookup Values

Here is the same java code to add entry in existing OIM Lookup and display all the Values from an existing OIM Lookup

import java.util.HashMap;
import java.util.Hashtable;
import oracle.iam.platform.OIMClient;
import Thor.API.tcResultSet;
import Thor.API.Operations.tcLookupOperationsIntf;
public class UpdateLookup {

 private static final String OIM_URL = "t3s://<>:14001";
 private static final String AUTH_CONF = "<< Path of authwl.conf >>";
 private static final String OIM_USERNAME = "<< UserID >>";
 private static final String OIM_PASSWORD = "<< Password >>";
 private static OIMClient oimClient = null;
 Hashtable env = new Hashtable();
 public UpdateLookup() {
  try {
   env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL,
     "weblogic.jndi.WLInitialContextFactory");
   env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, OIM_URL);
   System.setProperty("java.security.auth.login.config", AUTH_CONF);
   System.setProperty("OIM.AppServerType", "wls");
   System.setProperty("APPSERVER_TYPE", "wls");
   oimClient = new OIMClient(env);
   oimClient.login(OIM_USERNAME, OIM_PASSWORD.toCharArray());
  } catch (Exception e) {
   e.printStackTrace();
  }
 }
 public void addLookupEntry(String LookupCode,String Lookup) {
  try {
   tcLookupOperationsIntf lookupOps = oimClient
     .getService(tcLookupOperationsIntf.class);
   lookupOps.addLookupValue("<>", LookupKey,
     LookupValue, "", "");
  } catch (Exception e) {
   e.printStackTrace();
  }
 }

 public void displayLookup(String lookupname) {
  try {
   tcLookupOperationsIntf lookupOps = oimClient
     .getService(tcLookupOperationsIntf.class);
   tcResultSet values = lookupOps.getLookupValues(lookupname);
   for (int i = 0; i < values.getRowCount(); i++) {
    values.goToRow(i);
    System.out
      .print(values
        .getStringValue("Lookup Definition.Lookup Code Information.Decode"));
    System.out
      .println(","
        + values.getStringValue("Lookup Definition.Lookup Code Information.Code Key"));
   }
  } catch (Exception e) {
   e.printStackTrace();
  }
 }
 public static void main(String args[]) {
   UpdateLookup obj = new UpdateLookup();
   obj.addLookupEntry("LookupKey","LookupValue");
   obj.displayLookup("LookupName");
 }
}

Reference:

http://docs.oracle.com/cd/E17904_01/apirefs.1111/e17334/toc.htm

Posted by at 1 comment:
Labels: , , , , , , , , ,

Java Code to Create OIM 11g R1 Role Category

Here is the sample java code to create role cateogry in OIM 11gR1:


import java.util.HashMap;
import java.util.Hashtable;
import oracle.iam.identity.rolemgmt.api.RoleCategoryManager;
import oracle.iam.identity.rolemgmt.vo.RoleCategory;
import oracle.iam.identity.rolemgmt.vo.RoleManagerResult;
import oracle.iam.platform.OIMClient;

public class CreateRoleCategory {

 private static final String OIM_URL = "t3s://<>:14001";
 private static final String AUTH_CONF = "<< Path of authwl.conf File >>";
 private static final String OIM_USERNAME = "<< UserID >>";
 private static final String OIM_PASSWORD = "<< Password >>";
 private static OIMClient oimClient = null;
 Hashtable env = new Hashtable();

 public CreateRoleCategory() {
  try {
   env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL,
     "weblogic.jndi.WLInitialContextFactory");
   env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, OIM_URL);
   System.setProperty("java.security.auth.login.config", AUTH_CONF);
   System.setProperty("OIM.AppServerType", "wls");
   System.setProperty("APPSERVER_TYPE", "wls");
   oimClient = new OIMClient(env);
   oimClient.login(OIM_USERNAME, OIM_PASSWORD.toCharArray());
  } catch (Exception e) {
   e.printStackTrace();
  }
 }

 public void createCategory(String categoryName, String categoryDescription) {
  try {
   RoleCategoryManager rmgr = oimClient.getService(RoleCategoryManager.class);
   RoleCategory rcategory = new RoleCategory(categoryName);
   rcategory.setDescription(categoryDescription);
   rcategory.setName(categoryName);
   RoleManagerResult result = rmgr.create(rcategory);   System.out.println(" Role Category " + categoryName + " Status " + result.getStatus());
  }catch(Exception e) {
   e.printStackTrace();
  }
 }

 public  static void main(String args[]) {
  try {
   CreateRoleCategory obj = new CreateRoleCategory();
   obj.createCategory("CategoryName","CategoryDescription");
  }catch(Exception e) {
   e.printStackTrace();
  }
 }
}

References:

http://docs.oracle.com/cd/E17904_01/apirefs.1111/e17334/toc.htm


Posted by at No comments:
Labels: , , , , , ,

Java Code to Search Active Directory on LDAPS

Here is the sample java code to search Active Directory for user information.

import java.util.Hashtable;
import javax.naming.ldap.*;
import javax.naming.directory.*;
import javax.naming.*;
 
public class searchActiveDirectory {
 public void getUserDetails() {

  Hashtable env = new Hashtable();
  String adminName = "<<DN of the Admin Account>>";
  String adminPassword = "<<Password of Admin Account>>";
  String ldapURL = "ldaps://<<ADHost>>:636";
  String keystore = "<>";
  String searchBase = "<<Base DN>>";
  System.setProperty("javax.net.ssl.trustStore", keystore);
  env.put(Context.INITIAL_CONTEXT_FACTORY,
    "com.sun.jndi.ldap.LdapCtxFactory");
  
// set security credentials
  env.put(Context.SECURITY_AUTHENTICATION, "simple");
  env.put(Context.SECURITY_PRINCIPAL, adminName);
  env.put(Context.SECURITY_CREDENTIALS, adminPassword);
  // specify use of ssl
  env.put(Context.SECURITY_PROTOCOL, "ssl");
  // connect to my domain controller
  env.put(Context.PROVIDER_URL, ldapURL);
  try {
   // Create the initial directory context
   DirContext ctx = new InitialLdapContext(env, null);

   // Create the search controls
   SearchControls searchCtls = new SearchControls();

   // Specify the attributes to return
   String returnedAtts[] = { "sAMAccountName", "sn", "givenName",
     "mail", "description", "userAccountControl","whenCreated","distinguishedName" };
   searchCtls.setReturningAttributes(returnedAtts);
   // Specify the search scope
   searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);

   // specify the LDAP search filter
   //String searchFilter = "(&(objectClass=user)(sAMAccountName="+username+"))";
   String searchFilter = "(&(objectClass=user)(!(objectClass=computer))(whenCreated>=20131227000000.0Z))";

   // Search for objects using the filter
   NamingEnumeration answer = ctx.search(searchBase, searchFilter,
     searchCtls);

   // Loop through the search results
   while (answer.hasMoreElements()) {
    SearchResult sr = (SearchResult) answer.next();
    Attributes attrs = sr.getAttributes();
    if (attrs != null) {
     try {
      System.out.println(attrs.get("sAMAccountName").get()+","+attrs.get("whenCreated").get());
      System.out.println(attrs.get("distinguishedName"));
     } catch (NullPointerException e) {
      System.out.println("Errors listing attributes: " + e);
     }
    }
   }
   ctx.close();
  } catch (NamingException e) {
   System.err.println("Problem searching directory: " + e);
  }
 }

 public static void main(String[] args) throws Exception{
  searchActiveDirectory s = new searchActiveDirectory();
  s.getUserDetails(); 
 }
}
Posted by at No comments:
Labels: , , , , ,

Oracle Identity Manager 11gR2PS1 (11.1.2.1) Database Schema Documentation

Here is the Doc ID to find the Oracle Identity Manager 11gR2PS1 (11.1.2.1) Database Schema Documentation

Doc ID 1541858.1
Posted by at No comments:
Labels: , , , , ,
Subscribe to: Posts (Atom)