Creating Access Policy in OIM 11g R2

From 11g R2 onwards, accounts and entitlements can either be revoked or disabled if policy no longer applies. There is no longer an option to leave any option deselected.
 
You have to use the class tcAccessPolicyOperationsIntf.PolicyNLAObjectActionType to specify if you want the entitlements to be revoked or disabled when the access policy is no longer applicable.
 
If you are creating the access policy using the tcAccessPolicyOperationsIntf, then use the below to specify the revoke/disable option for your access policy.
 
static tcAccessPolicyOperationsIntf.PolicyNLAObjectActionType revokeFlag = tcAccessPolicyOperationsIntf.PolicyNLAObjectActionType.REVOKE; 

static tcAccessPolicyOperationsIntf.PolicyNLAObjectActionType disableFlag = tcAccessPolicyOperationsIntf.PolicyNLAObjectActionType.DISABLE;

tcAccessPolicyOperationsIntf.PolicyNLAObjectActionType[] actionIfPolNotApply = {revokeFlag};

moAccesspolicyutility.createAccessPolicy(attr, provObjKeys,                    actionIfPolNotApply, denyObjKeys, groupKeys, policyData);

 
References:
 
http://docs.oracle.com/cd/E27559_01/admin.1112/e27149/accesspolicies.htm

http://docs.oracle.com/cd/E17904_01/apirefs.1111/e17334/Thor/API/Operations/tcAccessPolicyOperationsIntf.html
 

OIM11g: Bulk Load the Data in Access Policies

Hi All,

The requirement for the code that you see below comes from my client who while learning to create access policies asked me below question:

In OIM, you cannot add multiple groups in single iteration to AccessPolicy but you can remove multiple groups. What's the rationale behind this?

Well, I couldn't agree more with him and I have no answer for him and before he could throw any other question or think of asking me to modifying the OIM UI to provide capability to add multiple groups to Access Policy, I told him that I can create a Bulk Data Load Utility which can be used for loading the groups in bulk to access policies and below is the code for that:

package security.provisioning;
import java.io.BufferedReader;
import java.io.FileReader;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import com.thortech.xl.vo.AccessPolicyResourceData;
import com.thortech.xl.vo.PolicyChildTableRecord;
import Thor.API.tcResultSet;
import Thor.API.Operations.tcAccessPolicyOperationsIntf;
import oracle.iam.identity.rolemgmt.api.RoleManager;
import oracle.iam.identity.rolemgmt.api.RoleManagerConstants.RoleAttributeName;
import oracle.iam.identity.rolemgmt.vo.Role;
import oracle.iam.platform.Platform;
import oracle.iam.platform.entitymgr.vo.SearchCriteria;
import oracle.iam.scheduler.vo.TaskSupport;
import com.thortech.util.logging.Logger;
public class InitialAccessPolicyLoad extends TaskSupport {
 HashMap> mapping = new HashMap>();
 tcAccessPolicyOperationsIntf moAccesspolicyutility = null;
 private static final Logger logger = Logger.getLogger("SECURITY.EVENTS");
 private static final String CLASS_NAME = "security.provisioning.InitialAccessPolicyLoad : ";
 private static final long formKey = 25;
 private static final long objectKey = 24;
 private static final String tableKey = "22";
 private static final String objName = "OID User";
 private static final String fName = "UD_OID_USR";
 private static final String groupPrefix ="41~cn=";
 private static final String groupSuffix=",cn=Groups,dc=sample,dc=com";
 public void execute(HashMap arg0) {
  final String METHOD_NAME = "execute :: ";
  try {
   logger.debug(CLASS_NAME + METHOD_NAME + "Entering Method - execute");
   // Output File Name
   String inputFileName = arg0.get("Input File Name").toString();
   logger.debug(CLASS_NAME + METHOD_NAME + " Input File Name "
     + inputFileName);
   // Delimiter for EDR Group List
   String ROLE_DELIMITER = arg0.get("List Delimiter").toString();
   logger.debug(CLASS_NAME + METHOD_NAME + " List Delimiter "
     + ROLE_DELIMITER);
   // Delimiter for the Attributes in the Input File
   String FILE_DELIMITER = arg0.get("Field Delimiter").toString();
   logger.debug(CLASS_NAME + METHOD_NAME + " Field Delimiter "
     + FILE_DELIMITER);
   // Read Input File
   BufferedReader buff = new BufferedReader(new FileReader(inputFileName));
   buff.readLine();
   String Line = null; 
   boolean isValidRecord = true;
   String PolicyName = null;
   String RoleName = null;
   String Groups = null;
   ArrayList GroupList = new ArrayList();
   while ((Line = buff.readLine()) != null) {
  
    if (Line.startsWith("#")) {
     isValidRecord = false;
    }
  
    String[] values = Line.split(FILE_DELIMITER);
  
    if (values.length == 1) {
     PolicyName = values[0];
     isValidRecord = false;
    } else if (values.length == 2) {
     PolicyName = values[0];
     RoleName = values[1];
     isValidRecord = false;
    } else if (values.length == 3) {
     isValidRecord = true;
     PolicyName = values[0];
     RoleName = values[1];
     Groups = values[2];
     String[] gList = Groups.split(ROLE_DELIMITER);
     for(int i=0;i      GroupList.add(gList[i]);
     }
    }
  
  
    if (isValidRecord) {
     uploadPolicyData(PolicyName,RoleName,GroupList);
     logger.debug(CLASS_NAME + METHOD_NAME + "ADDING RECORD: " + Line);
    } else {
     logger.debug(CLASS_NAME + METHOD_NAME + "INVALID RECORD: " + Line);
    }
   }
   
   logger.info(CLASS_NAME + METHOD_NAME
     + " Access Policies Data Loaded");
  } catch (Exception e) {
   logger.error(CLASS_NAME + METHOD_NAME + e.getMessage());
  }
 }
 public void uploadPolicyData(String PolicyName, String RoleName, ArrayList GroupList) {
  final String METHOD_NAME = "uploadPolicyData :: ";

  try {
   tcAccessPolicyOperationsIntf moAccesspolicyutility = Platform
     .getService(tcAccessPolicyOperationsIntf.class);
   HashMap searchPolicy = new HashMap();
   searchPolicy.put("Access Policies.Name", PolicyName);
   tcResultSet result = moAccesspolicyutility.findAccessPolicies(searchPolicy);
 
   long policyKey = result.getLongValue("Access Policies.Key");
   logger.debug(CLASS_NAME + METHOD_NAME + "Access Policies.Key" +policyKey);
 
   Long roleKey = Long.parseLong(getRoleKey(RoleName));
   long[] roleKeys = { roleKey };
 
   //Add the Role NAME
   moAccesspolicyutility.assignGroups(policyKey, roleKeys);
   logger.info(CLASS_NAME + METHOD_NAME
     + " Role: "+ RoleName +" is attached to the Access Policy: " + PolicyName);
 
   for(int i = 0;i  
    HashMap childTableMap = new HashMap();
    String groupName = groupPrefix+GroupList.get(i)+groupSuffix;
    logger.debug(CLASS_NAME + METHOD_NAME + "OID Group Name: " +groupName);
    childTableMap.put("UD_OID_GRP_GROUP_NAME", groupName);
    AccessPolicyResourceData policyData = new AccessPolicyResourceData(objectKey,objName,formKey,fName,"P");
    PolicyChildTableRecord pChildTableData = policyData.addChildTableRecord(tableKey, "UD_OID_GRP", "Add", childTableMap);
    moAccesspolicyutility.setDataSpecifiedForObject(policyKey, objectKey, formKey, policyData);
    logger.info(CLASS_NAME + METHOD_NAME
      + " Group: "+ GroupList.get(i) +" attached to the Access Policy: " + PolicyName);
   }
  } catch (Exception e) {
   logger.error(CLASS_NAME + METHOD_NAME + e.getMessage());
  }
 }


 public String getRoleKey(String roleName) {
  final String METHOD_NAME = "getRoleKey :: ";
  System.out.println(CLASS_NAME + METHOD_NAME
    + "Entering Method - getRoleKey");
  RoleManager rmgr = Platform.getService(RoleManager.class);
  Set retAttrs = new HashSet();
  String roleKey = null;
  try {
   retAttrs.add(RoleAttributeName.DISPLAY_NAME.getId());
   SearchCriteria criteria = null;
   criteria = new SearchCriteria(RoleAttributeName.NAME.getId(),
     roleName, SearchCriteria.Operator.EQUAL);
   List roles = rmgr.search(criteria, retAttrs, null);
   roleKey = roles.get(0).getEntityId();
  } catch (Exception e) {
   logger.error(CLASS_NAME + METHOD_NAME + e.getMessage());
  }
  return roleKey;
 }

 // Method to check if  Role exists in OIM or not
 public boolean isRoleExist(String[] roles) {

  String METHOD_NAME = "isRoleExist :: ";
  logger.debug(CLASS_NAME + METHOD_NAME +"Entering Method - isRoleExist");
  boolean roleExist = false;
  boolean roleListEmpty = false;
  if(Arrays.toString(roles).length() == 2) {
   roleListEmpty = true;
  }

  try {
   if (!roleListEmpty) {
   RoleManager rmgr = Platform.getService(RoleManager.class);
   Set retAttrs = new HashSet();
   retAttrs.add(RoleAttributeName.DISPLAY_NAME.getId());
   SearchCriteria criteria = null;
   for (int i = 0; i < roles.length; i++) {
    criteria = new SearchCriteria(RoleAttributeName.NAME.getId(),
      roles[i], SearchCriteria.Operator.EQUAL);
    List role = rmgr.search(criteria, retAttrs, null);
    if (role.size() != 0) {
     roleExist = true;
    } else {
     logger.debug(CLASS_NAME + METHOD_NAME + roles[i]
       + " DOESN'T EXIST IN OIM");
     roleExist = false;
    }
   }
  }
   }catch (Exception e) {
    logger.error(CLASS_NAME + METHOD_NAME + e.getMessage());
  }
  return roleExist;
 }
 public HashMap getAttributes() {
  return null;
 }
 public void setAttributes() {
 }
}
I don't know how easy/hard is to modify the UI to provide the capability but considering this as "Nice To Have" requirement, I think the above solution is good enough. There are couple of things like Checking if OID Group exist or not or update(add & delete) the Groups I might need to add later.

Note: This code is specific to OID Resource and assume that access policy is already created.

 

OIM 11g: Read Access Policy Data

Hi,

Below is the sample code that I wrote to read the Data of Access Policies that are modified today. The code gives you the assigned role and the Groups provisioned to user by this access policy. In my case, the assigned resource was Oracle Internet Directory. The code uses the OIM 9.x APIs as 11g doesn't provide any API to get the access policies data.

package sample;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.Set;
import com.ibm.keymanager.logic.e;
import com.thortech.xl.vo.AccessPolicyResourceData;
import com.thortech.xl.vo.PolicyChildTableRecord;
import Thor.API.tcResultSet;
import Thor.API.tcUtilityFactory;
import Thor.API.Operations.tcAccessPolicyOperationsIntf;
import Thor.API.Operations.tcFormDefinitionOperationsIntf;
import oracle.iam.accesspolicy.vo.PolicyObjectDetails;
import oracle.iam.platform.OIMClient;
public class fetchAccessPolicyData {
 private static final String OIM_URL = "t3://oimhost:oimport";
 private static final String AUTH_CONF = "C:/designconsole/config/authwl.conf";
 private static final String OIM_USERNAME = "xelsysadm";
 private static final String OIM_PASSWORD = "password";
 private static OIMClient oimClient = null;
 Hashtable env = new Hashtable();
 public tcAccessPolicyOperationsIntf moAccesspolicyutility;
 public fetchAccessPolicyData() {
  try {
   env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL,
     "weblogic.jndi.WLInitialContextFactory");
   env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, OIM_URL);
   System.setProperty("java.security.auth.login.config", AUTH_CONF);
   System.setProperty("OIM.AppServerType", "wls");
   System.setProperty("APPSERVER_TYPE", "wls");
   oimClient = new OIMClient(env);
   oimClient.login(OIM_USERNAME, OIM_PASSWORD.toCharArray());
  } catch (Exception e) {
   e.printStackTrace();
  }
  return;
 }
 public void getData() {
  try {
  
   tcUtilityFactory ioUtilityFactory = new tcUtilityFactory(env,
     "xelsysadm", "Abcd1234");
   moAccesspolicyutility = (tcAccessPolicyOperationsIntf) ioUtilityFactory
     .getUtility("Thor.API.Operations.tcAccessPolicyOperationsIntf");
   tcFormDefinitionOperationsIntf formOp = (tcFormDefinitionOperationsIntf) ioUtilityFactory
     .getUtility("Thor.API.Operations.tcFormDefinitionOperationsIntf");
   HashMap attributeList = new HashMap();
   attributeList.put("Access Policies.Retrofit Flag", 1);
   tcResultSet result = moAccesspolicyutility
     .findAccessPolicies(attributeList);
   // tcResultSet result =
   // moAccesspolicyutility.getAccessPolicyByResourceName("OID User");
   SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd");
   Date now = new Date();
   String strDate = sdf.format(now);
   System.out.println("Current Date: " + strDate);
   String policyDate;
   for (int i = 0; i < result.getTotalRowCount(); i++) {
    result.goToRow(i);
    policyDate = result.getStringValue("Access Policies.Update Date");
    if (strDate.compareTo(policyDate) == 0) {
     System.out.println("Access Policy Name :"
       + result.getStringValue("Access Policies.Name"));
     System.out.println("Access Policies.Update Date :"
         + result.getStringValue("Access Policies.Update Date"));
    long policyKey = result.getLongValue("Access Policies.Key");
    tcResultSet policyresult = moAccesspolicyutility
      .getDataSpecifiedFor(policyKey);
    for (int f = 0; f < policyresult.getTotalRowCount(); f++) {
     policyresult.goToRow(f);
     long formKey = policyresult
       .getLongValue("Structure Utility.Key");
     long objectKey = policyresult.getLongValue("Objects.Key");
     tcResultSet groupResult = moAccesspolicyutility
       .getAssignedGroups(policyKey);
     for (int j = 0; j < groupResult.getTotalRowCount(); j++) {
      groupResult.goToRow(j);
     
    // This gives you the Role for which access policy will be triggered.
      System.out.println(groupResult
        .getStringValue("Groups.Group Name") + ",");

      AccessPolicyResourceData policyData = moAccesspolicyutility
        .getDataSpecifiedForObject(policyKey,
          objectKey, formKey);
      HashMap pData = policyData.getChildTables();
      Set s = pData.keySet();
      Iterator it = s.iterator();
      while (it.hasNext()) {
       String tableKey = it.next().toString();
       // System.out.println("tableKey " +tableKey);
       PolicyChildTableRecord[] pChildTableData = policyData
         .getChildTableRecords(tableKey);
       // System.out.println("pChildTableData.length " +
       // pChildTableData.length);
       for (int g = 0; g < pChildTableData.length; g++) {
        String EDRGroupName = pChildTableData[g]
          .getValue("UD_OID_GRP_GROUP_NAME");
        String arrtemp1[] = EDRGroupName.split(",");
        // System.out.println(arrtemp1[0]);
        String arrtemp2[] = arrtemp1[0].split("=");

//This will give you the groups which will be assigned to user account in OID/target resource applicable.
        System.out.print(arrtemp2[1]);
        System.out.println(";");
       }
      }
     }
    }
   }
   }
  } catch (Exception e) {
   e.printStackTrace();
  }
 }
}
References:
http://docs.oracle.com/cd/E17904_01/apirefs.1111/e17334/Thor/API/Operations/tcAccessPolicyOperationsIntf.html
http://docs.oracle.com/cd/E27559_01/apirefs.1112/e28159/com/thortech/xl/vo/AccessPolicyResourceData.html


Thanks

Is it Possible to Change the AD Organization Name from an Access Policy?

There is a small confusion in the way access policies work for AD, once an access policy is created and assigned to a group, whenever a user is added to that group, the access policy will be applied to him and AD User resource will be provisioned to him .

Now , if you make an update on the group membership on active directory process form(child form) in the access policy , then it will work and will be updated on the target side, but if you update the Organization name on active directory process form, then it will not be reflected in the target side and in the OIM side.

Now open the Access policy which you created and if you try to change the group membership on active directory process form(child form) in the access policy , then it will work and it will be updated on the target side, but if you update the Organization name on active directory process form,then it will not be reflected in the target side and in the OIM side. Now, one may have a doubt that when a change in the child form is reflected, why does a change in parent form not reflected in the target system .

As per the development the above behaviour is correct , the documentation says "Access policy engine checks if the resource is already provisioned to the user. If it is, then the resource will not be provisioned again. [...] After this, it checks the list of policies being newly added to see if any of them specify child table data for this resource. If they do, then the appropriate child table entries need to be made in the process form for this resource."

This explains why the change in the organization has no effect (resource is not provisioned again) but the change in the child form has an effect (new child table entries are added),so any change in the child form will be reflected but changes to the parent form/organization change will not be reflected.

Regards,
Sunny Ajmera

How To : Can Access Policies Manage The Life-cycle Of Users Created via Reconciliation?

Can Access Policies Manage The Life-cycle Of Users Created via Reconciliation?

Currently policy engine is able to manage life cycle of the resource only if the Resource Object is provisioned via OIM access policy.

If the resource is reconciled, OIM does not retrofit the data of the reconciled resource with the existing access policies. This means that OIM can not manage those users with access policy. This is also true when the users are obtained either through trusted reconciliation or target reconciliation. Please note that OIM has no way of knowing how accounts were created before OIM was deployed.

It is possible that before OIM was integrated with the target, accounts were created directly in the target based on policies, requested or delegated administrator based direct assignment or any other means ( like bulk upload from HR system or some other application or some meta-directory product). OIM cannot start de-provisioning accounts or entitlement assignments only because the new policies defined in OIM would not provision the account/entitlement to the user. Access policies can only do additional entitlement assignment for accounts discovered by recon. Additionally, once new accounts are provisioned from OIM, OIM knows the context for how they were provisioned and so can correctly de-provision accounts based on "revoke if no longer applies" flag.

One way to do this is to cleanse the existing data before integrating into OIM or run manual attestation in OIM to cleanse the data. Once the data is cleansed and uploaded in OIM, from thereon OIM can be configured to manage the accounts.

Regards,
SunShine

How to Delete Access Policy in OIM

The general instructions for removing an Access Policy from a group can be found in the Admin and User Console Guide, Chapter 10 Creating and Managing User Groups. A link to that chapter in the 9.1 version is below:
http://download.oracle.com/docs/cd/E10391_01/doc.910/e10360/usergroups.htm#BACCGCGB

This would remove the policy from the group, but not specifically delete the actual policy itself from the Oracle Identity Manager (OIM) server. There is the existing Enhancement Request Bug 5179943 for providing that complete delete feature and it has been approved for inclusion into the future release of OIM (11g version).