Here is the sample java code to provision groups in OID to user as per the assigned role in OIM. The roles have access policy attached to them.
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import com.thortech.xl.vo.AccessPolicyResourceData;
import com.thortech.xl.vo.PolicyChildTableRecord;
import oracle.iam.identity.rolemgmt.api.RoleManager;
import oracle.iam.identity.rolemgmt.vo.Role;
import oracle.iam.identity.usermgmt.api.UserManager;
import oracle.iam.identity.usermgmt.vo.User;
import oracle.iam.platform.OIMClient;
import oracle.iam.platform.Platform;
import Thor.API.tcResultSet;
import Thor.API.tcUtilityFactory;
import Thor.API.Operations.tcAccessPolicyOperationsIntf;
import Thor.API.Operations.tcFormInstanceOperationsIntf;
import Thor.API.Operations.tcLookupOperationsIntf;
import Thor.API.Operations.tcObjectOperationsIntf;
import Thor.API.Operations.tcUserOperationsIntf;
public class ForceUserProvisioning {
private static final String OIM_URL = "t3s://<>:14001";
private static final String AUTH_CONF = "<>";
private static final String OIM_USERNAME = "<>";
private static final String OIM_PASSWORD = "<>";
private static OIMClient oimClient = null;
Hashtable env = new Hashtable();
private static final String LOOKUP_COLUMN_DECODE = "Lookup Definition.Lookup Code Information.Decode";
public tcAccessPolicyOperationsIntf moAccesspolicyutility;
private tcObjectOperationsIntf objectOp = null;
private tcUserOperationsIntf userOp = null;
private tcFormInstanceOperationsIntf formOp = null;
public ForceUserProvisioning() {
try {
env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL,
"weblogic.jndi.WLInitialContextFactory");
env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, OIM_URL);
System.setProperty("java.security.auth.login.config", AUTH_CONF);
System.setProperty("OIM.AppServerType", "wls");
System.setProperty("APPSERVER_TYPE", "wls");
oimClient = new OIMClient(env);
oimClient.login(OIM_USERNAME, OIM_PASSWORD.toCharArray());
} catch (Exception e) {
e.printStackTrace();
}
}
//This method add the groups to the user in OID
public void updateUserGroups(String userLogin) {
try {
HashSet existingUserGroups = new HashSet();
Long userKey = Long.parseLong(getUserKey(userLogin));
userOp = oimClient.getService(tcUserOperationsIntf.class);
objectOp = oimClient.getService(tcObjectOperationsIntf.class);
formOp = oimClient.getService(tcFormInstanceOperationsIntf.class);
tcResultSet userObjects = userOp.getObjects(userKey);
String objName = userObjects.getStringValue("Objects.Name"); // OID User
long procKey = userObjects.getLongValue("Process Instance.Key");
long objKey = userObjects.getLongValue("Objects.Key");
long childFormKey;
long parentformkey = formOp.getProcessFormDefinitionKey(procKey);
int parentformver = formOp.getProcessFormVersion(procKey);
tcResultSet childforms = formOp.getChildFormDefinition(parentformkey, parentformver);
String plChildTableName = childforms.getStringValue("Structure Utility.Table Name");
long formkey = childforms.getLongValue("Structure Utility.Child Tables.Child Key");
tcResultSet childFormData = formOp.getProcessFormChildData(formkey, procKey);
HashSet groupSet = getAccessPolicyMapping(userLogin);
for(int k =0;k childFormData.goToRow(k);
String group = childFormData.getStringValue("UD_OID_GRP_GROUP_NAME");
//Get existing set of groups assigned to the user.
existingUserGroups.add(group);
//This will remove the extra groups which shouldn't be assigned to the user as per the assigned roles.
if(!groupSet.contains(group)) {
System.out.println ("Removing Group " + group);
long plChildFormPrimaryKey = childFormData.getLongValue("UD_OID_GRP_KEY");
formOp.removeProcessFormChildData( formkey, plChildFormPrimaryKey );
}
}
// This add groups as per the roles.
HashSet addGroups = new HashSet(groupSet);
addGroups.removeAll(existingUserGroups);
Iterator itrAdd = addGroups.iterator();
System.out.println(" Add " + addGroups.size());
if(addGroups.size()!=0) {
while(itrAdd.hasNext()) {
String groupName = itrAdd.next().toString();
HashMap groupHash = new HashMap();
groupHash.put("UD_OID_GRP_GROUP_NAME", groupName);
System.out.println(" Add " + groupName);
formOp.addProcessFormChildData(formkey, procKey, groupHash);
}
}
}catch(Exception e) {
e.printStackTrace();
}
}
//Get list of groups that needs to be assigned as per the Access Policy attached to the assigned roles in OIM
public HashSet getAccessPolicyMapping(String userLogin) {
HashSet mappingSet = new HashSet();
try {
tcUtilityFactory ioUtilityFactory = new tcUtilityFactory(env,
OIM_USERNAME, OIM_PASSWORD);
moAccesspolicyutility = (tcAccessPolicyOperationsIntf) ioUtilityFactory
.getUtility("Thor.API.Operations.tcAccessPolicyOperationsIntf");
HashSet roleSet = getUserRoles(userLogin);
System.out.println(" Roles Assigned to the User " + userLogin + " are " + roleSet.toString());
Iterator itr = roleSet.iterator();
while(itr.hasNext()) {
String policyName = itr.next().toString();
HashMap searchPolicy = new HashMap();
searchPolicy.put("Access Policies.Name", policyName);
tcResultSet result = moAccesspolicyutility
.findAccessPolicies(searchPolicy);
HashMap parentFormData = new HashMap();
ArrayList groupList = new ArrayList();
for (int i = 0; i < result.getTotalRowCount(); i++) {
result.goToRow(i);
long policyKey = result.getLongValue("Access Policies.Key");
tcResultSet policyresult = moAccesspolicyutility
.getDataSpecifiedFor(policyKey);
for (int f = 0; f < policyresult.getTotalRowCount(); f++) {
policyresult.goToRow(f);
long formKey = policyresult
.getLongValue("Structure Utility.Key");
long objectKey = policyresult.getLongValue("Objects.Key");
tcResultSet groupResult = moAccesspolicyutility
.getAssignedGroups(policyKey);
for (int j = 0; j < groupResult.getTotalRowCount(); j++) {
groupResult.goToRow(j);
AccessPolicyResourceData policyData = moAccesspolicyutility
.getDataSpecifiedForObject(policyKey,
objectKey, formKey);
HashMap pData = policyData
.getChildTables();
parentFormData= policyData.getFormData();
Set formSet = parentFormData.keySet();
Iterator formIterator = formSet.iterator();
while(formIterator.hasNext()) {
String key = formIterator.next().toString();
}
Set s = pData.keySet();
Iterator it = s.iterator();
while (it.hasNext()) {
String tableKey = it.next().toString();
PolicyChildTableRecord[] pChildTableData = policyData
.getChildTableRecords(tableKey);
for (int g = 0; g < pChildTableData.length; g++) {
String EDRGroupName = pChildTableData[g]
.getValue("UD_OID_GRP_GROUP_NAME");
//System.out.println(EDRGroupName);
mappingSet.add(EDRGroupName);
}
}
}
}
}
}
}catch(Exception e) {
e.printStackTrace();
}
return mappingSet;
}
// This method return set containing roles assigned to the user.
public HashSet getUserRoles(String userLogin) {
HashSet roleSet = new HashSet();
try {
RoleManager rolemanager = oimClient.getService(RoleManager.class);
List groupList = rolemanager
.getUserMemberships(getUserKey(userLogin), false);
for (Role role : groupList) {
roleSet.add(role.getName().trim());
}
}catch(Exception e) {
e.printStackTrace();
}
return roleSet;
}
public HashSet readLookup() {
String lookupDecode = "Lookup.FTB.IgnoreRole";
HashSet filterRoles = new HashSet();
try {
//Read Lookup to Find FilteredRoles
tcLookupOperationsIntf lookupOps = oimClient.getService(tcLookupOperationsIntf.class);
tcResultSet lookupResultSet = lookupOps.getLookupValues(lookupDecode);
for (int i = 0; i < lookupResultSet.getRowCount(); i++) {
lookupResultSet.goToRow(i);
String decode = lookupResultSet.getStringValue(
LOOKUP_COLUMN_DECODE).trim();
filterRoles.add(decode);
}
}catch(Exception e) {
e.printStackTrace();
}
return filterRoles;
}
public String getUserKey(String userLogin) {
UserManager usrMgr = oimClient.getService(UserManager.class);
User user = null;
try {
user = usrMgr.getDetails(userLogin, null, true);
} catch (Exception e) {
e.printStackTrace();
}
return user.getAttribute("usr_key").toString();
}
public static void main(String args[]) throws Exception {
ForceUserProvisioning obj = new ForceUserProvisioning();
obj.updateUserGroups("UserID");
System.out.println("Program Complete");
}
}
Note: I wrote this code for temporary use as in one of the environment, group provisioning via access policy stopped working.
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import com.thortech.xl.vo.AccessPolicyResourceData;
import com.thortech.xl.vo.PolicyChildTableRecord;
import oracle.iam.identity.rolemgmt.api.RoleManager;
import oracle.iam.identity.rolemgmt.vo.Role;
import oracle.iam.identity.usermgmt.api.UserManager;
import oracle.iam.identity.usermgmt.vo.User;
import oracle.iam.platform.OIMClient;
import oracle.iam.platform.Platform;
import Thor.API.tcResultSet;
import Thor.API.tcUtilityFactory;
import Thor.API.Operations.tcAccessPolicyOperationsIntf;
import Thor.API.Operations.tcFormInstanceOperationsIntf;
import Thor.API.Operations.tcLookupOperationsIntf;
import Thor.API.Operations.tcObjectOperationsIntf;
import Thor.API.Operations.tcUserOperationsIntf;
public class ForceUserProvisioning {
private static final String OIM_URL = "t3s://<
private static final String AUTH_CONF = "<
private static final String OIM_USERNAME = "<
private static final String OIM_PASSWORD = "<
private static OIMClient oimClient = null;
Hashtable
private static final String LOOKUP_COLUMN_DECODE = "Lookup Definition.Lookup Code Information.Decode";
public tcAccessPolicyOperationsIntf moAccesspolicyutility;
private tcObjectOperationsIntf objectOp = null;
private tcUserOperationsIntf userOp = null;
private tcFormInstanceOperationsIntf formOp = null;
public ForceUserProvisioning() {
try {
env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL,
"weblogic.jndi.WLInitialContextFactory");
env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, OIM_URL);
System.setProperty("java.security.auth.login.config", AUTH_CONF);
System.setProperty("OIM.AppServerType", "wls");
System.setProperty("APPSERVER_TYPE", "wls");
oimClient = new OIMClient(env);
oimClient.login(OIM_USERNAME, OIM_PASSWORD.toCharArray());
} catch (Exception e) {
e.printStackTrace();
}
}
//This method add the groups to the user in OID
public void updateUserGroups(String userLogin) {
try {
HashSet
Long userKey = Long.parseLong(getUserKey(userLogin));
userOp = oimClient.getService(tcUserOperationsIntf.class);
objectOp = oimClient.getService(tcObjectOperationsIntf.class);
formOp = oimClient.getService(tcFormInstanceOperationsIntf.class);
tcResultSet userObjects = userOp.getObjects(userKey);
String objName = userObjects.getStringValue("Objects.Name"); // OID User
long procKey = userObjects.getLongValue("Process Instance.Key");
long objKey = userObjects.getLongValue("Objects.Key");
long childFormKey;
long parentformkey = formOp.getProcessFormDefinitionKey(procKey);
int parentformver = formOp.getProcessFormVersion(procKey);
tcResultSet childforms = formOp.getChildFormDefinition(parentformkey, parentformver);
String plChildTableName = childforms.getStringValue("Structure Utility.Table Name");
long formkey = childforms.getLongValue("Structure Utility.Child Tables.Child Key");
tcResultSet childFormData = formOp.getProcessFormChildData(formkey, procKey);
HashSet groupSet = getAccessPolicyMapping(userLogin);
for(int k =0;k
String group = childFormData.getStringValue("UD_OID_GRP_GROUP_NAME");
//Get existing set of groups assigned to the user.
existingUserGroups.add(group);
//This will remove the extra groups which shouldn't be assigned to the user as per the assigned roles.
if(!groupSet.contains(group)) {
System.out.println ("Removing Group " + group);
long plChildFormPrimaryKey = childFormData.getLongValue("UD_OID_GRP_KEY");
formOp.removeProcessFormChildData( formkey, plChildFormPrimaryKey );
}
}
// This add groups as per the roles.
HashSet addGroups = new HashSet(groupSet);
addGroups.removeAll(existingUserGroups);
Iterator itrAdd = addGroups.iterator();
System.out.println(" Add " + addGroups.size());
if(addGroups.size()!=0) {
while(itrAdd.hasNext()) {
String groupName = itrAdd.next().toString();
HashMap groupHash = new HashMap();
groupHash.put("UD_OID_GRP_GROUP_NAME", groupName);
System.out.println(" Add " + groupName);
formOp.addProcessFormChildData(formkey, procKey, groupHash);
}
}
}catch(Exception e) {
e.printStackTrace();
}
}
//Get list of groups that needs to be assigned as per the Access Policy attached to the assigned roles in OIM
public HashSet getAccessPolicyMapping(String userLogin) {
HashSet
try {
tcUtilityFactory ioUtilityFactory = new tcUtilityFactory(env,
OIM_USERNAME, OIM_PASSWORD);
moAccesspolicyutility = (tcAccessPolicyOperationsIntf) ioUtilityFactory
.getUtility("Thor.API.Operations.tcAccessPolicyOperationsIntf");
HashSet roleSet = getUserRoles(userLogin);
System.out.println(" Roles Assigned to the User " + userLogin + " are " + roleSet.toString());
Iterator itr = roleSet.iterator();
while(itr.hasNext()) {
String policyName = itr.next().toString();
HashMap searchPolicy = new HashMap();
searchPolicy.put("Access Policies.Name", policyName);
tcResultSet result = moAccesspolicyutility
.findAccessPolicies(searchPolicy);
HashMap
ArrayList
for (int i = 0; i < result.getTotalRowCount(); i++) {
result.goToRow(i);
long policyKey = result.getLongValue("Access Policies.Key");
tcResultSet policyresult = moAccesspolicyutility
.getDataSpecifiedFor(policyKey);
for (int f = 0; f < policyresult.getTotalRowCount(); f++) {
policyresult.goToRow(f);
long formKey = policyresult
.getLongValue("Structure Utility.Key");
long objectKey = policyresult.getLongValue("Objects.Key");
tcResultSet groupResult = moAccesspolicyutility
.getAssignedGroups(policyKey);
for (int j = 0; j < groupResult.getTotalRowCount(); j++) {
groupResult.goToRow(j);
AccessPolicyResourceData policyData = moAccesspolicyutility
.getDataSpecifiedForObject(policyKey,
objectKey, formKey);
HashMap
.getChildTables();
parentFormData= policyData.getFormData();
Set
Iterator formIterator = formSet.iterator();
while(formIterator.hasNext()) {
String key = formIterator.next().toString();
}
Set
Iterator
while (it.hasNext()) {
String tableKey = it.next().toString();
PolicyChildTableRecord[] pChildTableData = policyData
.getChildTableRecords(tableKey);
for (int g = 0; g < pChildTableData.length; g++) {
String EDRGroupName = pChildTableData[g]
.getValue("UD_OID_GRP_GROUP_NAME");
//System.out.println(EDRGroupName);
mappingSet.add(EDRGroupName);
}
}
}
}
}
}
}catch(Exception e) {
e.printStackTrace();
}
return mappingSet;
}
// This method return set containing roles assigned to the user.
public HashSet getUserRoles(String userLogin) {
HashSet
try {
RoleManager rolemanager = oimClient.getService(RoleManager.class);
List
.getUserMemberships(getUserKey(userLogin), false);
for (Role role : groupList) {
roleSet.add(role.getName().trim());
}
}catch(Exception e) {
e.printStackTrace();
}
return roleSet;
}
public HashSet
String lookupDecode = "Lookup.FTB.IgnoreRole";
HashSet
try {
//Read Lookup to Find FilteredRoles
tcLookupOperationsIntf lookupOps = oimClient.getService(tcLookupOperationsIntf.class);
tcResultSet lookupResultSet = lookupOps.getLookupValues(lookupDecode);
for (int i = 0; i < lookupResultSet.getRowCount(); i++) {
lookupResultSet.goToRow(i);
String decode = lookupResultSet.getStringValue(
LOOKUP_COLUMN_DECODE).trim();
filterRoles.add(decode);
}
}catch(Exception e) {
e.printStackTrace();
}
return filterRoles;
}
public String getUserKey(String userLogin) {
UserManager usrMgr = oimClient.getService(UserManager.class);
User user = null;
try {
user = usrMgr.getDetails(userLogin, null, true);
} catch (Exception e) {
e.printStackTrace();
}
return user.getAttribute("usr_key").toString();
}
public static void main(String args[]) throws Exception {
ForceUserProvisioning obj = new ForceUserProvisioning();
obj.updateUserGroups("UserID");
System.out.println("Program Complete");
}
}
Note: I wrote this code for temporary use as in one of the environment, group provisioning via access policy stopped working.
