From 11g R2 onwards, when an access policy no longer applies to a user, the accounts and entitlements it provisioned are either revoked or disabled. There is no longer a "neither" option: for every object the policy provisions you must choose one of the two actions.
You have to use the class tcAccessPolicyOperationsIntf.PolicyNLAObjectActionType to specify if you want the entitlements to be revoked or disabled when the access policy is no longer applicable.
If you are creating the access policy through tcAccessPolicyOperationsIntf, pass a PolicyNLAObjectActionType[] (one entry per key in provObjKeys, in the same order) in place of the older boolean[] "revoke if no longer applies" argument, as shown below.
// Action taken on each provisioned object when the policy stops applying to a user.
static tcAccessPolicyOperationsIntf.PolicyNLAObjectActionType revokeFlag = tcAccessPolicyOperationsIntf.PolicyNLAObjectActionType.REVOKE;
static tcAccessPolicyOperationsIntf.PolicyNLAObjectActionType disableFlag = tcAccessPolicyOperationsIntf.PolicyNLAObjectActionType.DISABLE;
// One entry per element of provObjKeys, in the same order; this example provisions one object and revokes it.
tcAccessPolicyOperationsIntf.PolicyNLAObjectActionType[] actionIfPolNotApply = {revokeFlag};
// Third argument replaces the boolean[] "revoke if no longer applies" array of the older overload.
moAccesspolicyutility.createAccessPolicy(attr, provObjKeys, actionIfPolNotApply, denyObjKeys, groupKeys, policyData);
References:
http://docs.oracle.com/cd/E27559_01/admin.1112/e27149/accesspolicies.htm
http://docs.oracle.com/cd/E17904_01/apirefs.1111/e17334/Thor/API/Operations/tcAccessPolicyOperationsIntf.html
Here is sample code that creates access policies with the Java APIs. Note that it calls the older overload whose third argument is a boolean[] (one revoke-if-no-longer-applies flag per provisioned object); on 11g R2 substitute the PolicyNLAObjectActionType[] shown above. The policy name is also used as the name of the role the policy is attached to, and "By Request" is set to 0, so the resulting policies provision without an approval workflow.
package junit.accesspolicy;
import java.io.BufferedReader;
import java.io.Console;
import java.io.FileInputStream;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import com.thortech.xl.vo.AccessPolicyResourceData;
import com.thortech.xl.vo.PolicyChildTableRecord;
import oracle.iam.identity.rolemgmt.api.RoleManager;
import oracle.iam.identity.rolemgmt.api.RoleManagerConstants.RoleAttributeName;
import oracle.iam.identity.rolemgmt.vo.Role;
import oracle.iam.platform.OIMClient;
import oracle.iam.platform.Platform;
import oracle.iam.platform.entitymgr.vo.SearchCriteria;
import Thor.API.tcResultSet;
import Thor.API.Operations.tcAccessPolicyOperationsIntf;
import Thor.API.Operations.tcFormDefinitionOperationsIntf;
import Thor.API.Operations.tcITResourceInstanceOperationsIntf;
import Thor.API.Operations.tcObjectOperationsIntf;
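public class createAccessPolicy {
    /*
     * Connection settings. The server URL and the JAAS login-config path can be
     * overridden with -Doim.url / -Doim.authconf. The login name comes from
     * -Doim.username or the OIM_USERNAME environment variable, and the password
     * from readPassword(): no credential lives in source or in a class constant.
     */
    private static final String OIM_URL = System.getProperty("oim.url", "t3s://host:port");
    private static final String AUTH_CONF = System.getProperty("oim.authconf",
            "C:/designconsole/config/authwl.conf");
    private static final String OIM_USERNAME = System.getProperty("oim.username",
            System.getenv("OIM_USERNAME"));
    private static OIMClient oimClient = null;

    /** JNDI environment handed to OIMClient; filled in by the constructor. */
    private final Hashtable<String, String> env = new Hashtable<String, String>();
    /** Access-policy API handle; (re)acquired on every PolicyCreation() call. */
    public tcAccessPolicyOperationsIntf moAccesspolicyutility;

    private static final String objName = "OID User"; // Object Name (resource object)
    private static final String fParentName = "UD_OID_USR"; // Parent Process Form table
    private static final String fChildName = "UD_OID_GRP"; // Child Process Form table
    private static final String ITResourceName = "OID Server"; // IT Resource
    private static final String groupSuffix = ",cn=Groups,<>"; // Group DN tail; fill in the base DN

    /**
     * Characters that change the meaning of an LDAP distinguished name
     * (RFC 4514). A group name from the input file is spliced into a DN
     * unescaped, so names containing any of these are rejected.
     */
    private static final String DN_SPECIAL_CHARS = ",+\"\\<>;=";

    /**
     * Connects to OIM and logs in.
     *
     * @throws IllegalStateException if no username/password is available or the
     *         login fails. The previous version swallowed the failure and every
     *         later call then died with a NullPointerException on oimClient.
     */
    public createAccessPolicy() {
        if (OIM_USERNAME == null || OIM_USERNAME.trim().isEmpty()) {
            throw new IllegalStateException(
                    "OIM user not set: pass -Doim.username=<user> or set OIM_USERNAME");
        }
        env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, "weblogic.jndi.WLInitialContextFactory");
        env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, OIM_URL);
        System.setProperty("java.security.auth.login.config", AUTH_CONF);
        System.setProperty("OIM.AppServerType", "wls");
        System.setProperty("APPSERVER_TYPE", "wls");
        char[] password = readPassword();
        try {
            oimClient = new OIMClient(env);
            oimClient.login(OIM_USERNAME, password);
        } catch (Exception e) {
            oimClient = null;
            throw new IllegalStateException("OIM login failed for " + OIM_USERNAME + " at " + OIM_URL, e);
        } finally {
            // Do not leave the secret in the heap longer than the login needs it.
            Arrays.fill(password, '\0');
        }
    }

    /**
     * Obtains the login password without hard-coding it. OIM_PASSWORD in the
     * environment wins (for unattended runs); otherwise the user is prompted on
     * the console with echo off. The caller is responsible for wiping the array.
     */
    private static char[] readPassword() {
        String fromEnv = System.getenv("OIM_PASSWORD");
        if (fromEnv != null && !fromEnv.isEmpty()) {
            return fromEnv.toCharArray();
        }
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException(
                    "No OIM_PASSWORD in the environment and no console to prompt on");
        }
        char[] typed = console.readPassword("Password for %s: ", OIM_USERNAME);
        if (typed == null || typed.length == 0) {
            throw new IllegalStateException("Empty password");
        }
        return typed;
    }

    /**
     * Creates one access policy that provisions the OID resource, with one child
     * form row per group, to members of the role with the same name as the policy.
     *
     * Two attribute values are security-relevant and deliberate: Retrofit Flag = 1
     * applies the policy to users who ALREADY hold the role, so existing members
     * receive the groups as soon as the policy exists; By Request = 0 provisions
     * without an approval workflow.
     *
     * All lookups are done before anything is created and any failure aborts the
     * policy; a failure is reported on stderr and does not stop the caller.
     *
     * @param policyName policy name, description, and the name of the role to attach
     * @param groups     OID group CNs for the child form; null means no groups
     */
    public void PolicyCreation(String policyName, String[] groups) {
        try {
            if (policyName == null || policyName.trim().isEmpty()) {
                throw new IllegalArgumentException("policyName is required");
            }
            String[] groupNames = (groups == null) ? new String[0] : groups;
            moAccesspolicyutility = oimClient.getService(tcAccessPolicyOperationsIntf.class);
            System.out.println(policyName);

            HashMap<String, String> attr = new HashMap<String, String>();
            attr.put("Access Policies.Name", policyName); // Policy Name
            attr.put("Access Policies.Description", policyName); // Description same as Policy Name
            attr.put("Access Policies.Retrofit Flag", "1"); // Also apply to existing role members
            attr.put("Access Policies.By Request", "0"); // Without Approval

            // Each lookup is a remote call: resolve every key once, up front, and
            // stop here if anything is missing instead of half-building the policy.
            long objKey = findObjectKey();
            long parentFormKey = findParentFormKey();
            String childFormKey = findChildFormKey();
            String itResourceKey = findITResourceKey();
            String roleKeyText = getRoleKey(policyName);
            if (roleKeyText == null) {
                throw new IllegalStateException("No role named '" + policyName
                        + "'; refusing to create a policy with no role attached");
            }
            long roleKey = Long.parseLong(roleKeyText);

            long[] provObjKeys = { objKey }; // Resource to be provisioned
            // true = revoke (not disable) when the policy no longer applies.
            // On 11g R2 this boolean[] becomes a PolicyNLAObjectActionType[].
            boolean[] revokeObgIsNotApply = { true };
            long[] denyObjKeys = {}; // Nothing denied
            long[] groupKeys = { roleKey }; // Policy name doubles as role name
            String groupPrefix = itResourceKey + "~cn=";

            // Parent form data
            HashMap<String, String> parentFormData = new HashMap<String, String>();
            parentFormData.put("UD_OID_USR_SERVER", itResourceKey);
            parentFormData.put("UD_OID_USR_ORG_DN", itResourceKey + "~users");
            parentFormData.put("UD_OID_USR_PREF_LANG", "en");

            // One child-table entry per group, then the parent form data as the last element.
            AccessPolicyResourceData[] policyData = new AccessPolicyResourceData[groupNames.length + 1];
            for (int i = 0; i < groupNames.length; i++) {
                String cn = requireSafeDnValue(groupNames[i]);
                String groupName = groupPrefix + cn + groupSuffix;
                System.out.println(groupName);
                AccessPolicyResourceData groupData = new AccessPolicyResourceData(objKey,
                        objName, parentFormKey, fParentName, "P");
                HashMap<String, String> childTableMap = new HashMap<String, String>();
                childTableMap.put("UD_OID_GRP_GROUP_NAME", groupName);
                // The child form's table NAME goes here; the earlier version passed
                // the literal string "fChildName" instead of the constant.
                groupData.addChildTableRecord(childFormKey, fChildName, "Add", childTableMap);
                policyData[i] = groupData;
            }
            AccessPolicyResourceData formData = new AccessPolicyResourceData(objKey,
                    objName, parentFormKey, fParentName, "P");
            formData.setFormData(parentFormData);
            policyData[groupNames.length] = formData;

            moAccesspolicyutility.createAccessPolicy(attr, provObjKeys,
                    revokeObgIsNotApply, denyObjKeys, groupKeys, policyData);
            System.out.println(policyName + " Policy Created ");
        } catch (Exception e) {
            System.err.println("Failed to create policy '" + policyName + "'");
            e.printStackTrace();
        }
    }

    /**
     * Trims a group name from the input file and rejects anything that could
     * alter the DN it is spliced into: an empty value, a leading '#', a NUL, or
     * any of DN_SPECIAL_CHARS. RFC 4514 escaping would be the alternative, but
     * how the connector compares DNs is not visible here, so fail loudly instead.
     *
     * @return the trimmed name
     * @throws IllegalArgumentException if the name is unsafe
     */
    private static String requireSafeDnValue(String rawName) {
        String name = (rawName == null) ? "" : rawName.trim();
        if (name.isEmpty()) {
            throw new IllegalArgumentException("Empty group name");
        }
        if (name.charAt(0) == '#' || name.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("Group name not allowed in a DN: " + name);
        }
        for (int i = 0; i < DN_SPECIAL_CHARS.length(); i++) {
            char c = DN_SPECIAL_CHARS.charAt(i);
            if (name.indexOf(c) >= 0) {
                throw new IllegalArgumentException(
                        "Group name contains DN special character '" + c + "': " + name);
            }
        }
        return name;
    }

    /** Key of the child process form (UD_OID_GRP). */
    public String findChildFormKey() {
        return lookupFormKey(fChildName);
    }

    /** Key of the parent process form (UD_OID_USR). */
    public Long findParentFormKey() {
        return Long.valueOf(lookupFormKey(fParentName));
    }

    /**
     * Resolves a process form key by table name.
     *
     * @throws IllegalStateException if no form matches or the lookup fails
     */
    private String lookupFormKey(String tableName) {
        try {
            tcFormDefinitionOperationsIntf objIntf = oimClient
                    .getService(tcFormDefinitionOperationsIntf.class);
            HashMap<String, String> attributes = new HashMap<String, String>();
            attributes.put("Structure Utility.Table Name", tableName);
            tcResultSet resultSet = objIntf.findForms(attributes);
            return lastValue(resultSet, "Structure Utility.Key", "process form " + tableName);
        } catch (IllegalStateException e) {
            throw e;
        } catch (Exception e) {
            throw new IllegalStateException("Lookup of process form " + tableName + " failed", e);
        }
    }

    /**
     * Reads a column from the last row of a result set (the row the earlier
     * loops ended on), positioning the cursor first: without goToRow the value
     * read did not depend on the loop index. Fails if there is no row at all.
     */
    private static String lastValue(tcResultSet resultSet, String column, String what)
            throws Exception {
        int rows = resultSet.getRowCount();
        if (rows == 0) {
            throw new IllegalStateException("Not found: " + what);
        }
        if (rows > 1) {
            System.err.println("WARNING: " + rows + " rows match " + what + "; using the last one");
        }
        resultSet.goToRow(rows - 1);
        String value = resultSet.getStringValue(column);
        if (value == null || value.trim().isEmpty()) {
            throw new IllegalStateException("Empty " + column + " for " + what);
        }
        return value;
    }

    /**
     * Key of the "OID Server" IT resource instance.
     *
     * @throws IllegalStateException if no instance exists or the lookup fails
     */
    public String findITResourceKey() {
        try {
            tcITResourceInstanceOperationsIntf objIntf = oimClient
                    .getService(tcITResourceInstanceOperationsIntf.class);
            Map<?, ?> instances = objIntf.getITResourceInstances(ITResourceName);
            if (instances == null || instances.isEmpty()) {
                throw new IllegalStateException("No IT resource instance named " + ITResourceName);
            }
            if (instances.size() > 1) {
                System.err.println("WARNING: " + instances.size() + " IT resource instances named "
                        + ITResourceName + "; using the last one");
            }
            // Keys of the returned map are the instance keys; keep the last one as before.
            String itResourceKey = null;
            for (Object key : instances.keySet()) {
                itResourceKey = key.toString();
            }
            return itResourceKey;
        } catch (IllegalStateException e) {
            throw e;
        } catch (Exception e) {
            throw new IllegalStateException("Lookup of IT resource " + ITResourceName + " failed", e);
        }
    }

    /**
     * Looks up the role whose name equals roleName.
     *
     * @return the role's entity id, or null when no such role exists
     * @throws IllegalStateException if more than one role matches (a policy must
     *         not be attached to the wrong role) or the search itself fails; the
     *         earlier version silently swallowed every error
     */
    public String getRoleKey(String roleName) {
        if (roleName == null || roleName.trim().isEmpty()) {
            throw new IllegalArgumentException("roleName is required");
        }
        RoleManager rmgr = oimClient.getService(RoleManager.class);
        Set<String> retAttrs = new HashSet<String>();
        retAttrs.add(RoleAttributeName.DISPLAY_NAME.getId());
        retAttrs.add(RoleAttributeName.NAME.getId());
        SearchCriteria criteria = new SearchCriteria(RoleAttributeName.NAME.getId(),
                roleName, SearchCriteria.Operator.EQUAL);
        try {
            List<Role> roles = rmgr.search(criteria, retAttrs, null);
            if (roles == null || roles.isEmpty()) {
                return null;
            }
            if (roles.size() > 1) {
                throw new IllegalStateException(roles.size() + " roles match name '" + roleName + "'");
            }
            return roles.get(0).getEntityId();
        } catch (IllegalStateException e) {
            throw e;
        } catch (Exception e) {
            throw new IllegalStateException("Role search for '" + roleName + "' failed", e);
        }
    }

    /**
     * Key of the "OID User" resource object.
     *
     * @throws IllegalStateException if the object does not exist or the lookup fails
     */
    public Long findObjectKey() {
        try {
            HashMap<String, String> attributes = new HashMap<String, String>();
            attributes.put("Objects.Name", objName);
            tcObjectOperationsIntf objIntf = oimClient.getService(tcObjectOperationsIntf.class);
            tcResultSet resultSet = objIntf.findObjects(attributes);
            return Long.valueOf(lastValue(resultSet, "Objects.Key", "resource object " + objName));
        } catch (IllegalStateException e) {
            throw e;
        } catch (Exception e) {
            throw new IllegalStateException("Lookup of resource object " + objName + " failed", e);
        }
    }

    /**
     * Parses the policy file. Line 1 is a header and is skipped, as are blank
     * lines and lines starting with '#'. Every other line must be exactly
     * "AccessPolicyName,group1;group2;..." — extra comma-separated columns are
     * an error rather than silently dropped, since a group name containing a
     * comma would otherwise be truncated into a different DN.
     *
     * @return one {policyName, groupField} pair per data line
     * @throws IOException              if the file cannot be read
     * @throws IllegalArgumentException on a malformed line (with its line number)
     */
    private static List<String[]> readPolicyFile(String fileName) throws IOException {
        List<String[]> entries = new ArrayList<String[]>();
        BufferedReader buff = new BufferedReader(
                new InputStreamReader(new FileInputStream(fileName), "UTF-8"));
        try {
            String line = buff.readLine(); // header line
            int lineNo = 1;
            while ((line = buff.readLine()) != null) {
                lineNo++;
                String trimmed = line.trim();
                if (trimmed.isEmpty() || trimmed.startsWith("#")) {
                    continue;
                }
                String[] split = trimmed.split(",");
                if (split.length != 2 || split[0].trim().isEmpty() || split[1].trim().isEmpty()) {
                    throw new IllegalArgumentException(fileName + ":" + lineNo
                            + ": expected 'AccessPolicyName,group1;group2' but got: " + line);
                }
                entries.add(new String[] { split[0].trim(), split[1].trim() });
            }
        } finally {
            buff.close();
        }
        return entries;
    }

    /**
     * Entry point: java createAccessPolicy &lt;policy-file&gt;. The whole file is
     * validated before the first login or policy creation.
     */
    public static void main(String args[]) {
        if (args.length != 1) {
            System.err.println("Usage: createAccessPolicy <policy-file>");
            System.err.println("  line 1 is a header; then: AccessPolicyName,group1;group2;...");
            System.exit(2);
            return;
        }
        List<String[]> entries;
        try {
            entries = readPolicyFile(args[0]);
        } catch (Exception e) {
            e.printStackTrace();
            System.exit(1);
            return;
        }
        createAccessPolicy obj = new createAccessPolicy();
        for (String[] entry : entries) {
            String[] groupList = entry[1].split(";");
            obj.PolicyCreation(entry[0], groupList);
        }
    }
}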
References:
http://docs.oracle.com/cd/E17904_01/apirefs.1111/e17334/Thor/API/Operations/tcAccessPolicyOperationsIntf.html
http://docs.oracle.com/cd/E27559_01/apirefs.1112/e28159/com/thortech/xl/vo/AccessPolicyResourceData.html
http://docs.oracle.com/cd/E27559_01/apirefs.1112/e28159/com/thortech/xl/vo/PolicyChildTableRecord.html