OIM 11gR1: nested roles and access policies

Hello

We have an access policy that fires to assign users to Active Directory. The access policy has the following composition:

Rule: User Type == EMP AND Orgname == Company

Role: the role "employees of the company" is granted automatically to all users who evaluate to TRUE for the rule. This works very well.

Access policy: resource: Active Directory; membership rule: "employees of the company".

The setup above works fine. It fires when an employee is hired, and it fires again when an employee leaves, granting and revoking the resource as expected. Now we also want to give the resource to all child roles of "employees of the company". I have created a role called "cooperative society student" and set its parent role to "collaborators".


User1: Role: employee of company
User2: Role: student cooperative society

If I look at the role "employee of the company" and click the Members tab, I see two members: User1 (direct) and User2 (indirect).

However, the access policy does not fire to add User2 to Active Directory. They are an indirect member of the role, but do not receive the resources assigned to the role.

Should it? What can I do to ensure that members of the child role receive resources via the access policy on the parent role?

Thank you.

This is the expected behavior. You can update the access policy and add your child role to the list of roles allowed for this policy.

Kind regards
GP
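As an added illustration (not code from this thread or from OIM itself), the Python below models the behaviour described here and the first-level workaround in the "sub-groups and access policies" thread further down: a policy is checked against direct role grants only, so indirect members are skipped until the child role is itself attached to the policy. Role and user names come from the question; the hierarchy, grants and function names are assumptions.

```python
# Added example: a small model of access-policy evaluation over nested roles.
# ROLE_CHILDREN and DIRECT_GRANTS are constructed sample data matching the thread.
ROLE_CHILDREN = {
    "employees of the company": ["cooperative society student"],
    "cooperative society student": [],
}

DIRECT_GRANTS = {
    "User1": {"employees of the company"},
    "User2": {"cooperative society student"},
}


def descendants(role, depth=None):
    """Roles nested below `role`. depth=1 returns the first level only,
    depth=None walks the whole hierarchy."""
    out, frontier, level = [], list(ROLE_CHILDREN.get(role, [])), 1
    while frontier and (depth is None or level <= depth):
        out.extend(frontier)
        frontier = [c for r in frontier for c in ROLE_CHILDREN.get(r, [])]
        level += 1
    return out


def members(role):
    """What the role's Members tab shows: direct and indirect members."""
    result = {}
    for user, roles in DIRECT_GRANTS.items():
        if role in roles:
            result[user] = "direct"
        elif any(r in descendants(role) for r in roles):
            result[user] = "indirect"
    return result


def policy_applies(policy_roles, user):
    """The policy fires only for roles granted directly to the user;
    indirect membership through a parent role is not considered."""
    return bool(policy_roles & DIRECT_GRANTS[user])


def expand_policy(policy_roles, depth=1):
    """Mirror of the event-handler workaround: when a role is attached to a
    policy, also attach its child roles. depth=1 is the first level only, as
    the handler does; pass depth=None to attach the full nested closure."""
    expanded = set(policy_roles)
    for r in policy_roles:
        expanded.update(descendants(r, depth=depth))
    return expanded


if __name__ == "__main__":
    ad_policy = {"employees of the company"}
    print(members("employees of the company"))  # User1 direct, User2 indirect
    print(policy_applies(ad_policy, "User2"))  # False: indirect member only
    print(policy_applies(expand_policy(ad_policy), "User2"))  # True
```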

Tags: Fusion Middleware

Similar Questions

  • OAM 10.1.4.3 to Oracle Identity and Access Management 11gR1

    Hello
    We would like to move to Oracle Identity and Access Management 11gR1 with a new installation, but have a few questions:

    - The docs say you need to install SOA if you want to use Identity Manager in 11gR1. We use features such as lost-password management, which I believe we have configured through the Identity Manager piece. So I guess we need this?

    - Do you need to use WebLogic 10.3.5 for Oracle Identity and Access Management 11gR1 11.1.1.5, or can you use 10.3.6? I have only seen it certified with 10.3.5.

    Thanks for the help!

    Yes, it takes WebLogic 10.3.5 for OIM 11.1.1.5.
    For the 11.1.1.5 installation you need to install SOA even if you do not use it.

  • The sub-groups and access policies

    It seems that when I add a user to a subgroup, the access policies of that group's parent group do not fire. However, the user is added to the parent group's user list.
    Can someone please verify this?

    Thank you

    Subgroups do not inherit the access policy of the SuperGroup in OIM [ID 815373.1]

    Bug 5985475 :

    Define a post-insert event handler and attach it to the Access Policies data object manager, so that when a group is assigned to an access policy, it checks and adds its subgroups to the access policy (just the first level, as the handler will recursively do the same as it keeps adding subgroups). Make sure you have the same event handler attached to the post-delete event of the access policy, so that when a group is removed from the access policy, all of its subgroups are also removed from the access policy.

    Good luck!

  • ROLES and Access table

    Hello

    I use Oracle9i Enterprise Edition Release 9.2.0.6.0 - 64 bit Production.

    I have a D_GEOGRAPHY_25729 table in the RDS schema, and I created a role ACC_D_TABLES while logged in as an administrator.

    Now, I granted SELECT on table D_GEOGRAPHY_25729 to the ACC_D_TABLES role.

    There is another schema, TRANS, in the same database that has the ACC_D_TABLES role. But after logging in to this schema, I am not able to query the D_GEOGRAPHY_25729 table directly. I need to use it as below to access the table.
    select * from RDS.D_GEOGRAPHY_25729 
    Given that the ACC_D_TABLES role is correctly granted to the TRANS schema, why must I use RDS.D_GEOGRAPHY_25729? Is it not possible without adding the RDS schema name as a prefix?

    It is possible when I create a public synonym for D_GEOGRAPHY_25729 in the RDS schema, but if I do that, everyone can access this table. Can someone here help me understand and resolve this clearly?


    RAM

    > Given that the ACC_D_TABLES role is correctly granted to the TRANS schema, why must I use RDS.D_GEOGRAPHY_25729? Is it not possible without adding the RDS schema name as a prefix?
    >
    > It is possible when I create a public synonym for D_GEOGRAPHY_25729 in the RDS schema, but if I do that, everyone can access this table. Can someone here help me understand and resolve this clearly?

    Granting privileges governs who can access a table.
    Creating synonyms governs how an object name is resolved (to avoid prefixing it with the owner).
    They are two separate and independent things.

    A public synonym would mean that d_geography_25729 resolves to RDS.D_GEOGRAPHY_25729 for everyone, but unless you grant them privileges on it, they still cannot access it.

  • User roles and access rights in the portal

    Friends, I need your help with an application scenario.

    Another company has developed some APEX applications, and there are some groups created in Oracle Portal named super_admin, admin, etc.

    The challenge I face is that my username has been given the super_admin group, so I am able to see all the pages developed in APEX.

    But when I try to connect to the application as other users, who have only admin privileges, I can't see all of the pages and tabs which I am able to see using the super_admin group.

    Where in APEX can I see the users defined in the groups, to find out what privileges they got?

    Currently I see the home page of Summit and on the right side of it "manage explicit users of the application", but under that only admin users are listed, not the others.

    I will be really thankful if you could help me find the solution to this.


    Thank you
    ADI

    Hello Adi,

    Authorisation schemes can be applied to individual components like tabs as well.
    So you could check if there are some.

    Merry Christmas, Tine.

  • Strange behavior after giving a role to access policy.

    Greetings.
    I use OIM 11.1.1.3 and I also use the DBUM 9.1.0.4 adapter.
    I defined 3 roles in OIM, and I've defined three access policies to provision roles on a database.
    Each policy is associated with a role and a DBUM resource.
    In the end, I have the following policies:
    Policy name        OIM role   DB role
    1. policy role A   role A     DBRoleA
    2. policy role B   role B     DBRoleB
    3. policy role C   role C     DBRoleC

    When a role is granted to the user in OIM using the Administration Console, the correct database role is provisioned on the specified database. But if I revoke a role from the user and grant the same role again, the specified role is not provisioned on the specified database.
    Example: a user with "Role A", "Role B", "Role C" has DBRoleA, DBRoleB, DBRoleC in the database.
    After revoking "Role A" from the user, the database correctly has the roles DBRoleB and DBRoleC.
    But if "Role A" is granted to the user again, DBRoleA is not provisioned in the database.

    I activated the DBUM log file and it looks like the wrong role has been chosen: DBRoleB is the database role to be provisioned. We see this in the log file when the user is granted "Role A":

    [WLS_OIM1] [TRACE] [[OIMCP.] DBUM] [tid: [ASSETS].] [[ExecuteThread: '2' for the queue: "(self-adjusting) weblogic.kernel.Default"] [username: oiminternal] [ecid: 0000JDjSF5i9h ^ 5prOt1iY1EgfQX0000lD, 0] [SRC_CLASS: com.thortech.util.logging.Logger] [APP: IOM #11.1.1.3.0] [decided: 4506c477d760fc7e:26c2d53a:1336a1dbc64: - 7ffd - 0000000000000 d 45] [SRC_METHOD: Debug] oracle.iam.connectors.dbum.integration.DBUMProvisionManager: getChildFormData: form Value2011-11-04[2011-11-04T11:37:14.392-05:00] [WLS_OIM1] [PATH] [[OIMCP]. DBUM] [tid: [ASSETS].] [ExecuteThread: '2' for the queue: "(self-adjusting) weblogic.kernel.Default"] [username: oiminternal] [ecid: 0000JDjSF5i9h ^ 5prOt1iY1EgfQX0000lD, 0] [SRC_CLASS: com.thortech.util.logging.Logger] [APP: IOM #11.1.1.3.0] [decided: 4506c477d760fc7e:26c2d53a:1336a1dbc64: - 7ffd - 0000000000000 d 45] [SRC_METHOD: Debug] oracle.iam.connectors.dbum.integration.DBUMProvisionManager: getChildFormData: mapping of data from child form received:-{UD_DB_ORA_R_VERSION = 0, UD_DB_ORA_R_KEY = 3180, UD_DB_ORA_R_UPDATE = 2011-11-04, UD_DB_ORA_R_CREATE = 2011-11-04 {, process Instance.Key = 5916, UD_DB_ORA_R_UPDATEBY = 6 UD_DB_ORA_R_ROLE = 102 ~ * DBRoleB *, Access Policies.Key = 183, UD_DB_ORA_R_CREATEBY = 6}


    Has anyone experienced the same problem?
    Is there another way of provisioning database roles after granting OIM roles?

    Thank you!
    Ramiro Ortiz

    Re: Roles and access policies

    I created an access policy (with retrofit enabled and "revoke if not applicable" = true), i.e. if the user is a member of role XYZ, they should be provisioned to an application automatically (RBAC). Sometimes it works fine, but sometimes, even if the user is a member of role XYZ, the user is not provisioned.

  • CUCM: Roles and permissions for Reset/restart of the phone or apply Config

    Can someone tell me what permission must be added to a role to allow a user with that role to restart/reset (or apply config, same thing really) a phone device?

    The popup once you press reset/restart or apply config just says "user is not authorized to access this page."

    Thank you

    Ben.

    Hi Ben,

    What is your CUCM version? Are you using any custom role for the end users who reset/restart?

    If so, please add read/update privileges for the resource "Voice Mail Pilot web pages" to the custom role and check.

    Please check this bug ID: CSCug29903

  • Cannot access roles and features (Server Manager)

    Cannot access roles and features (Server Manager).
    The terminal server runs on Windows 2008 R2.
    I get an error (0x80080005 (CO_E_SERVER_EXEC_FAILURE)).
    The c:\Windows\System32\ServerManager\Cache directory is empty.
    Event log error, Event ID 1000:
    Name of the failing application: TrustedInstaller.exe, version: 6.1.7601.17514, time stamp: 0x4ce7989b
    Name of the failed module: msvcrt.dll, version: 7.0.7601.17744, time stamp: 0x4eeb033f
    Exception code: 0 x 40000015
    Offset: 0x000000000002a84e
    ID of the process failed: 0 x 2230
    Start time of application vulnerabilities: 0x01cd507bac023aca
    The failing application path: C:\Windows\servicing\TrustedInstaller.exe
    Path of the failing module: C:\Windows\system32\msvcrt.dll
    Report ID: e9bab27e-bc6e-11e1-a34e-000c29dc7c68
    - Programs and Features shows the installed updates. (The server is up to date when you run Windows Update.)
    What I've done so far:
    - Uninstalled Symantec Endpoint Protection
    - Booted from the 2008 media to replace C:\Windows\winsxs\pending.xml
    - Ran the System Update Readiness Tool for Windows 2008 R2; no errors are reported in CheckSUR.log and CheckSUR.persist.log
    - Ran a free registry cleaner
    What should we consider?
    Thank you

    Hello

    Your question is more complex than what is generally answered in the Microsoft Answers forums. It is better suited for the IT Pro audience on TechNet. Please ask your question in the following forum.

    Windows Server 2008 R2 General:

    http://social.technet.Microsoft.com/forums/en-us/winservergen/threads

    Regards

  • When opening the Database Cloud Service console I receive the message "the user role cannot access the Database Cloud Service" and see no service. Why?

    Thank you in advance.

    Try now

  • Cannot run queued script for roles and privileges

    Hi all;

    I'm recreating the user u1 and also trying to define the roles and privileges from the queued file.

    But I get an error message.


    $ cat f1.sql
    GRANT CONNECT to u1
    Grant RESOURCE to u1
    Grant CREATE SESSION to u1
    Grant UNLIMITED TABLESPACE to u1
    Grant CREATE TABLE to u1
    Grant CREATE ANY TABLE to u1
    Grant CREATE CLUSTER to u1
    Grant CREATE SYNONYM to u1
    Grant CREATE VIEW to u1
    Grant CREATE SEQUENCE to u1
    Grant CREATE ANY SEQUENCE to u1
    Grant CREATE DATABASE LINK to u1
    Grant CREATE PROCEDURE to u1
    Grant CREATE TRIGGER to u1
    Grant CREATE TYPE to u1
    GRANT CREATE OPERATOR to u1
    Grant CREATE INDEXTYPE to u1

    SYS > create user u1 identified by u1;

    User created.

    SYS > @f1.sql;

    5

    DB version is 11.2.0.1 on Red Hat 4.7

    Thank you

    Where are your semicolons?  Each command must end with a semicolon.

    Hemant K Chitale

  • roles and privileges

    I created a user and roles to access the tables.

    SQL > create role trans_role;

    SQL > grant select, insert, delete, update on pmms.table1 to trans_role;

    SQL > grant select, insert, delete, update on pmms.table2 to trans_role;

    SQL > grant trans_role to User1, User2;

    SQL > grant connect to User1, User2;

    But there is an error when user1 and user2 connect and try to select from the tables.

    SQL > select * from pmms.table1;
    Select * from pmms.table1
    *
    ERROR on line 1:
    ORA-00942: table or view does not exist


    SQL >

    Hello

    don123 wrote:

    ... I know that the password is case sensitive, but I don't know if the username is also case sensitive in Oracle? ...

    Yes, the user names are case-sensitive in Oracle.  "User1" is not the same user name as "user1".

    (Passwords are case-sensitive in Oracle 11.1 and upward, not in earlier versions.)

  • Is there a command that will take a nested sequence and break it back into the separate pieces it was made of before it became nested?

    Is there a command that will take a nested sequence and break it back into the separate pieces it was made of before it became nested? I think I've seen this once in training but I don't remember it and can't find it.

    I have roughly the same open, close and music track for 4 shows and I hate having to recreate these same elements to see all four separately.

    Thank you

    Steve

    You must click the icon before you paste the nest into a new sequence.

  • WC Portal - need information about the migration or DB tables for roles and users/groups.

    Hello

    We are upgrading the WebCenter Portal for a client from 11.1.1.3.0 to 11.1.1.8.0.

    Can anyone let me know the migration procedure or the DB tables involved that store the roles and the user groups under the security administration?

    Manually recreating all roles, users and groups one by one is my last option.

    Thank you

    Jean Claude

    Hello.

    Do not recreate it manually.

    The documentation must have a guide for the PS2 - PS7 migration explaining step by step what to do regarding security / policies.

    Read it slowly and carefully.

    Use the WLST backup/export/import scripts for your policy store / credentials.

    The following links can help you understand the WLST scripts for security migration:

    http://docs.Oracle.com/CD/E29542_01/core.1111/e10043/addlsecfea.htm#JISEC3639

    Infrastructure Security Custom WLST Commands - 11g Release 1 (10.3.6)

    We have migrated many times from 11.1.1.4/5 to 11.1.1.8. Always from the PS3 (11.1.1.4) version.

    11.1.1.3 to 11.1.1.4 was the biggest change from my point of view. I never had the opportunity to do PS2 to PSx.

    For migration tasks, my recommendation is to ask Oracle Support about doubts or things that are not clear in the documentation.

    Kind regards.

  • Re: Script to retrieve vCenter roles and permissions

    Hello guys,

    I need a script to do the following.

    The script should generate the following details in CSV format: vCenter roles and permissions -> AD groups assigned to this role -> privileges assigned to this role.

    vCenter role name
    (list of all roles)
    Usage details
    (the groups or users
    added to the particular role)
    List each privilege of the role.
    For example: Datacenter -> Global, etc.

    Thank you

    VK

    Hello

    Always try LucD's scripts; he is one of the best scripters. Check below one of his scripts:

    http://communities.VMware.com/message/1642302

    Thank you

  • vCOps roles and permissions

    Hello guys,

    I have a lot of questions revolving in my mind about vCOps roles and permissions.

    Here's a scenario: I have two teams, A and B, for which I created two customized dashboards in the vCOps custom UI. Team A should not have access to Team B's dashboard and vice versa. How can we achieve this?

    Is there an audit tool that can show who has what level of access in vCenter or vCOps? Or any PowerShell script to track changes in the roles and permissions of the environment?

    I will be grateful if someone can help me with that.

    Thank you

    You can create new groups in vC Ops for each team (under Admin > Security) and then share dashboards with only the groups that need access.  The access rights for the group would be limited to the dashboard capabilities you want them to have, like changing interactions, resizing/moving widgets, editing widgets, even creating new dashboards...

    Regarding audits, go to Admin > Audit Report, where you can run a report of users, groups and permissions.
