HAPPY NEW YEAR 2017

Identity And Access Management - Rajiv Dewan

Get All The FIelds and LABELS of CHILD FORM

Requirement:
Get All the fields and labels of Child Form

Solution:

Please use the below code snippet:

public  void printChildFormColumn(long processInstanceKey) throws Exception{

  tcFormInstanceOperationsIntf formInstanceOperationsIntf = oimClient.getService(Thor.API.Operations.tcFormInstanceOperationsIntf.class);
 tcFormDefinitionOperationsIntf formDefinitionIntf = oimClient.getService(Thor.API.Operations.tcFormDefinitionOperationsIntf.class);
 long processFormDefinitionKey = formInstanceOperationsIntf.getProcessFormDefinitionKey(processInstanceKey);
 int processParentFormVersion = formInstanceOperationsIntf.getActiveVersion(processFormDefinitionKey);
tcResultSet resultGetChildFormDefinition = formInstanceOperationsIntf.getChildFormDefinition(processFormDefinitionKey, processParentFormVersion);
 int countResultGetChildFormDefinition = resultGetChildFormDefinition.getRowCount();
 for(int j = 0; j < resultGetChildFormDefinition.getRowCount(); j++){
 resultGetChildFormDefinition.goToRow(j);
 long childFormKey = resultGetChildFormDefinition.getLongValue("Structure Utility.Child Tables.Child Key");
 int version = resultGetChildFormDefinition.getIntValue("Structure Utility.Child Tables.Child Version");
 System.out.println("childFormKey :: " + childFormKey + " version :: " + version);
tcResultSet formFields = formDefinitionIntf.getFormFields(childFormKey, version);
 for(int k = 0; k < formFields.getRowCount(); k++){
 formFields.goToRow(k);
String column = formFields.getStringValue("Structure Utility.Additional Columns.Name");
 String label = formFields.getStringValue("Structure Utility.Additional Columns.Field Label");
 System.out.println("COLUMN :: " + column + "  LABEL :: " + label);
 }}}

Change A Field from Text to Loookup Field

Requirement:

Need to change type of Field from Text to Lookup Type
Lookup Field should be associated with lookup quey

Reference:


Solution

Export the User.xml using weblogicExportMetadata Utility and search for this newly created field.

You'll see the section as follow:
































































REPLACE WITH:

















































































Save the file and import into MDS again using weblogicImportMetadata utility

Run the PurgeCache or Restart your OIM Server
















Java Code to Print ResultSet

Requirement:
Print all the column name and their values in the ResultSet

Solution:
Use the below code snippet for same:

public static void printResultSet(tcResultSet result) throws tcAPIException, tcColumnNotFoundException{
for(int i = 0; i < result.getRowCount(); i++){
result.goToRow(i);
String column[] = result.getColumnNames();
for(int j = 0; j < column.length; j++){
String colName = column[j];
String value = result.getStringValue(colName);
System.out.println(colName + " --- " + value);
}}}
       

Create OIM COnnection from OUTSIDE OIM 10g and OIM 11g using OLD APIsRequirement:

Requirement:

Need to call OIM APIs from OUTSIDE 

Assumption:

Demo code shows the configuration for weblogic
You need to change the RED Color lines as per your environment
Copy the WORKING copy for Design Console directory
You should have proper permissions on the copied directory

Solution:

Copy working copy of Design Console Directory to local from where you want to call OIM APIs say Designconsole

Use the below code:

System.out.println("Startup...");
System.out.println("Getting configuration...");
ConfigurationClient.ComplexSetting config =ConfigurationClient.getComplexSettingByPath("Discovery.CoreServer");
System.out.println("Login...");
Hashtable env = config.getAllSettings();
System.out.println(env.toString());
 System.setProperty("XL.HomeDir","D:\\designconsole");
 System.out.println(System.getProperty("XL.HomeDir"));
 System.setProperty("java.security.policy","D:\\designconsole\\config\\xl.policy");
 System.setProperty("java.security.auth.login.config","D:\\designconsole\\config\\authwl.conf");
 tcUtilityFactory ioUtilityFactory = new tcUtilityFactory(env,"xelsysadm","RDEWAN1234");
tcUserOperationsIntf userIntf = (tcUserOperationsIntf) ioUtilityFactory.getUtility("Thor.API.Operations.tcUserOperationsIntf");
System.out.println("userIntf :: " + userIntf);

Stop Schedule Task using APIs in OIM 10g

Requirement:

Stop the Schedule Task using OIM APIs

Solution:

Here is the sample code:

tcSchedulerOperationsIntf scheduleIntf = (tcSchedulerOperationsIntf) ioUtilityFactory.getUtility("Thor.API.Operations.tcSchedulerOperationsIntf");
HashMap scheduleMap = new HashMap();
scheduleMap.put("Task Scheduler.Name", "XYZ");
tcResultSet scheduleResultSet = scheduleIntf.findScheduleTasks(scheduleMap);
long scjeduleTaskKey = scheduleResultSet.getLongValue("Task Scheduler.Key");
HashMap updateMap = new HashMap();
updateMap.put("TSK_STOP", "1");
scheduleIntf.updateScheduleTask(scjeduleTaskKey, updateMap);
System.out.println("Schedule Task is STOPPED successfully");
 
Assumption:

You have implemented Stop() method and Stop Flag in the Schedule Task.          

How to get LoggedIn User ID on Process Form

Requirement:
We need to see that who has modified particular field on Process Form or we want LoggedIn "User Login" on Process Form for some purpose


Solution:
Here are the steps to accomplish the same:

Note: I am demostrating the solution using Process Task Adapter. You can use other options as well as per requirement

  • Create Java Code

public String printLoggedInUser(tcDataProvider dataProvider){
        System.out.println("INSDIE printLoggedInUser ");
        String loggedInUserID = "";
        try {
            loggedInUserID = dataProvider.getUserLogin();
            System.out.println("loggedInUserID :: " + loggedInUserID);
        } catch (tcDataAccessException e) {
            e.printStackTrace();
        } catch (tcClientDataAccessException e) {
            e.printStackTrace();
        }
        return loggedInUserID;
    }

  • Make JAR file and paste in /xellerate/JavaTasks directory
  • Create Process Task Adapter and map variables as below
                          Input - Adapter Reference - Database Reference 
                          Output - Return Variable
































  • Build the Adapter
  • Attach your Adapter with a Task in the Process Definition. 
  • Call this task on Successful Updation of Attribute Task
  • Map the Adapter Return Value with 
  • Process Data -- Form Field say UD_TEST_LOGGEDIN 
  • Save and Test

Metadata for OIM User Profile for 11g

Requirement:
How to fetch User Attributes from RESULTSET using OLD APIs.

Solution:
Below is the Metadata or Column Name which can be used to fetch user attributes using OIM 10g APIs:

FA Territory

Users.Password Warning Date
Employee Number
usr_locale
Users.Middle Name
Manually Locked
Users.Disable User
Users.Update Date
Date Format
Users.Display Name
Mobile
USR_TIMEZONE
Users.Ldap Organization
Users.Lock User
Currency
Users.End Date
Pager
Users.Deprovisioned Date
Time Format
USR_CREATED
Users.Deprovisioning Date
PO Box
USR_UDF_OTHER
Color Contrast
Users.Creation Date
Users.Ldap Guid
Accessibility Mode
Users.Country
Users.Xellerate Type
Users.Change Password At Next Logon
Users.Password Expiration Date
Users.Password Cannot Change
Users.Email
Users.Provisioned Date
Users.System Level
Common Name
Automatically Delete On
Locked On
Users.Start Date
Users.Last Name
Users.First Name
Locality Name
Users.Manager Key
Users.Manager Login
Users.Manager First Name
Users.Manager Last Name
Number Format
USR_POLICY_UPDATE
Street
Embedded Help
Users.Password Expired
Department Number
Hire Date
Users.Password Warned
Telephone Number
Home Postal Address
Font Size
Users.Updated By
Description
Home Phone
Users.Ldap Organization Unit
usr_pwd_min_age_date
Fax
Postal Code
Organizations.Key
Organizations.Organization Name
Users.Key
Users.User ID
Title
USR_UDF_OBGUID
Users.Status
Generation Qualifier
State
Postal Address
Initials
Users.Password Never Expires
Users.Password Must Change
LDAP DN
Users.Role
FA Language
Password Generated
Users.Provisioning Date
MEMBERTYPE

Sample Code: Find UDF/Other Attributes using OIM 11g API

Requirement:
Find UDF value using OIM 11g API

Solution
Here is the sample code:

Create a UDF say USR_UDF_OTHER Other Attribute

SearchCriteria criteria = new SearchCriteria("User Login", "RDEWAN", SearchCriteria.Operator.EQUAL);
UserManager usrService = oimClient.getService(UserManager.class);
Set retAttrs = new HashSet();
retAttrs.add("Other Attribute");
List <User> users = usrService.search(criteria, retAttrs, null);
String otherAttribute = (String) users.get(0).getAttribute("Other Attribute");
System.out.println("Value for otherAttribute :: " + otherAttribute);



Other Way


User user = usrService.getDetails("User Login", "RDEWAN", null);
HashMap mapAttrs = user.getAttributes();

String otherAttribute= (String) mapAttrs.get("Other Attribute");


Sample Code: To Search Organization with Organization Key

Requirement:

Search Organization using OIM 11g API

Solution:

Here is the sample code for the same:

Long orgKey = 1L;
OrganizationManager orgService = oimClient.getService(OrganizationManager.class);
Set orgCritAttrs = new HashSet();
SearchCriteria.Operator.EQUAL);
SearchCriteria orcriteria = new SearchCriteria("act_key", orgKey, SearchCriteria.Operator.EQUAL);
orgCritAttrs .add(OrganizationManagerConstants.AttributeName.ORG_NAME.getId());
List orgs = orgService.search(orcriteria, orgCritAttrs, null);
System.out.println("Organization Result Set Size:: " + orgs.size());
String organizationName = (String) orgs.get(0).getAttribute("Organization Name");
System.out.println("Organization Name :: " + organizationName);

Sample Code: Get User Organization using OIM 11g API

Requirement:

Need to find user Organization using OIM 11g API:

Solution:

Here is the sample code for the same. It will give you Organization Key of that user. You can fetch the Organization Name with that:

SearchCriteria criteria = new SearchCriteria("User Login", "XELSYSADM", SearchCriteria.Operator.EQUAL);UserManager usrService = oimClient.getService(UserManager.class);
Set retAttrs = new HashSet();
retAttrs.add(UserManagerConstants.AttributeName.USER_ORGANIZATION.getId());
List users = usrService.search(criteria, retAttrs, null);
System.out.println("Organization Key -- " + users.get(0).getAttribute("act_key"));


Play-around with User Form Fields

Requirement: 
How to change an encrypted field to plain text field

Solution:

Create a UDF in OIM 11g through Advance Console > User Configuration
















Select Display Type as Secret and Encryption will come automatically as "Encrypted"















Click Save Next and Verify the details and click Save
















While creating user, you won't be able to the value which you entering in this field














Export the User.xml using weblogicExportMetadata Utility and search for this newly created field. You'll see "display-type" as SECRET and encryption as ENCRYPT






































Change value for following attributes:

  1. display-type : "SECRET" to "TEXT"
  2. encryption  :  "ENCRYPTION" to "CLEAR"






































Save the file and import into MDS again using weblogicImportMetadata utility

Run the PurgeCache or Restart your OIM Server

Create a user and you'll see data as plain text




You can also play-around with other fields

BIGGEST BUG IN Oracle Identity Manager

BIGGEST BUG IN Oracle Identity Manager

I was doing R n D and found the biggest bug in OIM 11g. I am able to reproduce the same in OIM 10g as well.

Description:

A user who is part of All User group, can export all the configuration from OIM and can perform other operations as well.

NOTE: I am not posting other internal things.


Steps to Reproduce:

Create a user:




Check the Roles:



Login with EUSER and verify User doesn't have access to Advance Console























Content are hidden for Security Purpose
 


















































Difference between Weblogic Development and Production Mode

Here are some difference between Weblogic Development Mode and Production Mode








Oracle Identity Manager Interview Questions

  • What are the steps to integrate Active Directory with Oracle Identity Manager ?
  • How will I configure Scheduler only on single node in a clustered environment which is having more than one node (OIM 10g and OIM 11g) ?
  • What are the possible ways to integrate Approval Workflow with a Resource Object in Oracle Identity Manager 11g ?
  • How Escalation and Remiders Notification work in Oracle Identity Manager 11g ?
  • How will you add additional fields on Self Register Form (OIM 10g and OIM 11g) ?
  • How Approval Policies are different from Access Polcies ?
  • How do we create complex rules for Approval Policies ?
  • What is the significance of "Create Reconciliation Profile" button in Oracle Identity Manager 11g ?
  • What are Object Reconciliation Rule ?
  • Explain the Architecture of OIM ?
  • How will be remove Validation for duplicate email address ?

Oracle Identity Manager 11g Interview Questions

  1. What is Identity Management ?
  2. What all are the issues you faced in OIM 11g which were not there in OIM 10g ?
  3. What are difference between OIM 11g and OIM 10g ?
  4. What is Request Template ?
  5. Why we need Request Template in OIM ?
  6. Can we use OES /Authorization Policies to work at attribute level ?
  7. What is Notification Template and how it works in OIM ?
  8. Can we extend Request Models in OIM 11g ?
  9. How Request Datasets are related to Object Form ?
  10. What are the advantages of Request Dataset over Object Form ?
  11. What is the function of SOA in OIM 11g ?
  12. What are the steps and challeneges to export/import UDF in OIM 11g ?
  13. What are the benefits of OIM 11g over OIM 10g ?
  14. In OIM 11g we have UploadJar Utillity, what are the benefits of that ?
  15. Can we attach an image on Request Dataset ?
  16. What are the operations supportes in Event Handlers in OIM 11g ?
  17. Which class do you implement to create an Event Handler ?
  18. Which class do you implement to create a Schedule Task ?
  19. What is Authorization Policy in OIM 11g ? 
  20. Tell me atleast 5 good things about OIM which are not present in other IDM Products ?
  21. Difference between Approval Policy and Access Policy?
  22. Can we create Approval Rule using Java ?
  23. Can we create Approval Rule in Approval Policy using User Defined Attributes of User ?
  24. Steps to deploy Scheduler, EventHandlers and Approval Workflow ?
  25. What is the best practice to migrate code from one env to another env ?

Oracle Identity Manager 11.1.1.5.0 Installation Guide - Windows Platform


Please find the Oracle Identity Manager 11.1.1.5.0 Installation Guide on Windows Platform







Note:
I accept no liability for the content of this document, or for the consequences of any actions taken on the basis of the information provided. Use this document for learning purpose.

GTC and USER ID Generation Issue

I have seen one intresting issue so thought to share with you all:

Requirement:
DB/Flat File GTC is Trusted Reconciliation and we have to generate a unique User ID in OIM.



Assumption:
OIM Version: Oracle Identity Manager 10g


General Design:

  1. As User ID is required field in OIM then we pass a Lietral Value say 'DUMMYID' in User ID field through GTC
  2. We attach an Event Handler/Entity Adapter to generate Unique User ID and attach it on User Form
  3. And this Event Handler will update the User ID field of OIM with generated Unique User ID
  4. We make Reconciliation Rule on some other unique field of Trusted Source say "Employee Number"
Issue with the Design:

Reconciliation will work fine for the first time but when we run for the second time then it would be having 'DUMMYID' in User ID field and it will update the OIM User ID with 'DUMMYID' again.

And if we run reconciliation for more than one user then it will try to update same User ID i.e. 'DUMMYID' for all the users and will throw exception "Can not insert duplicate User Id"

Solution:

  1. Don't pass 'DUMMYID' from GTC
  2. Make User ID as Non Mandatory in OIM




Add Role to Request Template Using OIM 11g APIs

RequestTemplateService requestTemplateService = RequestTemplateService requestTemplateService = oimClient.getService(RequestTemplateService.class);
List roleList = new ArrayList() ;
roleList .add("241"); // 241 is the Group Key
Long requestTemplateKey = 67L; // 67 is the Request Template Key
requestTemplateService.grantTemplateToRoles(requestTemplateKey , roleList );


Get tcDataProvider Instance

Steps to create DataProvider Instance:


XLClientSecurityAssociation.setClientHandle(oimClient);

tcDataProvider dataProvider = new tcDataBaseClient()
 
 
tcDataProvider  dataProvider = XLDatabase.getInstance().getDataBase(); 
 
 
 
Connection connection = Platform.getOperationalDS().getConnection(); 

Modify Size of OOTB Fields on Create User Form

Limitaion:

In OIM 10g we used to change the size of OOTB fields from Formmetadata.xml but in OIM 11g we don't have any such file.

Procedure:

  • Export /file/User.xml from MDS
  • Search for the field which you want to modify say "Middle Name"
  • Search for max-size








  • Default size is 80, you can change it as per your requirement
  • Import the file back into MDS using weblogicImportMetadata.bat/sh
  • Run PurgeCache.bat/sh

Modify Authorization Policies in OIM 11g

Limitation:

In OIM 11g, we can increase the access for a user which is provided by Authorization Policy but we can't decrease the access.

OOTB Authorization Policies can't be modified and we don't have any documents for the same as well. Here are the steps to modify OOTB Authorization Policies.

Example: User should not be allowed to modify their profile attributes

Procedure:

  • Go to OIM_HOME\server\seed_data\Seed\OESPolicies
  • Open SelfServiceUserManagementPolicies.xml" in edit mode
  • Comment out the following portion i.e. fields which don't want users to modify:














  • Download files from "Click Here To Download"
  • Open "rajivdewan.properties" in edit mode and do changes as per you environment
  • Copy "rajivdewan.bat" and "rajivdewan.properties" under /server/bin
  • Copy "rajivdewan.xml" in /server/setup/deploy-files
  • Go to server OIM_HOME/bin in command prompt
  • Run "rajivdewan.bat" and provide OIM Database Password as Argument
  • Run "rajivdewan.bat" "OIM_DB_PASSWORD"It will take some time to process and you'll see following screen:






  • Go to OIM_HOME\server\setup and check logs under "rajivdewan.log" file
  • You can also check logs under "OIM_HOME\server\seed_data\Seed\OESPolicies\SeedPolicies.log"

Note:

  • Don't trust the command prompt output
  • Verify the log file for confirmation
Creation of Authorization Policy

  • Login into OIM Administration Console with "xelsysadm"
  • Create an Authorization Policy for "Self Service User Management" and under Modify User Profile, select your required attributes and click
  • Login with a user and validate