HAPPY NEW YEAR 2017

Identity And Access Management - Rajiv Dewan

Encountered New Bug in OIM

Today I was trying something and encountered a New Bug in OIM where an End User can do more than his access which are defined in OIM. Few days back I found one similar issue ( Biggest Bug ). It was quite interesting. I was not expecting few things but ....
  

If I logged-in as End User then I can't do few operations in OIM as  UI Option is disabled for me for those operations and these things are handled through Authorization Policies but when I tried to do those things programmatically then it is allowing me to do same.
 

First Question which came to my mind "Are Authorization Policies only handling UI things ?"


Ofcourse not, as sometimes if I don't give access through Authorization Policies then I can't do those operations programatically as well


Then where is the gap ?
It seems that still we have to use OLD APIs for so many operations in OIM 11g which are not evaluating Authorization Policies properly (at-least not for my one :-) )

I can't share the API details for security reasons :-)

Why I called it Interesting ?

We can't live without OLD APIs as if we do so then Upgrade for 10g to 11g won't work at all. It is necessary to provide support for 10 APIs in 11g for Upgrade.

What would be its solution then ? Will they add extra layer of Authorization in all 10g APIs (Will take time)?


I hope we will get solutions for these security issues in next release/patch