It's all about IAM

Oracle Identity Manager: Security Issue

Today I found another issue with Identity Status (User Status) in Oracle Identity Manager, here are the sequence of activities which I performed:

  1. "User A" is logged in into OIM and doing some operations from his/her laptop. 
  2. At the same time, System Administrator logged in into OIM and disable the user or user gets disabled as part of Trusted User Reconciliation.
  3. Identity Status changed to Disabled on UI as well in User Repository(Database) successfully.
  4. Still user was able to perform various operations in OIM like request submission for self, others etc. If that user has administrative privileges then he/she can do anything.
In short, if someone has active session of OIM, he/she can do anything until that session terminates. 

OIM doesn't allow to create new session if Identity Status is Disabled but it must terminate the existing active sessions as well.

No comments:

Post a Comment