
Page 1: OIG 11G R2 Field Enablement Training - Oracle · OIG 11G R2 Training Oracle ... Pager, Home Postal Address, Postal Address, PO Box, Street, State, Postal Code, Country In addition

OIG 11G R2 Training

Oracle Proprietary - Restricted to Personal Use in an Oracle partner training class 1 | P a g e

OIG 11G R2 Field Enablement Training

Lab 7 - Advanced Security Configurations

Disclaimer: The Virtual Machine Image and other software are provided for use only during the workshop. Please note that you are responsible for deleting them from your computers before you leave. If you would like to try out any of the Oracle products, you may download them from the Oracle Technology Network (http://www.oracle.com/technology/index.html) or the Oracle E-Delivery WebSite (http://edelivery.oracle.com)


Table of Contents

OIG 11G R2 Field Enablement Training (page 1)
Advanced Security Configurations (page 1)
1. Introduction (page 3)
2. Implementing Advanced Delegation (page 3)
2.1 Assigning users to Helpdesk Admin Roles (page 3)
2.2 Applying the security policy (page 6)
2.3 Creating a New Deny Policy (page 9)
3. Validating delegation and policies (page 16)


1. Introduction

The Information Systems group has been receiving a lot of helpdesk calls (such as password resets) and has decided to hand them over to the Support organization. As per Information Systems policy, the Helpdesk should not be able to see the "contact information" of end users:

Telephone Number, Home Phone, Fax, Mobile, Pager, Home Postal Address, Postal Address, PO Box, Street, State, Postal Code, Country

In addition, the Dell organization has enforced a policy that helpdesk users should not be able to enable or disable users in their org (by default the Helpdesk can Enable/Disable/Unlock and Reset Password). Only User Administrators are allowed to perform this operation.

2. Implementing Advanced Delegation

2.1 Assigning users to Helpdesk Admin Roles

The Information Systems group has been receiving a lot of helpdesk calls (such as password resets) and has decided to hand them over to the Support organization. Let us see how this can be achieved.

1. Hit the OIG Identity Console.
2. Login as Admin.
3. Navigate to Administration > Organizations.
4. Search for the organization Dell.
5. Click on the Organization Name in the search result to open it.
6. Navigate to the Admin Roles sub tab.
7. In the upper frame, scroll to find the HelpDesk Admin role.
8. Click on it to select it.


9. Click on the Assign button in the upper frame to assign users as Help Desk administrators for this organization. A popup opens.
10. Search for a user whose Display Name is Ana Adam.
11. Click on the result to select it.
12. Click on Add Selected. Ana Adam moves to the Selected Users frame.
13. In the same window, search for a user whose Display Name is Peter Huffman.
14. Click on the result to select it.
15. Click on Add Selected. Peter Huffman moves to the Selected Users frame.


16. Click on Add.
17. Close the Organization:Dell tab.
18. Now search for the organization Apple.
19. Click on the Organization Name in the search result to open it.
20. Navigate to the Admin Roles sub tab.
21. In the upper frame, scroll to find the HelpDesk Admin role.
22. Click on it to select it.


23. Click on the Assign button in the upper frame to assign users as Help Desk administrators for this organization. A popup opens.
24. Search for a user whose Display Name is Ana Adam.
25. Click on the result to select it.
26. Click on Add Selected. Ana Adam moves to the Selected Users frame.
27. In the same window, search for a user whose Display Name is Peter Huffman.
28. Click on the result to select it.
29. Click on Add Selected. Peter Huffman moves to the Selected Users frame.
30. Click on Add.
31. Logout of the Identity console.
32. Close the browser.

2.2 Applying the security policy

As per Information Systems policy, the Helpdesk should not be able to see or modify the contact information of end users. In addition, the Dell organization has enforced a policy that helpdesk users should not be able to enable or disable users in their org (by default the Helpdesk can Enable/Disable/Unlock and Reset Password). Only User Administrators are allowed to perform this operation.

Note: For this exercise the Admin Server should be up.

1. Hit the APM console in the browser.
   OES – APM: http://identity.oracleads.com:7001/apm
2. Login as weblogic.


3. Navigate to Applications > OIM > OIMDomain.
4. Open Authorization Policies by double-clicking on it.
5. Click on the Search button to search the existing policies.
6. In the results window, click on View > Columns > Display Name. This adds the Display Name column to the view.
7. Now search for the HelpDesk policy by entering Help Desk Admin Policy for User in the Display Name field.
8. Click on the Open button in the Search Results window.
9. Click on the Obligations tab.
10. Click on the OrclOIMDeniedAttributesDirect attribute and click the Edit button.


11. Specify the attributes (by Attribute label) to deny. Enter the following list:

Telephone Number,Home Phone,Fax,Mobile,Pager,Home Postal Address,Postal Address,PO Box,Street,State,Postal Code,Country

12. Click Update.
13. Click on Apply in the Policy window.
14. Close the Policy tab.


Note: An Obligation returns additional information along with the Permit or Deny decision as part of the OES policy. This Obligation (in this example, a list of attributes) is then used by OIM to hide the attributes named in the obligation.

2.3 Creating a New Deny Policy

To enforce that Helpdesk users of the Dell org cannot enable or disable users, let us create a new policy.

1. In the previous Search Results window, click on New.
2. Provide the Name as DellHelpDeskStatusPolicy.
3. Provide the Display Name as Dell Help Desk Status Policy.
4. Provide the description as follows:
   Helpdesk users of Dell org cannot Enable or disable users
5. Change the Effect to Deny by clicking on the radio button.
6. Click on the + button next to the Principals section.
7. Search for an Application Role whose Display Name is OIM User Password Admin.
8. Select the result.
9. Click Add Selected.
10. Click on Add Principals.


11. Click the + button next to the Targets section to add targets.
12. Navigate to the Resources tab.
13. Click on the Resource Expression link.
14. Select Resource Type as OIM User.


15. In the Expression field, specify the value below:
   .*
16. Click Add to Targets.
17. Click on Add Targets.
18. Expand the OIM User target to display all the available OIM User permissions.
19. Check the following:
   a. disableUserStatus
   b. enableUserStatus


20. Click Save at the top.
21. To specify that this policy applies only to the Dell Organization, click on the Condition tab.
22. Click Edit.
23. In the Rule editor, specify the following conditions.
24. In the Select Operand Value frame, navigate to the Functions tab.
25. Sort by the Name field.
26. Find STRING_AT_LEAST_ONE_MEMBER_OF.
27. Click on Add. This function takes a pair of strings and evaluates to a Boolean.
28. Navigate to the Attributes tab in the Select Operand Value frame.


29. Choose OrclOIMUserOrganizations and click on Add.
30. The condition should now look like this. Let's add the constraints to it.
31. Notice that the first String condition is selected.
32. In the Select Operand Value area for the string value, enter the following:
   65
33. Click on Add.
34. The second string is selected automatically.
35. Enter the following value:
   1000000
36. Click on Add.
37. For the Boolean value select True.
38. Click on Add.
39. The expression should now look like this.
40. Click on the down arrow button next to the condition we just built.
41. Click on AND condition.

Note: In the above expression, the value 65 is the organization key of the Dell Organization and the value '1000000' is an arbitrary value, as the function expects a range to be specified. The value 65 can be obtained by running the following query against the OIM database (DEV_OIM/Oracle123): select act_key from act where act_name='Dell'.


42. Navigate to the Functions tab.
43. Select the ATTRIBUTE_HAS_VALUE function.
44. Click on Add.
45. For the String Literal enter the value below:
   OrclOIMTargetEntity
46. Click on Add.
47. Select True for the Boolean value.
48. Click on the down arrow button next to the condition we just built.
49. Click on AND condition.
50. Navigate to the Functions tab.
51. Select the ATTRIBUTE_HAS_VALUE function.
52. Click on Add.


53. For the String Literal enter the value below:
   OrclOIMUserOrganizations
54. Click on Add.
55. Select True for the Boolean value.

The final condition should look like this.

56. Click on Done.
57. Click on Apply to save the policy.
58. Sign out of the APM console.
59. Close the browser.

Note: You need to wait a few minutes for the policy to be enforced.


3. Validating delegation and policies

1. Hit the Identity Self Service console in your browser.
2. Login as AADAM, Ana Adam.
3. Navigate to Administration > Users.
4. In the Organization field of the search window, provide Dell as the value.
5. Hit Search.
6. Select a row in the results, let's say CMARNELL.
7. Except for Reset Password, every other option is gone.
8. Click on the User Login, CMARNELL, to open the user data.
9. Ana Adam does not see the Contact information of the user.
10. Ana Adam also notices that she does not have the capability to Disable or Enable users who belong to the Dell Organization.
11. Similarly, Peter Huffman logs into the self service console and searches for Apple users.
12. Peter Huffman also does not see the Contact Information of the user.
13. Peter Huffman can, however, Disable or Enable users under the Apple Organization.
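As an added illustration (not Oracle OES/OIM code and not part of the lab), the following Python models the two policies configured in sections 2.2 and 2.3 and reproduces the outcomes checked above: the Help Desk permit policy carrying the OrclOIMDeniedAttributesDirect obligation, and the DellHelpDeskStatusPolicy deny policy keyed on org key 65. The principal and user records, the Apple org key, and the resetPassword action name are constructed assumptions, and the STRING_AT_LEAST_ONE_MEMBER_OF range check is simplified to membership of the Dell key.

```python
# Added simulation of the lab's OES policies; sample data below is constructed, not from OIM.

CONTACT_ATTRIBUTES = (
    "Telephone Number,Home Phone,Fax,Mobile,Pager,Home Postal Address,"
    "Postal Address,PO Box,Street,State,Postal Code,Country"
).split(",")                       # obligation value entered in section 2.2, step 11
DELL_ORG_KEY = "65"                # act_key of Dell, from the lab note
APPLE_ORG_KEY = "70"               # constructed placeholder; the lab does not give Apple's key
HELPDESK_ROLE = "OIM User Password Admin"
STATUS_ACTIONS = {"enableUserStatus", "disableUserStatus"}
HELPDESK_ACTIONS = STATUS_ACTIONS | {"resetPassword"}   # resetPassword is a constructed name

def dell_status_deny_applies(principal, action, target):
    """DellHelpDeskStatusPolicy: Deny when principal, target permission and condition all match."""
    orgs = target.get("OrclOIMUserOrganizations")
    return (HELPDESK_ROLE in principal["roles"] and action in STATUS_ACTIONS
            and target.get("OrclOIMTargetEntity") is not None   # ATTRIBUTE_HAS_VALUE(OrclOIMTargetEntity)
            and orgs is not None and DELL_ORG_KEY in orgs)      # ATTRIBUTE_HAS_VALUE + MEMBER_OF(65)

def decide(principal, action, target):
    """Return (effect, obligation). A matching Deny policy overrides the Permit policy."""
    if dell_status_deny_applies(principal, action, target):
        return "Deny", []
    # Help Desk Admin Policy for User: permit only in orgs where the principal holds the
    # HelpDesk Admin role (section 2.1), returning the denied-attributes obligation.
    in_scope = bool(set(target["OrclOIMUserOrganizations"]) & principal["helpdesk_orgs"])
    if HELPDESK_ROLE in principal["roles"] and action in HELPDESK_ACTIONS and in_scope:
        return "Permit", list(CONTACT_ATTRIBUTES)
    return "Deny", []

def helpdesk_view(principal, target):
    """What the Self Service console shows: permitted actions and visible attributes."""
    allowed, hidden = set(), set()
    for action in HELPDESK_ACTIONS:
        effect, obligation = decide(principal, action, target)
        if effect == "Permit":
            allowed.add(action)
            hidden.update(obligation)   # OIM hides the attributes named in the obligation
    visible = {k: v for k, v in target["attributes"].items() if k not in hidden}
    return allowed, visible

ANA = {"roles": {HELPDESK_ROLE}, "helpdesk_orgs": {DELL_ORG_KEY}}      # Ana Adam, Dell helpdesk
PETER = {"roles": {HELPDESK_ROLE}, "helpdesk_orgs": {APPLE_ORG_KEY}}   # Peter Huffman, Apple helpdesk
CMARNELL = {"OrclOIMTargetEntity": "user", "OrclOIMUserOrganizations": [DELL_ORG_KEY],
            "attributes": {"User Login": "CMARNELL", "Mobile": "555-0100", "Street": "1 Main St"}}
APPLE_USER = {"OrclOIMTargetEntity": "user", "OrclOIMUserOrganizations": [APPLE_ORG_KEY],
              "attributes": {"User Login": "AUSER1", "Mobile": "555-0101", "Country": "US"}}
```

Calling helpdesk_view(ANA, CMARNELL) leaves only resetPassword and hides the contact fields, while helpdesk_view(PETER, APPLE_USER) keeps enable/disable but still hides them, matching steps 7 to 13 above.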