14 Replies Latest reply: May 4, 2012 1:33 AM by LeylaDah RSS

    AD Groups automatic provision

    LeylaDah
      Hello experts,

      every time an user is created, according to some parameters, OIM should assign to him/her some fixed groups.
      In the user form there is a field that could have until 30 different values, depending of this value OIM should provision an additional group.
      Now, I evaluated two different things:

      1) modify the access policy that I already use to provision the AD User object, but in this case I don't know how to calculate the additional group, because the design console doesn't allow me to do multiple test on the same field

      2) modify the process definition and add a "Add User to Group 2". I already started to work on this, I duplicated the "ADCS Add User To Group" adapter, as "ADCS Add User To Group2" and I also duplicated the component "Add User to group", but, in my case, the new "Add User To group" will have the "#Key~GROUPDN" format of the groups that I want to specify, but is not working, I get an error like

      [2012-03-01T08:24:56.744+01:00] [oim_server1] [NOTIFICATION] [IAM-0060016] [oracle.iam.platform.auth.impl] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 11d1def534ea1be0:4edd2f0d:135c99b02fd:-8000-00000000000014f2,0] [APP: oim#11.1.1.3.0] The IP address from which browser is triggered is 10.196.11.172
      [2012-03-01T08:24:57.052+01:00] [oim_server1] [ERROR] [] [XELLERATE.DATABASE] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 11d1def534ea1be0:4edd2f0d:135c99b02fd:-8000-00000000000014f2,0] [APP: oim#11.1.1.3.0] select UD_ADUSRC_KEY from UD_ADUSRC where UD_ADUSRC_KEY = [[
      java.sql.SQLSyntaxErrorException: ORA-00936: missing expression

      at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:457)
      at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:405)
      at oracle.jdbc.driver.T4C8Oall.processError(T4C8Oall.java:889)
      at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:476)
      at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:204)


      that's more or less what they already try to do: provision AD Group

      Have you any idea about how to manage this?

      Thank you
        • 1. Re: AD Groups automatic provision
          Nishith Nayan
          assign multiple group in OIM (OIM groups) only or it will be provisioned to target system as well??

          Can you provide the high level requirements?

          --nayan                                                                                                                                                                                                                                                                                                                           
          • 2. Re: AD Groups automatic provision
            Gyanprakash Pandey
            One more work around you can try is to attach event handler on AD resource object, which will trigger once user is provisioned to AD and add groups to user after calculating correct group name.

            regards,
            GP
            • 3. Re: AD Groups automatic provision
              LeylaDah
              I reconciled the AD Group Lookup from AD, now i have into my AD group lookup the code and the decode of CN=admin... CN=member.. CN=internal.. CN=contractor.. etc.
              What I need is now to provision to the target system the groups, so any John Smith will have always (into AD)

              memberOf : CN=Admin...
              memberOf : CN=Member...

              If a predefined USR_UDF field will be equal to 001, 002, 003, 010 or 090 (more or less 30 different options) it will provision also the field memberOf="CN=internal" otherwise if the field will be 004, 005 009 or 900 (other 30 possile options) it will provision the additional memberOf CN=contractor.

              To make a long story short, the final result into AD would be
              memberOf : CN=Admin...
              memberOf : CN=Member...
              memberOf : CN=Internal...
              or
              memberOf : CN=Admin...
              memberOf : CN=Member...
              memberOf : CN=Contractor...


              I forgot to mention that for a matter of maintenance I create a java class that takes as input the predefined field and it calculates if the user is internal or contractor, that's also why I used the adapter.
              • 4. Re: AD Groups automatic provision
                LeylaDah
                If I'm not wrong the event handler should be used only for changes into the user form, isn't it? in my case I would need only the AD object form.
                • 5. Re: AD Groups automatic provision
                  Gyanprakash Pandey
                  We can use event handlers for resource objects as well in 11g. We can declare it in same way we do for user forms. You refer to event handler development guide for it.

                  regards,
                  GP
                  • 6. Re: AD Groups automatic provision
                    LeylaDah
                    So there is no way to recycle the Add User To Group? I should re-create something from scratch?
                    • 7. Re: AD Groups automatic provision
                      Saurabh Tripathi
                      Hey Leyla Dah,

                      It can be achieved with help of access policy , make a access policy based on some rule for that particular resource & when you attach a resource to a access policy, it give the facility to provide the predefined value on process form as well as child form.

                      Thanks,
                      user247
                      • 8. Re: AD Groups automatic provision
                        Gyanprakash Pandey
                        You can try it through access policies as suggested by user247. Keep event-handler as last option, as it may take little time to implement.

                        regards,
                        GP
                        • 9. Re: AD Groups automatic provision
                          A Dhiman
                          it might be a length process but u can try this:

                          u can have multiple rules and corresponding multiple roles in OIM.
                          Attach each of the rule based on that special attribute to each of the OIM role.

                          assign a individual access policy (which will add the user to a particular group in OID)

                          so , whenever a user satisifies a criteria he/she wil get added to the group, on additing to the group the access policy will get fired adding the user to the group.
                          • 10. Re: AD Groups automatic provision
                            Nishith Nayan
                            Hi Leyla Dah,

                            I got yor requirements,

                            Write a Process task adapter. pass your UDF, process inst key and AD group lookup name . Here you can decide what to add in the child table and then use OIM API to add in child form. you can add multiple groups like this.

                            Create an unconditional task under AD User process definition. attach in dependency list of create user.( even you can make it conditional and call on success of Create user. But group will be added after provisioning).


                            This is the fine approach to handle this.

                            If you want API for same let me know

                            --nayan                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   
                            • 11. Re: AD Groups automatic provision
                              LeylaDah
                              I think I did something like you proposed, but there is an error into my procedure.

                              I created, as in "ADCS Add User To Group", a "Get Child Data" (it only changes the child table I'm reading from), and some "Add User To Group1", "Add User To Group2".. identical to the original "Add User to Group", the only difference is that at the place of the parameter "GroupName", I'm not using a "Resolve at runtime" value, but a literal one, with the Code Key of my "Lookup.AD.Reconciliation.GroupLookup2". (example: 7~CN=Member..).
                              This thing is not correctly adding the group, I'm not sure that I could use the method in this way, or I should do some additional things.
                              A part of this, after adding the Group1 and 2 I'm supposed to send the UDF field to a method, that would return if the user is internal or external.
                              According to the result, I will run the last "Add User To Group" to add one of the two groups.
                              What I'm missing is the java class to add the group, I don't understand still if I could implement the things just calling the tcUtilADTasks.addUserToGroup, as I'm currently doing.

                              Thank you
                              • 12. Re: AD Groups automatic provision
                                LeylaDah
                                This is gonna be hard, because I've 30+30 field to check, and those fields could change day by day: maintain such thing could be annoying..
                                I estimate more convenient to keep everything into the same java class, add a string to test if needed and redeploy everything.
                                • 13. Re: AD Groups automatic provision
                                  Nishith Nayan
                                  try with tcUtilADTasks.addUserToGroup and see how this behave. Otherwise, I suggest use normal OIM API to add entries(Groups) in child table. and there will be OOTB task on insert which will provision this to target system.
                                  • 14. Re: AD Groups automatic provision
                                    LeylaDah
                                    The provisioning has been archived with a Java customization, we decided to fill the groups information into the AD child table.

                                    Thank you