1 Reply Latest reply: Feb 2, 2013 3:38 PM by Ruthmelnick-Oracle RSS

    OIM 11g: Access Denied searching usr_emp_no in post process event handler

    Ruthmelnick-Oracle
      I am logging in as xelsysadm and creating a new user. I have populated a UDF called Manager Employee Number with a value of 12345 and I have a corresponding user with the Employee Number populated with that same value.

      When I create the user, my code searches for a corresponding user in OIM with that employee number. The problem is that i am getting an access denied error searching use_emp_no. Ironically, in a different post process event handler, I have access to decrypting the user's password.

      I tried searching by Employee Number rather than use_emp_no (which is what is returned with AttributeName.EMPLOYEE_NUMBER.getId()) but that did not find any users. It did seem to attempt the search though.

      Here is the code and the error:

      //get the manager object and retrieve the user login and user key of the manager
      mgrRetAttrs.add("USER_LOGIN");
      mgrRetAttrs.add("USER_KEY");

      List<User> mgrList = searchUsr(mgrEmpNo, mgrRetAttrs);
      logger.finest("Retrieved " + mgrList.size() + " managers with that employee number.");
      ...

      private List<User> searchUsr(String mgrEmpNo, Set<String> mgrRetAttrs) throws AccessDeniedException, UserSearchException{
      logger.finest("************Entering BBTMgrIDPostProcEventHandler#searchUser()***********");
      logger.finest("This is the manager emp no we are searching: " + mgrEmpNo);
      SearchCriteria srchCriteria =
      new SearchCriteria(AttributeName.EMPLOYEE_NUMBER.getId(), mgrEmpNo, SearchCriteria.Operator.EQUAL);
      logger.finest("This is the search criteria: " + srchCriteria.toString());
      logger.finest("Exiting BBTMgrIDPostProcEventHandler#searchUser()");
      return getUserManager().search(srchCriteria, mgrRetAttrs, null);
      }

      ...

      private UserManager getUserManager() {
      logger.finest("Enter BBTMgrIDPostProcEventHandler#getUserManager()");

      if (this.userMgr == null) {
      this.userMgr = Platform.getService(UserManager.class);
      }
      logger.finest("Exit BBTMgrIDPostProcEventHandler#getUserManager()");
      return this.userMgr;
      }

      Entering BBTMgrIDPostProcEventHandler#execute()
      oracle.iam.platform.authz.exception.AccessDeniedException: You do not have permission to search the following user attributes: usr_emp_no.
      at oracle.iam.identity.usermgmt.impl.UserManagerImpl.search(UserManagerImpl.java:1699)
      at oracle.iam.identity.usermgmt.api.UserManagerEJB.searchx(Unknown Source)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:597)
      at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
      at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
      at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
      at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
      at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
      at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
      at com.bea.core.repackaged.springframework.jee.spi.MethodInvocationVisitorImpl.visit(MethodInvocationVisitorImpl.java:37)
      at weblogic.ejb.container.injection.EnvironmentInterceptorCallbackImpl.callback(EnvironmentInterceptorCallbackImpl.java:54)
      at com.bea.core.repackaged.springframework.jee.spi.EnvironmentInterceptor.invoke(EnvironmentInterceptor.java:50)
      at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
      at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
      at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
      at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
      at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
      at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
      at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
      at $Proxy328.searchx(Unknown Source)
      at oracle.iam.identity.usermgmt.api.UserManager_nimav7_UserManagerRemoteImpl.__WL_invoke(Unknown Source)
      at weblogic.ejb.container.internal.SessionRemoteMethodInvoker.invoke(SessionRemoteMethodInvoker.java:40)
      at oracle.iam.identity.usermgmt.api.UserManager_nimav7_UserManagerRemoteImpl.searchx(Unknown Source)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:597)
      at weblogic.ejb.container.internal.RemoteBusinessIntfProxy.invoke(RemoteBusinessIntfProxy.java:85)
      at $Proxy196.searchx(Unknown Source)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:597)
      at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
      at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:198)
      at $Proxy318.searchx(Unknown Source)
      at oracle.iam.identity.usermgmt.api.UserManagerDelegate.search(Unknown Source)
      at com.oracle.iam.bbt.eventhandler.BBTFindMgrID.searchUsr(BBTFindMgrID.java:244)
      at com.oracle.iam.bbt.eventhandler.BBTFindMgrID.executeEvent(BBTFindMgrID.java:189)
      at com.oracle.iam.bbt.eventhandler.BBTFindMgrID.execute(BBTFindMgrID.java:114)
      at oracle.iam.platform.kernel.impl.OrchProcessData.runPostProcessEvents(OrchProcessData.java:1168)
      at oracle.iam.platform.kernel.impl.OrchProcessData.runEvents(OrchProcessData.java:710)
      at oracle.iam.platform.kernel.impl.OrchProcessData.executeEvents(OrchProcessData.java:227)
      at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:674)
      at oracle.iam.platform.kernel.impl.OrchestrationEngineImpl.resumeProcess(OrchestrationEngineImpl.java:705)
      at oracle.iam.platform.kernel.impl.OrhestrationAsyncTask.execute(OrhestrationAsyncTask.java:108)
      at oracle.iam.platform.async.impl.TaskExecutor.executeUnmanagedTask(TaskExecutor.java:100)
      at oracle.iam.platform.async.impl.TaskExecutor.execute(TaskExecutor.java:70)
      at oracle.iam.platform.async.messaging.MessageReceiver.onMessage(MessageReceiver.java:68)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:597)
      at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
      at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
      at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
      at com.bea.core.repackaged.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
      at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
      at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)
      at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)
      at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
      at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
      at $Proxy331.onMessage(Unknown Source)
      at weblogic.ejb.container.internal.MDListener.execute(MDListener.java:574)
      at weblogic.ejb.container.internal.MDListener.transactionalOnMessage(MDListener.java:477)
      at weblogic.ejb.container.internal.MDListener.onMessage(MDListener.java:379)
      at weblogic.jms.client.JMSSession.onMessage(JMSSession.java:4659)
      at weblogic.jms.client.JMSSession.execute(JMSSession.java:4345)
      at weblogic.jms.client.JMSSession.executeMessage(JMSSession.java:3821)
      at weblogic.jms.client.JMSSession.access$000(JMSSession.java:115)
      at weblogic.jms.client.JMSSession$UseForRunnable.run(JMSSession.java:5170)
      at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:528)
      at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
      at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
      Caused by: oracle.iam.identity.exception.SearchAttributeAccessDeniedException: You do not have permission to search the following user attributes: usr_emp_no.
      at oracle.iam.identity.usermgmt.impl.UserManagerImpl.search(UserManagerImpl.java:1696)
      ... 76 more

      Thanks,
      Ruth
        • 1. Re: OIM 11g: Access Denied searching usr_emp_no in post process event handler
          Ruthmelnick-Oracle
          This is what fixed the problem:

          Instead of the following:
          //get the manager object and retrieve the user login and user key of the manager
          mgrRetAttrs.add("USER_LOGIN");
          mgrRetAttrs.add("USER_KEY");


          I needed to do this instead:
          mgrRetAttrs.add(UserManagerConstants.AttributeName.USER_LOGIN.getId());
          mgrRetAttrs.add(UserManagerConstants.AttributeName.USER_KEY.getId());

          Then I changed the searchCriteria back to the following:
          SearchCriteria srchCriteria =
          new SearchCriteria("Employee Number", "12345", SearchCriteria.Operator.EQUAL);

          This did the trick.
          Ruth