There were two avenues to solve this kind of issue (the second approach would only work if the customer supports anonymous access):
- Restrict that attribute to the e-mail server's application entity using an orclaci.
- Restrict that attribute to 'anonymous' and enable anonymous mode for user data lookups.
I know that option #1 was considered for the GIT deployment, but looking at their ACL, it seems that another approach was finally taken. I'll check with them and someone will reply back to this thread today. Taking the second approach might have an upgrade side-effect with a future version, WAC will likely need access to some attributes that are currently hidden from anonymous (e.g. user's provisioning status for e-mail).
Once I get the details from GIT, someone will update this thread.
My apologies, I didn't realize that this forum was accessible to people outside Oracle. GIT is our internal IT department, I had to validate some details about what was done and make sure there were no dire side-effects.
I accomplished hiding the employeeNumber attribute in our test environment by modifying the orclaci for the user search base. Here are the steps:
*** 1) Create a file (named ./update.ldif) with the orclaci modification information:
Note: Replace the dn with that of your user search base.
Note: The text below is whitespace-sensitive, esp. the indented line.
dn: <user_search_base_dn>
changetype: modify
add: orclaci
orclaci: access to attr=(employeeNumber)
 by dn="cn=EMailServerContainer,cn=Products,cn=OracleContext" (none)
*** 2) Run the ldapmodify command with the ldif file, replacing values in <brackets>.
ldapmodify -v -h <oid_host> -D <oid_administrator_dn> \
-w <oid_administrator_password> -f ./update.ldif
*** 3) Step 2 will cause errors when searching on 'All' in the search pane,
make sure you disable searching on that attribute in
*** 4) Restart the OC4J_OCSClient container to clear the directory cache.
$ORACLE_HOME/opmn/bin/opmnctl restartproc gid=OC4J_OCSClient
These steps have been tested and work on my test system, please reply back to this thread if there are any issues. Also, you can use the following technical documents for more information:
OCS Administrator's Guide - Customizing Access Control Lists:
OID Administrator's Guide:
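The LDIF in step 1 is whitespace-sensitive, so it is worth generating and checking it rather than hand-typing it. The script below is an added example, not code from the thread or from Oracle: it writes the orclaci modification for a given search base, attribute and denied bind DN, verifies that the `by dn=` line is a proper LDIF continuation line (leading space), and, if ldapmodify is installed, offers a dry run. The search base, host and credential variables are assumptions; the sample values at the bottom are constructed. The `-n` (dry-run) switch is assumed to behave as in OpenLDAP's ldapmodify; check your OID ldapmodify's usage text before relying on it.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Builds and sanity-checks the orclaci LDIF described in the steps above.

# Print an LDIF that adds one orclaci value on SEARCH_BASE denying ATTR to DENY_DN.
# The second orclaci line is an LDIF continuation line and MUST begin with a space.
make_hide_attr_ldif() {
  search_base=$1; attr=$2; deny_dn=$3
  printf 'dn: %s\n' "$search_base"
  printf 'changetype: modify\n'
  printf 'add: orclaci\n'
  printf 'orclaci: access to attr=(%s)\n' "$attr"
  printf ' by dn="%s" (none)\n' "$deny_dn"
}

# Return 0 if FILE has the "by dn=" clause indented as a continuation line and
# never at column 1 (where ldapmodify would treat it as a new attribute and fail).
ldif_continuation_ok() {
  awk 'BEGIN { bad = 0; good = 0 }
       /^by dn=/  { bad = 1 }
       /^ by dn=/ { good = 1 }
       END { exit !(good && !bad) }' "$1"
}

# Dry-run the modification when ldapmodify is available (assumed -n = no-op run);
# OID_HOST, OID_ADMIN_DN and OID_ADMIN_PW are assumed environment variables.
dry_run_ldif() {
  if command -v ldapmodify >/dev/null 2>&1; then
    ldapmodify -n -v -h "${OID_HOST:-localhost}" -D "${OID_ADMIN_DN:-cn=orcladmin}" \
      -w "${OID_ADMIN_PW:-changeme}" -f "$1"
  else
    echo "ldapmodify not found; LDIF left in $1 for manual review"
  fi
}

# Constructed sample run (example values, not a real deployment).
out=${TMPDIR:-/tmp}/update.ldif
make_hide_attr_ldif 'cn=Users,dc=example,dc=com' employeeNumber \
  'cn=EMailServerContainer,cn=Products,cn=OracleContext' > "$out"
ldif_continuation_ok "$out" && echo "continuation line OK: $out"
```

After the real modification is applied, the check a practitioner wants is a bind as the denied DN followed by an ldapsearch for the attribute: the entry should still come back, but without employeeNumber.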
Thank you Andrew for your detailed response. Now we actually need to hide the whole Corporate Directory so it isn't accessible from the contacts tab within Web Access Client due to FERPA issues. From your last response do you think this will be possible?
Down the road it would be nice when we add a new user to OID we pass in an attribute that indicates whether or not the user wishes to have their information such as their email address listed in the corporate directory.
But for now we really need to disable the corporate directory before rolling OCS 10g R2 out live because right now any user can see each other's email address and this can be a show stopper for us.
This isn't currently supported by WAC (but you're not the only person asking about it). There are two things that can be done for now:
1) Have someone log an enhancement request on WAC.
2) As a work-around, modify the user search 'AND' condition such that no entries are returned.
Refer to this section in the OCS release notes (scroll down to the sub-section entitled "184.108.40.206 Placing Constraints on Directory Entries Returned by the Oracle Web Access Client"):
Something like this might do (in $ORACLE_HOME/j2ee/OC4J_OCSClient/config/oc4j.properties):
If you need to hide DLs and their members as well, try this:
Also, you may want to make sure that the students are not part of a management chain. Otherwise, clicking on 'Managers and Peers' or 'Direct Reports' in corporate directory might show sensitive user data (the 'AND' condition is not applied for that since it's an ID lookup).
The side-effect is that in the contacts component, all the corporate directory UI will be enabled, except that no data will be shown. Please let me know if that's a problem for the work-around. I think there is a way to update the resource bundle for the list pane message stating 'Use the search controls in the bottom left corner to display Corporate Directory contacts.' Maybe this could be updated to say 'Corporate Directory is unavailable.' (just a thought).
Here is the link to update the resource bundle strings:
Just so I know, are you blocking end-user and/or anonymous ldap lookups on this data using ACLs?
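The caveat above about management chains can be checked before rolling the work-around out: the 'AND' condition is bypassed for ID lookups, so any student referenced as someone's manager (or who has direct reports) remains reachable. The script below is an added example, not code from the thread or from Oracle. It takes an LDIF export of user entries (assumed to use the standard `manager` attribute holding the manager's DN) and prints every entry whose manager sits under a student container. The container DN and the LDIF sample are constructed values.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Lists entries whose "manager" DN falls under a given (student) container,
# i.e. students who are part of a management chain and would still be visible
# through 'Managers and Peers' / 'Direct Reports' ID lookups.

# Assumed container holding student entries (constructed value).
STUDENT_BASE='cn=Students,cn=Users,dc=example,dc=com'

# Print the dn of every entry in LDIF file $1 whose manager DN ends with $2.
# Comparison is case-insensitive on the DN string; base64 ("dn::") values are
# not decoded, which is acceptable for an ASCII-only export like the sample.
students_in_mgmt_chain() {
  awk -v base="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    function value(s) { sub(/^[^:]*: */, "", s); return tolower(s) }
    /^dn:/      { dn = $0; sub(/^dn: */, "", dn) }
    /^manager:/ { m = value($0)
                  if (length(m) >= length(base) &&
                      substr(m, length(m) - length(base) + 1) == base) print dn }
    /^$/        { dn = "" }
  ' "$1"
}

# Constructed sample export: carol reports to dave, and dave is a student.
sample_ldif() {
  cat <<'EOF'
dn: cn=alice,cn=Staff,cn=Users,dc=example,dc=com
cn: alice
manager: cn=bob,cn=Staff,cn=Users,dc=example,dc=com

dn: cn=carol,cn=Staff,cn=Users,dc=example,dc=com
cn: carol
manager: cn=dave,cn=Students,cn=Users,dc=example,dc=com

dn: cn=dave,cn=Students,cn=Users,dc=example,dc=com
cn: dave
manager: cn=bob,cn=Staff,cn=Users,dc=example,dc=com
EOF
}

# Sample run: prints carol's dn, since her manager is a student.
export_file=${TMPDIR:-/tmp}/users.ldif
sample_ldif > "$export_file"
students_in_mgmt_chain "$export_file" "$STUDENT_BASE"
```

On a real system the input would be an ldapsearch export of the user search base restricted to the `dn` and `manager` attributes; any dn printed is an entry that needs its manager reassigned before the work-around can be considered complete.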