6 Replies Latest reply: May 10, 2006 8:18 PM by Tracey-Oracle RSS

    How do you hide Details in the Contacts - Corporate Directory???

    501199
      After creating a new user in OID with the employeenumber attribute getting populated, and automatically provisioning components in OCS, I go into Web Access Client and click on the Contacts tab and bring up all the users in the corporate directory. If I click on a user, a bunch of tabs accross the bottom appear such as: Business, Personal, Details, et cetea. Under Details it is showing the value of the employee ID I populated in OID under the employeenumber attribute. I want to hide this value. I went into OIDDAS and unchecked the viewable box and it still shows up. Is there a way to hide this value? After deleting the value in the employeenumber attribute in OID it was still showing up, so we cleared out the ocs cache and it finally disappeard. But I want to keep this value but hide it from ocs components.

      Thank you,
      Dwight
        • 1. Re: How do you hide Details in the Contacts - Corporate Directory???
          501294
          Hi Dwight.

          There were two avenues to solve this kind of issue (the second approach would only work if the customer supports anonymous access):

          - Restrict that attribute to the e-mail server's application entity using an orclaci.
          - Restrict that attribute to 'anonymous' and enable anonymous mode for user data lookups.

          I know that option #1 was considered for the GIT deployment, but looking at their ACL, it seems that another approach was finally taken. I'll check with them and someone will reply back to this thread today. Taking the second approach might have an upgrade side-effect with a future version, WAC will likely need access to some attributes that are currently hidden from anonymous (e.g. user's provisioning status for e-mail).

          Once I get the details from GIT, someone will update this thread.

          -Andrew
          • 2. Re: How do you hide Details in the Contacts - Corporate Directory???
            501199
            Andrew, were you able to find out the solution GIT took?

            Thanks,

            Dwight
            • 3. Re: How do you hide Details in the Contacts - Corporate Directory???
              501294
              Hi Dwight.

              My apologies, I didn't realize that this forum was accessible to people outside Oracle. GIT is our internal IT department, I had to validate some details about what was done and make sure there were no dire side-effects.

              I accomplished hiding the employeeNumber attribute in our test environment by modifying the orclaci for the user search base. Here are the steps:

              *** 1) Create an file (named ./update.ldif) with the orclaci modification information:
              Note: Replace the dn with that of your user search base.
              Note: The text below is whitespace-sensitive, esp. the indented line.

              dn: cn=Users,dc=us,dc=oracle,dc=com
              changetype: modify
              add: orclaci
              orclaci: access to attr=(employeeNumber)
              by dn="cn=EMailServerContainer,cn=Products,cn=OracleContext" (none)

              *** 2) Run the ldapmodify command with the ldif file, replace valus in <brackets>.

              ldapmodify -v -h <oid_host> -D <oid_administrator_dn> \
              -w <oid_administrator_password> -f ./update.ldif

              *** 3) The step 2 will cause errors when searching on 'All' in the search pane,
              make sure you disable searching on that attribute in
              $ORACLE_HOME/j2ee/OC4J_OCSClient/config/oc4j.properties.

              oracle.ocsclient.directory.capability.search.attr.employeenumber=disabled

              *** 4) Restart the OC4J_OCSClient container to clear the directory cache.

              $ORACLE_HOME/opmn/bin/opmnctl restartproc gid=OC4J_OCSClient


              These steps have been tested and work on my test system, please reply back to this thread if there are any issues. Also, you can use the following technical documents for more information:

              OCS Administrator's Guide - Customizing Access Control Lists:
              http://download-west.oracle.com/docs/cd/B25553_01/collab.1012/b25490/ch_active_directory.htm#sthref1473

              OID Administrator's Guide:
              http://download-west.oracle.com/docs/cd/B14099_11/idmanage.1012/b14082/toc.htm

              Regards,
              -Andrew
              • 4. Re: How do you hide Details in the Contacts - Corporate Directory???
                501199
                Thank you Andrew for your detailed response. Now we actually need to hide the whole Corporate Directory so it isn't accessible from the contacts tab within Web Access Client due to FERPA issues. From your last response do you think this will be possible?

                Down the road it would be nice when we add a new user to OID we pass in an attribute that indicates whether-or-not the user wishes to have their information such as their email address listed in the corporate directoryl.

                But for now we really need to disable the corporate directory before rolling OCS 10g R2 out live because right now any user can see each other's email address and this can be a show stopper for us.

                Thank you,

                Dwight
                • 5. Re: How do you hide Details in the Contacts - Corporate Directory???
                  501294
                  Hi Dwight.

                  This isn't currently supported by WAC (but you're not the only person asking about it). There are two things that can be done for now:

                  1) Have someone log an enhancement request on WAC.
                  2) As a work-around, modify the user search 'AND' condition such that no entries are returned.

                  Refer to this section in the OCS release notes: (scroll down to the sub-section entitled "4.7.3.2 Placing Constraints on Directory Entries Returned by the Oracle Web Access Client"

                  http://download-west.oracle.com/docs/cd/B25553_01/relnotes.1012/b25475/suite.htm#WACsearch

                  Something like this might do (in $ORACLE_HOME/j2ee/OC4J_OCSClient/config/oc4j.properties):

                  oracle.ocsclient.directory.ldap.userobjectandcondition=(objectclass=foobar)

                  If you need to hide DLs and their members as well, try this:

                  oracle.ocsclient.directory.ldap.dlobjectandcondition=(objectclass=foobar)

                  Also, you may want to make sure that the students are not part of a management chain. Otherwise, clicking on 'Managers and Peers' or 'Direct Reports' in corporate directory might show sensitive user data (the 'AND' condition is not applied for that since it's an ID lookup).

                  The side-effect is that in the contacts component, all the corporate directory UI will be enabled, except that no data will be shown. Please let me know if that's a problem for the work-around. I think there is a way to update the resource bundle for the list pane message stating 'Use the search controls in the bottom left corner to display Corporate Directory contacts.' Maybe this could be updated to say 'Corporate Directory is unavailable.' (just a thought).

                  Here is the link to update the resource bundle strings:
                  http://download-west.oracle.com/docs/cd/B25553_01/collab.1012/b25490/ch_customizing.htm#BABJIBJG

                  Just so I know, are you blocking end-user and/or anonymous ldap lookups on this data using ACLs?

                  Cheers,
                  -Andrew

                  Message was edited by:
                  andrew.edwards@oracle.com
                  • 6. Re: How do you hide Details in the Contacts - Corporate Directory???
                    Tracey-Oracle
                    Hi All,

                    ER has been logged for hiding corporate directory.
                    See bug:5150859
                    with abstract - ER: SHOULD BE ABLE TO HIDE CORPORATE DIRECTORY

                    Thanks.,