Content DB security model is independent of OID's.
That being said, a number of customers are doing various levels of static synchronization with security information contained in other
For example, CDB group synchronization with OID.

Hi Nicola,
Ok, that's why I don't see any ContentDB roles in OID...
Is this done using the synchronization process between other system directories and OID, and the provisioning process between OID and Content DB?
thanks

thanks to you!
We do have customers synchronizing directories - e.g. AD with OID.
And we also have customers using OID's directory provisioning integration service to monitor GROUP_ADD, GROUP_MODIFY, and GROUP_DELETE events in OID and respond with equivalent calls to CDB to update static group representations.
I have a question for you. Currently I have OID-AD sync with ContentDB set up.
I have a provisioning profile for ContentDB working.
If I create groups in AD, they get added to OID by the sync profile. But at the same time I do not see any group getting added to ContentDB.
Is this how it should work?
For me, I need to create a group in ContentDB and add users to it. I can add my OID-AD user to those groups. Then I need to assign ContentDB's role to the groups.
I think I do have GROUP_ADD, GROUP_MODIFY, and GROUP_DELETE events in the ContentDB provisioning profile.
Does ContentDB's base installation have this event?
The directory integration platform provisioning profile in OID for Content DB is configured to send only USER events to the Content DB internal event table (via the LDAP_NTFY procedure), which is in turn processed by the OidCredentialManagerAgent:
orclodipprovisioningeventsubscription=USER:cn=users,dc=oracle,dc=com:DELETE
In order to get group synchronization happening (OID to CDB), you would need to set up/develop everything related to the synchronization.
You would need a custom DIP provisioning profile for GROUP (ADD, MODIFY, DELETE) events.
You would need to implement your own orclODIPProvisioningIntegrationProfileV3 mechanism similar to what Content DB does. For example, have your own CDB schema similar to CONTENT$Id with LDAP_NTFY, but for group events.
You would need to implement your own custom event handler or Cron process that would monitor this table for events - and perform the necessary FDK calls to lookup/create/update groups in CDB with membership information from OID.
It's not overly complex - but not simple either. You're looking at a good 2 days of development from scratch.
In an ideal world, if I had more bandwidth I would post a whitepaper to demonstrate this. (Un)fortunately I'm 100% utilized on the URM integration with CDB.
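To make the three-step design above concrete, here is an added example (not from this thread or from Oracle's Content DB code) that models the custom handler: it parses GROUP subscriptions in the same OBJECT:container:OPERATION form as the USER subscription quoted above, drops events outside the subscribed container, ignores redelivered event ids, and replays the rest onto a static group map. The event-row layout, the in-memory group store standing in for the FDK calls, and the treatment of MODIFY as a full membership replacement are assumptions.

```python
# Subscriptions a custom DIP profile would carry for group events
# (same format as the USER subscription quoted in the thread).
SUBSCRIPTIONS = [
    "GROUP:cn=groups,dc=oracle,dc=com:ADD",
    "GROUP:cn=groups,dc=oracle,dc=com:MODIFY",
    "GROUP:cn=groups,dc=oracle,dc=com:DELETE",
]

# Constructed event-table rows (assumed layout, not real OID output).
SAMPLE_EVENTS = [
    {"id": 1, "type": "GROUP_ADD", "dn": "cn=finance,cn=groups,dc=oracle,dc=com",
     "members": ["cn=alice,cn=users,dc=oracle,dc=com"]},
    {"id": 2, "type": "GROUP_MODIFY", "dn": "cn=finance,cn=groups,dc=oracle,dc=com",
     "members": ["cn=alice,cn=users,dc=oracle,dc=com", "cn=bob,cn=users,dc=oracle,dc=com"]},
    {"id": 2, "type": "GROUP_MODIFY", "dn": "cn=finance,cn=groups,dc=oracle,dc=com",
     "members": []},                                   # redelivered id: ignored
    {"id": 3, "type": "GROUP_ADD", "dn": "cn=hr,cn=groups,dc=example,dc=com",
     "members": []},                                   # outside container: dropped
    {"id": 4, "type": "GROUP_DELETE", "dn": "cn=old,cn=groups,dc=oracle,dc=com"},
]

def parse_subscription(s):
    """Split 'OBJECT:container:OPERATION' into its three parts."""
    obj, container, op = s.split(":")   # DNs contain commas, never colons
    return obj.upper(), container.lower(), op.upper()

def subscribed(event, subs):
    """True when the event's object type, container and operation match a
    subscription; anything else is not forwarded, mirroring DIP's filtering."""
    ev_obj, ev_op = event["type"].split("_")           # GROUP_ADD -> GROUP, ADD
    dn = event["dn"].lower()
    return any(ev_obj == obj and ev_op == op and dn.endswith("," + container)
               for obj, container, op in map(parse_subscription, subs))

def apply_events(events, subs, groups=None):
    """Replay event rows in order onto a group map (name -> set of member DNs),
    the way the Cron/handler process would drive lookup/create/update calls.
    MODIFY is modelled as a full membership replacement (assumption)."""
    groups = {} if groups is None else groups
    seen = set()
    for ev in events:
        if ev["id"] in seen or not subscribed(ev, subs):
            continue
        seen.add(ev["id"])
        name = ev["dn"].split(",")[0].split("=", 1)[1]  # cn=finance -> finance
        op = ev["type"].split("_")[1]
        if op == "ADD":
            groups.setdefault(name, set()).update(ev.get("members", []))
        elif op == "MODIFY" and name in groups:
            groups[name] = set(ev.get("members", []))
        elif op == "DELETE":
            groups.pop(name, None)
    return groups
```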