2 Replies Latest reply: Dec 10, 2012 6:39 PM by 792829

    Microsoft AD Group and 12c External Role - Privileges issue

    792829
      Hi

      I have set up AD SSO for OEM 12c.

      Signed on as User01.
      Created an external role in OEM - same as that of an AD GROUP. Role/AD group Name: MY_ADMINS
      Granted access to view all targets for this role.
      But when I log in as a user within that group (User01 is assigned to multiple AD GROUPS; there are other members in MY_ADMINS), I am unable to see ANY Target.

      Can anyone help here? Has anyone worked on setting privileges based on AD GROUPS within OEM?

      Thanks
        • 1. Re: Microsoft AD Group and 12c External Role - Privileges issue
          user704352
          AD setup with external roles is used by multiple customers.

          The following section in the Administrator's Guide describes how to enable external AD authentication for EMGC users:
          http://docs.oracle.com/cd/E24628_01/doc.121/e24473/security.htm#autoId13

          There are step-by-step instructions for configuring AD based authentication. Please make sure all these steps are followed.

          There are a couple of places where we have seen issues with this integration:
          - The role name in EM should be uppercase and should match exactly the name of the group.
          - The group base DN for the configured AD authenticator needs to look up the groups at the right level.
          (This can be verified by accessing the Admin Console and verifying that groups are properly being listed.)
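          As an added example (not from this thread, the guide, or Oracle's own tooling), a small offline Python check for the two pitfalls listed above; the DNs, role names and search scope below are constructed sample values, not from any real site:

```python
"""Offline sanity checks for the two EM 12c / AD external-role pitfalls
named above: the EM role name must equal the AD group name in uppercase,
and the configured group base DN must actually cover the group.
All DNs and names here are constructed sample values (assumptions)."""
from typing import List, Optional, Tuple

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDN pairs: attribute types are
    lowercased, whitespace around components trimmed, escaped commas kept."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            buf, escaped = buf + ch, True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr, _, val = rdn.partition("=")
        pairs.append((attr.strip().lower(), val.strip()))
    return pairs

def group_base_dn_issue(group_dn: str, base_dn: str, subtree: bool) -> Optional[str]:
    """Describe why a group search rooted at base_dn would miss group_dn, or None."""
    g, b = parse_dn(group_dn), parse_dn(base_dn)
    norm = lambda pairs: [(a, v.lower()) for a, v in pairs]
    if len(g) <= len(b) or norm(g[len(g) - len(b):]) != norm(b):
        return "group is not under the configured group base DN"
    depth = len(g) - len(b)
    if depth > 1 and not subtree:
        return f"group is {depth} levels below the base DN but scope is one level"
    return None

def role_name_issue(em_role: str, ad_group_cn: str) -> Optional[str]:
    """EM role must match the AD group name exactly and be uppercase."""
    if em_role == ad_group_cn.upper():
        return None
    if em_role.upper() == ad_group_cn.upper():
        return "EM role name differs from the AD group only by case; use uppercase"
    return "EM role name does not match the AD group name"

def check(em_role: str, group_dn: str, base_dn: str, subtree: bool = True) -> List[str]:
    """Collect all findings for one role/group/base-DN combination."""
    group_cn = parse_dn(group_dn)[0][1]          # first RDN value, e.g. CN=...
    findings = [role_name_issue(em_role, group_cn),
                group_base_dn_issue(group_dn, base_dn, subtree)]
    return [f for f in findings if f]
```

An empty list from `check()` means neither of the two pitfalls applies to that combination.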
          • 2. Re: Microsoft AD Group and 12c External Role - Privileges issue
            792829
            Thank you for the response. That's exactly the same document that I used for reference and set up AD with EM 12c.

            The external ROLE has been set up the SAME way as the AD GROUP & in upper case. There are about 5 users in the AD GROUP. Not ALL 5 users have logged in to OEM, so they don't show up as users. A couple of users who have logged in are unable to see the targets, though I had given the GROUP privileges to VIEW ALL TARGETS. I even tried giving ADMIN privileges just to make sure the AD GROUP and External ROLE work. The user CANNOT see anything.

            As for the GROUP DN -> if I had not set it right, I wouldn't be able to see the groups, right?

            Anything else to check for?
            Thanks