2 Replies Latest reply: Dec 10, 2012 4:39 PM by 792829

Microsoft AD Group and 12c External Role - Privileges issue

792829 Newbie
Hi

I have set up AD SSO for OEM 12c.

Signed on as User01.
Created an external role in OEM - same as that of an AD GROUP. Role/AD group Name: MY_ADMINS
Granted access to view all targets for this role.
But when I log in as a user within that group (User01 is assigned to multiple AD GROUPS. There are other members in MY_ADMINS), I am unable to see ANY Target.

Can anyone help here? Has anyone worked on setting privileges based on AD GROUPS within OEM?

Thanks
  • 1. Re: Microsoft AD Group and 12c External Role - Privileges issue
    user704352 Newbie
    AD setup with external roles is used by multiple customers.

    The following section in the Administrator's Guide describes how to enable external AD authentication for EMGC users:
    http://docs.oracle.com/cd/E24628_01/doc.121/e24473/security.htm#autoId13

    There are step-by-step instructions for configuring AD based authentication. Please make sure all these steps are followed.

    There are a couple of places where we have seen issues with this integration:
    - The role name in EM should be uppercase and should match exactly the name of the group.
    - The group base DN configured for the AD authenticator needs to look up the groups at the right level.
    (this can be verified by accessing the Admin Console and verifying that groups are properly being listed).
  • 2. Re: Microsoft AD Group and 12c External Role - Privileges issue
    792829 Newbie
    Thank you for the response. That's exactly the same document that I used for reference to set up AD with EM 12c.

    The external ROLE has been set up the SAME way as the AD GROUP & in upper case. There are about 5 users in the AD GROUP. Not ALL 5 users have logged in to OEM, so they don't show up as users. A couple of users who have logged in are unable to see the targets, though I had given the GROUP privileges to VIEW ALL TARGETS. I even tried giving ADMIN privileges just to make sure the AD GROUP and External ROLE work. The user CANNOT see anything.

    As for the GROUP DN -> If I had not set it right, I won't be able to see the groups, right?

    Anything else to check for?
    Thanks
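
The two checks listed in reply 1 (role name uppercase and identical to the group name, group located under the Group Base DN), as an added example that is not part of the original thread or of Oracle's tooling. It assumes the group DNs were exported from AD beforehand, that the group name is the `cn` of the group entry, and that the authenticator searches the whole subtree below the Group Base DN; all DNs and names are constructed.

```python
import re

# Constructed sample data: group DNs as exported from AD, and the
# Group Base DN configured on the AD authenticator.
GROUPS = [
    "CN=MY_ADMINS,OU=Groups,DC=example,DC=com",
    "CN=Dba_Team,OU=Groups,DC=example,DC=com",
    "CN=OEM_VIEWERS,OU=Apps,DC=example,DC=com",
]
BASE = "ou=Groups,dc=example,dc=com"

def split_dn(dn):
    """Split a DN into lower-cased RDNs, honouring backslash-escaped commas."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def is_under(dn, base_dn):
    """True if dn sits at or below base_dn (subtree scope is an assumption)."""
    d, b = split_dn(dn), split_dn(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def group_name(dn):
    """Group name from the first RDN, case preserved (assumes the attribute is cn)."""
    attr, _, value = re.split(r"(?<!\\),", dn)[0].partition("=")
    return value.strip() if attr.strip().lower() == "cn" else None

def check_role(role, group_dns, group_base_dn):
    """Return findings for one EM external role; an empty list means both checks pass."""
    findings = []
    if role != role.upper():
        findings.append("role name is not uppercase")
    any_case = [g for g in group_dns
                if (group_name(g) or "").lower() == role.lower()]
    if not any_case:
        findings.append("no AD group with this name")
    elif not any(group_name(g) == role for g in any_case):
        findings.append("group name differs from role name in case only")
    if any_case and not any(is_under(g, group_base_dn) for g in any_case):
        findings.append("group is outside the Group Base DN")
    return findings

if __name__ == "__main__":
    for role in ("MY_ADMINS", "DBA_TEAM", "OEM_VIEWERS", "my_admins"):
        print(role, "->", check_role(role, GROUPS, BASE) or "OK")
```

An empty result only rules out the two pitfalls named in reply 1; it does not show that the privileges granted to the role are in effect for the user.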
