3 Replies Latest reply on Nov 4, 2019 8:28 AM by Srinath Menon-Oracle

    Read user attributes as Account from IDAM

    Sanjeev-OFM

      Hi Experts,

      We are using WCC version 12.2.1.3.0 and have enabled Accounts for additional document security along with Security Groups, with SSO enabled using OAM.

      The organization hierarchy is mapped to the account field (AuthGroup) to maintain the hierarchical structure; the value comes from IDAM as a group prefixed with the @ symbol, which is working as expected.

      Currently it is a manual process where the IDAM team creates the group and assigns the user to that group to access the document, but the client wants to automate it, so we are facing the difficulty below.

      The IDAM team has the organization hierarchy mapped to the account field (AuthGroup) value in the OIM user attribute profile, but they are not able to move this (AuthGroup) value automatically to OUD; because of that they have to create the role and assign the user manually in OUD.

      So we want to check whether, at the WCC end, we can read the user attribute value as a Group/Account.

      Kindly suggest.

        • 1. Re: Read user attributes as Account from IDAM
          Srinath Menon-Oracle

          The IDAM team has the organization hierarchy mapped to the account field (AuthGroup) value in the OIM user attribute profile, but they are not able to move this (AuthGroup) value automatically to OUD; because of that they have to create the role and assign the user manually in OUD.

          I guess you are mentioning that the LDAP sync process is not working fine in this environment, because of which the changes being done for user management / attributes do not replicate to OUD, from which WCC is reading the user security. Is that correct?

          So, where exactly are you looking to automate the role assignment process? On the OUD side or the WCC side?

          Also, can you provide a live example for this case so that someone can review it and provide a possible solution?

          • 2. Re: Read user attributes as Account from IDAM
            Sanjeev-OFM

            Hi Srinath,

            Actually, OAM and WCC integration has been done here for SSO.

            Current implementation:

            User profile information comes from OIM, and the groups exist in OUD; these users are then added to the OUD groups.

            For example:

            OIM user profile --> user1 with the attributes below

            1) name --> user1

            2) email --> user1@test.com

            3) role --> org hierarchy 001/010/100/UP100/L140/RL0000190 etc.

            OUD groups:

            Group 1: SDWrite

            Group 2: @001/010/100/UP100/L140/RL0000190

            These two groups are manually assigned to user1, so when he logs in to WCC, roles are mapped automatically and he can view the documents accordingly.

            But now we want to automate this process so that if the user profile role is changed to XYZ in OIM, the user is automatically mapped to the new XYZ group (creating group XYZ if it is not available) in OUD or WCC, so that when he logs in to WCC he can view the documents.

            Kindly suggest how we can read this user profile role attribute value as a WCC group so that the user can view the documents, because this role attribute value changes very frequently.

            Thanks

            Sanjeev
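The mapping described in the post above, as an added example that is not part of the thread and not Oracle product code: a small Python script that takes the OIM role attribute value, derives the "@"-prefixed account group name the way the thread says WCC expects it, and emits LDIF that creates the group in OUD if it is missing, adds the user to it, and removes the user from any other "@" group, leaving non-account groups such as SDWrite untouched. The DIT layout (ou=people and ou=groups under dc=example,dc=com), the groupOfUniqueNames object class, the uniqueMember attribute and the uid naming attribute are assumptions; the in-memory directory snapshot is constructed from the user1 example in the post. The role string comes from a user profile rather than from the directory itself, so it is escaped before being placed in a DN and rejected if it contains line breaks, which would otherwise let a crafted attribute value inject extra LDIF records or RDN components.

```python
"""Derive a WCC account group from an OIM role attribute and emit LDIF for OUD.

Added example for the thread above; not Oracle code.  Hypothetical assumptions:
- users:  uid=<uid>,ou=people,dc=example,dc=com
- groups: cn=<name>,ou=groups,dc=example,dc=com, objectClass groupOfUniqueNames
- WCC reads groups whose cn starts with '@' as accounts (as stated in the thread)
"""
import base64
from dataclasses import dataclass
from typing import Dict, List, Set

GROUP_BASE = "ou=groups,dc=example,dc=com"     # assumed DIT layout
PEOPLE_BASE = "ou=people,dc=example,dc=com"    # assumed DIT layout
ACCOUNT_PREFIX = "@"                           # account marker per the thread
MEMBER_ATTR = "uniqueMember"                   # groupOfUniqueNames membership attribute

_DN_SPECIAL = ',+"\\<>;='


def escape_dn_value(value: str) -> str:
    """Escape an RDN value per RFC 4514 so a crafted role string cannot add RDNs."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def ldif_line(attr: str, value: str) -> str:
    """One LDIF attribute line; base64 (':: ') for values LDIF cannot carry verbatim."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"


def account_group_cn(role: str) -> str:
    """Map the OIM role attribute (e.g. 001/010/100/UP100/L140/RL0000190) to '@' + role."""
    role = role.strip()
    if not role or any(c in role for c in "\r\n\x00"):
        raise ValueError("invalid role attribute value")
    return ACCOUNT_PREFIX + role


def group_dn(cn: str) -> str:
    return f"cn={escape_dn_value(cn)},{GROUP_BASE}"


def user_dn(uid: str) -> str:
    return f"uid={escape_dn_value(uid)},{PEOPLE_BASE}"


@dataclass
class Op:
    kind: str     # 'add_group' | 'add_member' | 'del_member'
    cn: str
    member: str


def plan(directory: Dict[str, Set[str]], uid: str, role: str) -> List[Op]:
    """Compute the changes that bring the user's '@' groups in line with the role.

    directory is a snapshot {group cn: set of member DNs}; only '@' groups are touched.
    """
    target, udn, ops = account_group_cn(role), user_dn(uid), []
    for cn, members in sorted(directory.items()):
        if cn.startswith(ACCOUNT_PREFIX) and cn != target and udn in members:
            ops.append(Op("del_member", cn, udn))        # stale account group
    if target not in directory:
        ops.append(Op("add_group", target, udn))         # create group with the user
    elif udn not in directory[target]:
        ops.append(Op("add_member", target, udn))
    return ops


def to_ldif(ops: List[Op]) -> str:
    """Render the plan as LDIF records suitable for ldapmodify."""
    records = []
    for op in ops:
        if op.kind == "add_group":
            records.append("\n".join([ldif_line("dn", group_dn(op.cn)), "changetype: add",
                                      "objectClass: top", "objectClass: groupOfUniqueNames",
                                      ldif_line("cn", op.cn), ldif_line(MEMBER_ATTR, op.member)]))
        else:
            mod = "add" if op.kind == "add_member" else "delete"
            records.append("\n".join([ldif_line("dn", group_dn(op.cn)), "changetype: modify",
                                      f"{mod}: {MEMBER_ATTR}", ldif_line(MEMBER_ATTR, op.member), "-"]))
    return "\n\n".join(records) + ("\n" if records else "")


def apply_ops(directory: Dict[str, Set[str]], ops: List[Op]) -> Dict[str, Set[str]]:
    """Apply the plan to the snapshot (simulates what ldapmodify would do)."""
    new = {cn: set(m) for cn, m in directory.items()}
    for op in ops:
        if op.kind == "add_group":
            new[op.cn] = {op.member}
        elif op.kind == "add_member":
            new[op.cn].add(op.member)
        else:
            new[op.cn].discard(op.member)
    return new


# Constructed snapshot of OUD, matching the user1 example in the thread.
SAMPLE_DIRECTORY = {
    "SDWrite": {user_dn("user1")},
    "@001/010/100/UP100/L140/RL0000190": {user_dn("user1")},
}

if __name__ == "__main__":
    # user1's role in OIM changed to XYZ: move him to @XYZ, creating it if absent.
    print(to_ldif(plan(SAMPLE_DIRECTORY, "user1", "XYZ")), end="")
```

Feed the output to ldapmodify with a bind identity that may only write under ou=groups. Two caveats: in the standard schema (RFC 4519) groupOfUniqueNames requires at least one uniqueMember, so on a server that enforces it the delete of the last member must be replaced by deleting the group; and the script is a per-user reconciliation step, so it should run from a snapshot taken in the same job rather than from cached group state, or a concurrent change could be overwritten.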

            • 3. Re: Read user attributes as Account from IDAM
              Srinath Menon-Oracle

              User profile information comes from OIM, and the groups exist in OUD; these users are then added to the OUD groups.

              For example:

              OIM user profile --> user1 with the attributes below

              1) name --> user1

              2) email --> user1@test.com

              3) role --> org hierarchy 001/010/100/UP100/L140/RL0000190 etc.

              OUD groups:

              Group 1: SDWrite

              Group 2: @001/010/100/UP100/L140/RL0000190

              These two groups are manually assigned to user1, so when he logs in to WCC, roles are mapped automatically and he can view the documents accordingly.

              But now we want to automate this process so that if the user profile role is changed to XYZ in OIM, the user is automatically mapped to the new XYZ group (creating group XYZ if it is not available) in OUD

              If you want this kind of requirement, then the LDAP Sync mechanism needs to be enabled between OIM and OUD so that any changes in user attributes / user creation / addition etc. are propagated to the target (OUD). Assuming it is an OIM 11.1.2.3.0 environment, here is the documentation for it: https://docs.oracle.com/cd/E52734_01/core/INOAM/oim.htm#INOAM1212

              Section 4.7 Configuring Oracle Identity Manager Server