OAM Does Not Deny / Allow Access Based On OID Dynamic Group Membership (Doc ID 1323803.1)

Last updated on MARCH 08, 2017

Applies to:

COREid Access - Version: 10.1.4.3.0 and later
Information in this document applies to any platform.

Symptoms

Oracle Access Manager (OAM) is configured with Oracle Internet Directory (OID) as LDAP store for OAM User Data. OID users can login to OAM-protected applications successfully.

A Dynamic Group has been created in OID 11g such that user entries with a specific 'manager' attribute value are automatically members of the group.

An OAM Authentication or Authorization Rule has been configured to Allow or Deny Access to members of the OID dynamic group.

However, when the protected resource is accessed, users are not allowed or denied access based on their dynamic group membership.

Policy Manager Access Tester results show that access is not being allowed or denied based on dynamic group membership.

The same problem occurs with WebGate / Access Server: users accessing a resource protected by a Policy that references the OID dynamic group are not allowed or denied access based on their membership.

The configuration of the OID dynamic group appears to be correct. If an ldapsearch is issued directly against OID to retrieve the dynamic group attributes, the expected uniquemember values are shown.

Example ldapsearch command and output, showing the uniquemember values returned by OID:

OID_HOME/bin/ldapsearch -p 389 -D "cn=orcladmin" -w welcome1 -b "cn=dyngroup,cn=groups,dc=oracle,dc=com" -s base "(objectclass=*)"

dn: cn=dyngroup,cn=groups,dc=oracle,dc=com
uniquemember: cn=user1,cn=users,dc=oracle,dc=com
uniquemember: cn=user2,cn=users,dc=oracle,dc=com
....
cn: dynamic_test
description: dynamic group membership test
orclconnectbyattribute: manager
orclconnectbystartingvalue: cn=manager1,cn=users,dc=oracle,dc=com
displayname: Test Dynamic Group
objectclass: groupOfUniqueNames
objectclass: orclGroup
objectclass: orclDynamicGroup
objectclass: top
objectclass: oblixgroup


In OAM 10g Group Manager, the group profile shows the expected users as group members.



Steps to reproduce

1. Create a dynamic group in OID using 'CONNECT BY' assertion, based on a specific manager value.
2. Create or modify two existing users in OID to set their manager attribute so they are members of the dynamic group.
3. In OAM Policy Manager, configure an OAM Authentication or Authorization Rule in a Policy Domain having:
Allow takes precedence: No
Allow Access: Any one (role)
Deny Access: <dynamic group name>
4. Test access to the application resource using Access Tester, for the two dynamic group members. Access Tester results will show Authorized: Yes although access should be denied.
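The following Python is an added example, not Oracle code: it models the OID CONNECT BY membership expansion for the group shown in the ldapsearch output and the Allow/Deny rule from step 3, so the expected Access Tester result can be compared with the one reported above. It assumes the connect-by assertion is evaluated hierarchically (direct and indirect reports of the starting value, as SQL CONNECT BY does) and uses constructed user entries; no live OID or OAM is contacted.

```python
from typing import Dict, Set, Tuple

# Constructed OID user entries (DN -> attributes); DNs follow the note's naming.
ENTRIES: Dict[str, Dict[str, str]] = {
    "cn=manager1,cn=users,dc=oracle,dc=com": {},
    "cn=user1,cn=users,dc=oracle,dc=com": {"manager": "cn=manager1,cn=users,dc=oracle,dc=com"},
    "cn=user2,cn=users,dc=oracle,dc=com": {"manager": "cn=manager1,cn=users,dc=oracle,dc=com"},
    "cn=user3,cn=users,dc=oracle,dc=com": {"manager": "cn=user1,cn=users,dc=oracle,dc=com"},
    "cn=user4,cn=users,dc=oracle,dc=com": {"manager": "cn=other,cn=users,dc=oracle,dc=com"},
}

# The dynamic group's CONNECT BY assertion, as in the ldapsearch output above.
DYN_GROUP: Dict[str, str] = {
    "orclconnectbyattribute": "manager",
    "orclconnectbystartingvalue": "cn=manager1,cn=users,dc=oracle,dc=com",
}

def connect_by_members(group: Dict[str, str], entries: Dict[str, Dict[str, str]]) -> Set[str]:
    """Expand the CONNECT BY assertion into member DNs (lower-cased).
    Assumption: hierarchical like SQL CONNECT BY, so user3 -> user1 -> manager1 is a member.
    """
    attr = group["orclconnectbyattribute"]
    frontier = [group["orclconnectbystartingvalue"].lower()]
    members: Set[str] = set()
    while frontier:
        parent = frontier.pop()
        for dn, attrs in entries.items():
            if attrs.get(attr, "").lower() == parent and dn.lower() not in members:
                members.add(dn.lower())
                frontier.append(dn.lower())    # follow the chain to indirect reports
    return members

def oam_authorized(user_dn: str, deny_members: Set[str], allow_takes_precedence: bool = False) -> str:
    """Rule from step 3: Allow Access = Any one, Deny Access = the dynamic group."""
    allowed = True                              # "Any one" matches every authenticated user
    denied = user_dn.lower() in deny_members
    if allowed and denied:
        return "Yes" if allow_takes_precedence else "No"
    return "Yes" if allowed else "No"

def expected_vs_observed(user_dn: str) -> Tuple[str, str]:
    """Expected result (membership expanded) beside the symptom in the note (membership ignored)."""
    expected = oam_authorized(user_dn, connect_by_members(DYN_GROUP, ENTRIES))
    observed = oam_authorized(user_dn, set())   # dynamic membership not applied by the policy
    return expected, observed
```

Calling expected_vs_observed on either of the two user DNs from the ldapsearch output returns ('No', 'Yes'): the rule should deny, yet Access Tester reports Authorized: Yes.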


Cause
