OAM Does Not Deny / Allow Access Based On OID Dynamic Group Membership
Last updated on MARCH 08, 2017
Applies to: COREid Access - Version: 10.1.4.3.0
Information in this document applies to any platform.
A Dynamic Group has been created in OID 11g such that any user entry with a specific 'manager' attribute value is automatically a member of the group.
An OAM Authentication or Authorization Rule has been configured to Allow or Deny Access to members of the OID dynamic group.
However, when the protected resource is accessed, users are not allowed or denied access based on their dynamic group membership.
Policy Manager Access Tester results show that access is not being allowed or denied based on dynamic group membership.
The same problem occurs with WebGate / Access Server: users accessing a resource protected by a Policy that references the OID dynamic group
The configuration of the OID dynamic group appears to be correct. If an ldapsearch is issued directly against OID to retrieve the dynamic group attributes, the expected uniquemember values are shown.
Example ldapsearch command and output showing the uniquemember values returned by OID:
OID_HOME/bin/ldapsearch -p 389 -D "cn=orcladmin" -w welcome1 -b "cn=dyngroup,cn=groups,dc=oracle,dc=com" -s base "(objectclass=*)"
description: dynamic group membership test
displayname: Test Dynamic Group
In OAM 10g Group Manager, the group profile shows the expected users as group members.
Steps to reproduce
1. Create a dynamic group in OID using 'CONNECT BY' assertion, based on a specific manager value.
2. Create two users, or modify two existing users, in OID and set their manager attribute so that they become members of the dynamic group.
3. In OAM Policy Manager, configure an OAM Authentication or Authorization Rule in a Policy Domain having:
   Allow Access: Any one (role)
   Deny Access: <dynamic group name>
   Allow takes precedence: No
4. Test access to the application resource using Access Tester for the two dynamic group members. Access Tester results will show Authorized: Yes although access should be denied.
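As an added illustration (not Oracle's code and not part of this note), the following Python script models the expected outcome of the rule above (Allow Access: Any one, Deny Access: the dynamic group, Allow takes precedence: No) and flags users whose Access Tester result disagrees with it. The LDIF text, the uniquemember DNs and the Access Tester observations are constructed assumptions.

```python
# Added example: compares the expected OAM rule outcome with observed Access Tester
# results. All sample data below is constructed for illustration.
from typing import Dict, List, Set

# Constructed LDIF in the shape returned by the ldapsearch shown earlier, with two
# hypothetical uniquemember values added.
SAMPLE_LDIF = """\
cn=dyngroup,cn=groups,dc=oracle,dc=com
description: dynamic group membership test
displayname: Test Dynamic Group
uniquemember: cn=alice,cn=users,dc=oracle,dc=com
uniquemember: cn=bob,cn=users,dc=oracle,dc=com
"""

def parse_uniquemembers(ldif: str) -> Set[str]:
    """Collect uniquemember DNs from ldapsearch LDIF output (attribute names compared case-insensitively)."""
    members = set()
    for line in ldif.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "uniquemember":
            members.add(value.strip().lower())  # DNs compare case-insensitively
    return members

def expected_decision(user_dn: str, deny_group_members: Set[str],
                      allow_anyone: bool = True, allow_takes_precedence: bool = False) -> bool:
    """Expected outcome for a rule with Allow Access: Any one and Deny Access: <dynamic group>.
    Returns True when the user should be authorized. With 'Allow takes precedence: No',
    a matching Deny condition wins over the Allow condition."""
    denied = user_dn.lower() in deny_group_members
    allowed = allow_anyone
    if denied and allowed:
        return allow_takes_precedence
    return allowed and not denied

def find_discrepancies(ldif: str, observed: Dict[str, bool]) -> List[str]:
    """Return the user DNs whose observed Access Tester result differs from the expected one."""
    members = parse_uniquemembers(ldif)
    return [dn for dn, authorized in observed.items()
            if expected_decision(dn, members) != authorized]

# Constructed Access Tester observations reproducing the symptom: group members still authorized.
OBSERVED = {
    "cn=alice,cn=users,dc=oracle,dc=com": True,
    "cn=bob,cn=users,dc=oracle,dc=com": True,
    "cn=carol,cn=users,dc=oracle,dc=com": True,
}

if __name__ == "__main__":
    for dn in find_discrepancies(SAMPLE_LDIF, OBSERVED):
        print(f"unexpected result for {dn}: dynamic group membership not honored")
```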