
OAM 11g: Access Policy Constraints Only Use Relative Group Names (Doc ID 1457926.1)

Last updated on MAY 24, 2022

Applies to:

Oracle Access Manager - Version 11.1.1.5.0 and later
Information in this document applies to any platform.

Symptoms

On : OAM SERVER version 11.1.1.5.0 

ACTUAL BEHAVIOR
---------------
In the authorization policies, the group constraint offers only the RDN of the known groups. The case where several groups in the same User Identity Store share the same RDN is not handled:
--> Several entries are listed with the same RDN, for example cn=Group1.
--> When one of these RDNs is selected, any user who is a member of any of the groups named cn=Group1 is granted access.

EXPECTED BEHAVIOR
-----------------------
OAM should take the full DN of the groups into account, so that only members of the selected group are authorized.

STEPS
-----------------------
The issue can be reproduced at will with the following steps:
1. Create two groups with the same RDN but different DNs (two separate branches) in the DIT:
        cn=sales,ou=dept1,dc=<COMPANY>
        cn=sales,ou=dept2,dc=<COMPANY>
2. Create an authorization policy.
3. Select the Constraints tab > Group.
4. The two groups are proposed only by their RDN, as if they were one valid group. Select one of them.
5. Add user1 to the group cn=sales,ou=dept1,dc=<COMPANY> and user2 to the group cn=sales,ou=dept2,dc=<COMPANY>.
6. Verify that both users are able to access the resource protected by the policy created in step 2, even though only one of the two groups was selected.
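The following is an added example, not code from the Oracle note or from OAM itself. It models the two evaluation behaviours described above (matching the selected group by RDN only versus by full DN) against a constructed LDIF, and adds the check a practitioner would want before relying on the group constraint: a scan for group RDNs that collide within one identity store. The LDIF data, the dc=example suffix standing in for dc=<COMPANY>, and the function names are all assumptions made for the example.

```python
"""Added example (not from the Oracle note or OAM): model the RDN-vs-DN
mismatch described above and detect colliding group RDNs in a directory.

Assumptions: LDIF below is constructed sample data; members_by_rdn() and
members_by_dn() are models of the reported and expected behaviour, not
OAM's implementation. The sample stands in for the LDIF you would export
from your own User Identity Store."""

# Constructed sample DIT: two groups with the same RDN in different branches
# (one user in each) plus an unrelated group, mirroring the reproduction steps.
LDIF = """\
dn: cn=sales,ou=dept1,dc=example
objectClass: groupOfNames
cn: sales
member: uid=user1,ou=people,dc=example

dn: cn=sales,ou=dept2,dc=example
objectClass: groupOfNames
cn: sales
member: uid=user2,ou=people,dc=example

dn: cn=marketing,ou=dept1,dc=example
objectClass: groupOfNames
cn: marketing
member: uid=user3,ou=people,dc=example
"""


def parse_ldif(text):
    """Minimal LDIF parser returning {dn: {attribute: [values]}}.
    Only the simple one-line "attr: value" form used above is handled."""
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None          # blank line ends the current entry
            continue
        attr, _, value = line.partition(": ")
        attr = attr.lower()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def rdn(dn):
    """First component of a DN, lower-cased: 'cn=sales' for 'cn=sales,ou=dept1,dc=example'."""
    return dn.split(",", 1)[0].strip().lower()


def members_by_rdn(entries, group_rdn):
    """Model of the reported behaviour: the constraint keeps only the RDN, so every
    group whose RDN matches contributes its members to the allowed set."""
    users = set()
    for dn, attrs in entries.items():
        if rdn(dn) == group_rdn.lower():
            users.update(attrs.get("member", []))
    return users


def members_by_dn(entries, group_dn):
    """Expected behaviour: match on the full DN, so only that one group counts."""
    return set(entries.get(group_dn, {}).get("member", []))


def rdn_collisions(entries):
    """Pre-deployment check: group RDNs shared by more than one group in the store.
    Any RDN listed here cannot be used safely in an RDN-only group constraint."""
    seen = {}
    for dn, attrs in entries.items():
        classes = [v.lower() for v in attrs.get("objectclass", [])]
        if "groupofnames" in classes:
            seen.setdefault(rdn(dn), []).append(dn)
    return {r: dns for r, dns in seen.items() if len(dns) > 1}


def is_authorized(user_dn, entries, group_dn, match_on_dn):
    """Authorization decision for one user under either matching model."""
    if match_on_dn:
        allowed = members_by_dn(entries, group_dn)
    else:
        allowed = members_by_rdn(entries, rdn(group_dn))
    return user_dn in allowed


if __name__ == "__main__":
    store = parse_ldif(LDIF)
    selected = "cn=sales,ou=dept1,dc=example"   # the group picked in the policy
    for user in ("uid=user1,ou=people,dc=example", "uid=user2,ou=people,dc=example"):
        print(user,
              "RDN-only:", is_authorized(user, store, selected, match_on_dn=False),
              "full DN:", is_authorized(user, store, selected, match_on_dn=True))
    print("colliding group RDNs:", rdn_collisions(store))
```

Run against a real export (`ldapsearch -LLL` output works with this parser as long as values are not base64-encoded or line-wrapped), `rdn_collisions()` lists exactly the groups for which the constraint in this note is unsafe; user2 is authorized under the RDN-only model and denied under the full-DN model, which is the behaviour the reproduction steps show.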

BUSINESS IMPACT
-----------------------
Any customer architecture that uses the same RDN for several groups in its DIT cannot rely on the policy group constraint.

Changes

 

Cause




