OAM 11g: Access Policy Constraints Only Use Relative Group Names (Doc ID 1457926.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Access Manager - Version 11.1.1.5.0 and later
Information in this document applies to any platform.

Symptoms

On: OAM SERVER version 11.1.1.5.0

ACTUAL BEHAVIOR
---------------
In the authorization policies, the group constraint offers only the RDN of the known groups. The case where several groups in the same User Identity Store share the same RDN is not handled.
--> Several entries are listed with the same RDN, for example cn=Group1.
--> When one of these RDNs is chosen, any user who is a member of any of the groups named cn=Group1 is able to enter.

EXPECTED BEHAVIOR
-----------------
OAM takes the full DN of the groups into account, not only the RDN.

STEPS
-----
The issue can be reproduced at will with the following steps:
1. Create two groups with the same RDN but different DNs (two separate branches) in the DIT:
        cn=sales,ou=dept1,dc=mycompany,dc=com
        cn=sales,ou=dept2,dc=mycompany,dc=com
2. Create an authorisation policy.
3. Select the Constraints tab > Group.
4. The two RDNs are proposed as valid groups. Select one of them.
5. Add user1 to the group cn=sales,ou=dept1,dc=mycompany,dc=com; add user2 to the group cn=sales,ou=dept1,dc=mycompany,dc=com.
6. Check that both users are able to access the resource protected by the policy created in step 2.
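The following Python script is an added illustration of the defect described in the steps above; it is not Oracle code and does not talk to OAM or an LDAP server. It builds a small constructed directory with the two cn=sales groups in different branches and evaluates the group constraint two ways: by RDN only (the behaviour reported here) and by full DN (the expected behaviour). It also includes an audit helper that lists RDNs shared by more than one group, which is the condition under which an RDN-only constraint over-grants. DN normalization is deliberately simplified (lower-casing and trimming); a real comparison would follow RFC 4514 matching rules.

```python
# Added example (not Oracle's code): models an authorization group
# constraint evaluated by RDN versus by full DN, over a constructed
# directory that reproduces the two cn=sales groups from the steps above.

# Constructed directory content: group DN -> list of member DNs.
DIRECTORY = {
    "cn=sales,ou=dept1,dc=mycompany,dc=com": [
        "uid=user1,ou=people,dc=mycompany,dc=com",
    ],
    "cn=sales,ou=dept2,dc=mycompany,dc=com": [
        "uid=user2,ou=people,dc=mycompany,dc=com",
    ],
    "cn=finance,ou=dept1,dc=mycompany,dc=com": [
        "uid=user3,ou=people,dc=mycompany,dc=com",
    ],
}


def normalize_dn(dn):
    """Simplified DN normalization for the example: lower-case every
    component and drop surrounding whitespace. Assumption: a real
    comparison should follow RFC 4514 matching rules; this is enough
    to show the point."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def rdn_of(dn):
    """Leftmost component of a DN, e.g. 'cn=sales'."""
    return normalize_dn(dn).split(",", 1)[0]


def groups_of(user_dn, directory=DIRECTORY):
    """All group DNs (normalized) that list the user as a member."""
    user = normalize_dn(user_dn)
    return {
        normalize_dn(group_dn)
        for group_dn, members in directory.items()
        if user in (normalize_dn(m) for m in members)
    }


def allowed_by_rdn(user_dn, constraint, directory=DIRECTORY):
    """The over-permissive check: the constraint is satisfied by any
    group whose RDN matches, whatever branch of the DIT it lives in."""
    wanted = rdn_of(constraint)
    return any(rdn_of(g) == wanted for g in groups_of(user_dn, directory))


def allowed_by_dn(user_dn, constraint_dn, directory=DIRECTORY):
    """The intended check: the user must be a member of exactly the
    group identified by the full DN in the constraint."""
    return normalize_dn(constraint_dn) in groups_of(user_dn, directory)


def ambiguous_rdns(directory=DIRECTORY):
    """Audit helper: RDNs shared by more than one group entry. Any such
    RDN makes an RDN-only constraint grant access to members of every
    group that shares it."""
    by_rdn = {}
    for group_dn in directory:
        by_rdn.setdefault(rdn_of(group_dn), []).append(normalize_dn(group_dn))
    return {r: sorted(dns) for r, dns in by_rdn.items() if len(dns) > 1}


if __name__ == "__main__":
    policy = "cn=sales,ou=dept1,dc=mycompany,dc=com"
    for user in ("uid=user1,ou=people,dc=mycompany,dc=com",
                 "uid=user2,ou=people,dc=mycompany,dc=com"):
        print(user, "by RDN:", allowed_by_rdn(user, policy),
              "by DN:", allowed_by_dn(user, policy))
    print("ambiguous RDNs:", ambiguous_rdns())
```

Running the script shows user2 passing the RDN-only check for the dept1 policy while failing the full-DN check, which is exactly the symptom above. The ambiguous_rdns helper is the check worth running against your own directory before relying on the group constraint: if it returns anything, the affected policies need to be reviewed.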

BUSINESS IMPACT
---------------
Any customer architecture that uses the same RDN for groups in different branches of the DIT is unable to use the policy group constraint.

Cause
