
OAM 11g: Access Policy Constraints Only Use Relative Group Names (Doc ID 1457926.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Access Manager - Version and later
Information in this document applies to any platform.


On : OAM SERVER version 

In authorization policies, the group constraint offers only the RDN of the known groups. The case where several groups in the same User Identity Store share the same RDN is not handled:
--> Several entries are listed with the same RDN, for example cn=Group1.
--> When one of these RDNs is chosen, any user who is a member of any of the groups with RDN cn=Group1 is granted access.

OAM should take the full DN of the groups into account, not only the RDN.

The issue can be reproduced at will with the following steps:
1. Create two groups with the same RDN but different DNs (two separate branches) in the DIT.
2. Create an authorization policy.
3. Select the Constraints tab > Group.
4. The RDN is proposed as a valid group. Select it.
5. Add user1 to the first group (for example cn=sales,ou=dept1,dc=mycompany,dc=com) and add user2 to the second group, which has the same RDN cn=sales but sits in the other branch.
6. Check that both users are able to access the resource protected by the policy created in step 2.
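The following is an added example, not Oracle code from this document, that models the behaviour described in the steps above. It builds a constructed LDIF with two groupOfUniqueNames entries sharing the RDN cn=sales (the second branch, ou=dept2, is an assumption; the document does not name it), then evaluates the group constraint once by RDN only (the reported behaviour) and once by full DN (the expected behaviour). It also includes an audit helper that lists duplicate group RDNs, which is the check an administrator would run before relying on group constraints in an affected DIT.

```python
"""Why matching a group constraint by RDN alone is unsafe.

Added example, not Oracle code. SAMPLE_LDIF is constructed for this
example; ou=dept2 is an assumed second branch.
"""
from collections import defaultdict

# Constructed sample DIT: two groups named cn=sales in separate branches.
SAMPLE_LDIF = """\
dn: cn=sales,ou=dept1,dc=mycompany,dc=com
objectClass: groupOfUniqueNames
cn: sales
uniqueMember: uid=user1,ou=people,dc=mycompany,dc=com

dn: cn=sales,ou=dept2,dc=mycompany,dc=com
objectClass: groupOfUniqueNames
cn: sales
uniqueMember: uid=user2,ou=people,dc=mycompany,dc=com

dn: cn=finance,ou=dept1,dc=mycompany,dc=com
objectClass: groupOfUniqueNames
cn: finance
uniqueMember: uid=user3,ou=people,dc=mycompany,dc=com
"""


def parse_ldif(text):
    """Minimal LDIF parser: returns {dn: {attr: [values]}}.

    Handles only the single-line attributes used here (no base64 values,
    no line continuations); attribute names are lower-cased.
    """
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        dn = None
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = value
            else:
                attrs[key].append(value)
        if dn is not None:
            entries[dn] = dict(attrs)
    return entries


def rdn(dn):
    """First component of a DN, e.g. 'cn=sales' for both sample groups."""
    return dn.split(",", 1)[0].strip().lower()


def members_of(entries, selector, by_dn):
    """Union of the members of every group the selector matches.

    by_dn=True : selector is a full DN, so exactly one group matches
                 (the correct check).
    by_dn=False: selector is an RDN, so every group with that RDN matches
                 (the behaviour described in the document).
    """
    members = set()
    for dn, attrs in entries.items():
        if by_dn:
            match = dn.lower() == selector.lower()
        else:
            match = rdn(dn) == selector.lower()
        if match:
            members.update(m.lower() for m in attrs.get("uniquemember", []))
    return members


def is_authorized(entries, user_dn, group_selector, by_dn):
    """True if user_dn satisfies the group constraint under the chosen matching."""
    return user_dn.lower() in members_of(entries, group_selector, by_dn)


def find_duplicate_group_rdns(entries):
    """Audit helper: group RDNs that occur more than once in the DIT."""
    by_rdn = defaultdict(list)
    for dn, attrs in entries.items():
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if "groupofuniquenames" in classes:
            by_rdn[rdn(dn)].append(dn)
    return {r: sorted(dns) for r, dns in by_rdn.items() if len(dns) > 1}


if __name__ == "__main__":
    dit = parse_ldif(SAMPLE_LDIF)
    user2 = "uid=user2,ou=people,dc=mycompany,dc=com"
    dept1_sales = "cn=sales,ou=dept1,dc=mycompany,dc=com"
    print("RDN-only match admits user2:", is_authorized(dit, user2, "cn=sales", by_dn=False))
    print("Full-DN match rejects user2:", not is_authorized(dit, user2, dept1_sales, by_dn=True))
    print("Ambiguous group RDNs:", find_duplicate_group_rdns(dit))
```

Against a live directory the same audit amounts to searching the identity store for its group object class, returning only the DN, and looking for repeated first components; any RDN reported by find_duplicate_group_rdns cannot be safely used as a group constraint on the affected OAM version.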

Any customer architecture that uses the same RDN for several groups in its DIT cannot safely use the policy group constraint.



This document is being delivered to you via Oracle Support's Rapid Visibility (RaV) process and therefore has not been subject to an independent technical review.