Saturday, December 10, 2016

OIM 11g PS3 : Creating Access Policies using OIM Client APIs

This post is about creating Access Policies in OIM programmatically using Java APIs provided by OIM. Access policies are used in OIM for automatic provisioning of target systems to users.

To start, there is a very good Oracle Blog on OIM Java APIs. Download the code through the link provided in the blog, this will help in setting up the initial code structure and creating connection with OIM. Provide the OIM connection details as per your environment in Client.java and see if you are able to connect.

Copy Authwl.conf

Client.java
 package oim.client;  
 import java.util.Hashtable;  
 import oracle.iam.platform.OIMClient;  
 //===================================================================  
 public abstract class Client  
 //===================================================================  
 {  

   private static final String OIM_URL = "t3://:14000"; // OIM 11g deployment  
   private static final String AUTH_CONF = ""; // "/app/oracle/product/ofm/Oracle_IAM1/server/config/authwl.conf"  
   private static final String APPSERVER_TYPE = "wls";  
   private static final String WEBLOGIC_NAME = "<OIM Managed Server Name>";  
   protected static final String OIM_USERNAME = "<OIM Admin Username>";  
   protected static final String OIM_PASSWORD = "<Password>";   
   protected static final String NULL = "(null)";  
   protected static final String NL = "\n";  
   protected static final String SP = "\t";  
   protected OIMClient _oimClientAuthen = null;  
   protected OIMClient _oimClientAnon = null;  
   //----------------------------------------------------------------  
   public Client() throws Exception  
   //----------------------------------------------------------------  
   {  
    Hashtable<String, String> env = new Hashtable<String, String>();  
    System.setProperty("java.security.auth.login.config", AUTH_CONF);  
    System.setProperty("APPSERVER_TYPE", APPSERVER_TYPE);  
    System.setProperty("weblogic.Name", WEBLOGIC_NAME);  
    env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, "weblogic.jndi.WLInitialContextFactory");  
    env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, OIM_URL);  
    _oimClientAuthen = new OIMClient(env);  
    _oimClientAuthen.login(OIM_USERNAME, OIM_PASSWORD.toCharArray());  
    _oimClientAnon = new OIMClient(env);  
    return;  
   }  
   //----------------------------------------------------------------  
   protected abstract void execute() throws Exception;  
   //----------------------------------------------------------------

There are two types of OIM Java apis - Old Thor APIs & New Oracle APIs. I am not able to find any method under new Oracle APIs to create Access policy, so I used the old Thor API to do that. I used the new Oracle APIs to populate Access policy data, parent and child process forms, and assigning Access policies to role. 

 package oim.client.policy;  
 import oim.client.Client;  
 //General Java Imports  
 import java.util.ArrayList;  
 import java.util.HashMap;  
 import java.util.List;  
 import java.util.Map;  
 //Thor APIs  
 import com.thortech.xl.vo.AccessPolicyResourceData;  
 import Thor.API.tcResultSet;  
 import Thor.API.Operations.tcAccessPolicyOperationsIntf;  
 import Thor.API.Operations.tcAccessPolicyOperationsIntf.PolicyNLAObjectActionType;  
 //OIM 11g R2 APIs  
 import java.util.Collections;  
 import oracle.iam.accesspolicy.api.AccessPolicyService;  
 import oracle.iam.provisioning.api.ApplicationInstanceService;  
 import oracle.iam.identity.rolemgmt.api.RoleManager;  
 import oracle.iam.identity.rolemgmt.vo.Role;  
 import oim.client.role.ClientRole;  
 import oracle.iam.identity.rolemgmt.api.RoleManagerConstants;  
 import oracle.iam.platform.entitymgr.vo.SearchCriteria;  
 import oracle.iam.platform.entitymgr.vo.SearchRule;  
 import oracle.iam.provisioning.exception.ApplicationInstanceNotFoundException;  
 import oracle.iam.provisioning.exception.GenericAppInstanceServiceException;  
 import oracle.iam.provisioning.vo.ApplicationInstance;  
 import oracle.iam.provisioning.vo.FormField;  
 import oracle.iam.provisioning.vo.FormInfo;  
 public abstract class ClientPolicy extends Client {  
   protected AccessPolicyService _service = null;  
   protected ApplicationInstanceService _appInstanceService = null;  
   protected tcAccessPolicyOperationsIntf _moAccesspolicyutility = null;  
   public RoleManager rmgr;  
   //----------------------------------------------------------------  
   public ClientPolicy() throws Exception  
   //----------------------------------------------------------------  
   {  
     super();  
     //Get all the services instances  
     _service = _oimClientAuthen.getService(AccessPolicyService.class);  
     _moAccesspolicyutility =  
         _oimClientAuthen.getService(tcAccessPolicyOperationsIntf.class);  
     rmgr = _oimClientAuthen.getService(RoleManager.class);  
     _appInstanceService =  
         _oimClientAuthen.getService(ApplicationInstanceService.class);  
     return;  
   }  
   /**  
    * Create Access Policy and return key  
    * @param policyName  
    * @param accessPolicy  
    * @param appInstanceName - Currently code works only for OUD App Instance  
    * @param groupList  
    * @return  
    */  
   public long createAccessPolicy(String policyName, String accessPolicy,  
                   String appInstanceName, List<String> groupList) {  
     long policyKey = 0;  
     try {  
       HashMap<String, String> attr = new HashMap<String, String>();  
       ApplicationInstance appInstance =  
         findApplicationInstanceByName(appInstanceName);  
       //Resource Objects and IT Resource Key and names  
       Long objKey = appInstance.getObjectKey();  
       String objName = appInstance.getObjectName();  
       String itResourceKey =  
         Long.toString(appInstance.getItResourceKey());  
       //Get Parent Form and Child Form  
       FormInfo parentForm = appInstance.getAccountForm();  
       long parentFormKey = parentForm.getFormKey();  
       String parentFormName = parentForm.getName();  
       FormInfo childFormGrp = appInstance.getChildForms().get(0);  
       long childFormGrpKey = childFormGrp.getFormKey();  
       String childFormGrpName = childFormGrp.getName();  
       //Access Policy attributes  
       //Check https://docs.oracle.com/cd/E52734_01/oim/OMJAV/Thor/API/Operations/tcAccessPolicyOperationsIntf.html  
       attr.put("Access Policies.Name", policyName); // Policy Name  
       attr.put("Access Policies.Description", accessPolicy);  
       attr.put("Access Policies.Retrofit Flag", "1"); // Retrofit Flag  
       //Resource Object Key to be provisioned  
       long[] provObjKeys = { objKey };   
       PolicyNLAObjectActionType[] actionIfPolNotApply = { PolicyNLAObjectActionType.REVOKE }; //Revoke If No Longer Applies Flag  
       long[] denyObjKeys = { }; //Object key of Resource to be denied  
       //Populate Parent Form Data  
       HashMap<String, String> parentFormData =  
         new HashMap<String, String>();  
       //Check the process form for the resource object to get the column names  
       //These field names are only applicable for OUD Application Instance  
       parentFormData.put("UD_LDAP_USR_SERVER", itResourceKey);  
       parentFormData.put("UD_LDAP_USR_ORGANIZATION",  
                 itResourceKey + "~" +  
                 "ou=People,dc=idmworks,dc=com");  
       //Set Parent Form Data  
       int groupLength =  
         groupList.size(); // Get the count of the no of groups or entititlements to be provisioned  
       AccessPolicyResourceData policyData[] =  
         new AccessPolicyResourceData[groupLength];  
       String groupPrefix = itResourceKey + "~";  
       //Populate Child Form Data  
       for (int i = 0, j = 0; i < groupLength; i++, j++) {  
         String groupName = groupPrefix + groupList.get(i).trim();  
         System.out.println(groupName);  
         policyData[j] =  
             new AccessPolicyResourceData(objKey, objName, parentFormKey,  
                            parentFormName, "P");  
         policyData[j].setFormData(parentFormData);  
         //Create a map to put child form fields values  
         HashMap childTableMap = new HashMap();  
         //For OUD App Instance - Child   
         childTableMap.put("UD_LDAP_GRP_GROUP_NAME", groupName);  
         policyData[j].addChildTableRecord(Long.toString(childFormGrpKey),  
                          "fChildName", "Add",  
                          childTableMap);  
       }  
       policyKey =  
           _moAccesspolicyutility.createAccessPolicy(attr, provObjKeys,  
                                actionIfPolNotApply,  
                                denyObjKeys,  
                                policyData);  
     } catch (Exception e) {  
       e.printStackTrace();  
     }  
     return policyKey;  
   }  

   /**  
    * Assign access policy to role  
    * @param roleName  
    * @param policyName  
    * @throws Exception  
    */  
   public void assignAccessPolicyToRole(String roleName,  
                      String policyName) throws Exception {  
     SearchCriteria criteria = null;  
     List<Role> roles = Collections.EMPTY_LIST;      
     // Search for roles by role name  
     criteria = new SearchCriteria(RoleManagerConstants.ROLE_NAME, roleName, SearchCriteria.Operator.EQUAL);  
     roles = rmgr.search(criteria, null, null);  
     if (roles.isEmpty()) {  
       System.out.println("Role not found");  
       return;  
     } else {  
       HashMap<String, Object> mapAttrs = new HashMap<String, Object>();  
       //Add the list of access polices to add  
       //Key: "Add" and Value - Access Policy Keys List  
       Map<String, List<String>> accessPoliciesMap =  
         new HashMap<String, List<String>>();  
       List<String> accessPoliciesAddList = new ArrayList<String>();  
       accessPoliciesAddList.add(Long.toString(getAccessPolicyKey(policyName)));  
       accessPoliciesMap.put("ADD", accessPoliciesAddList);  
       mapAttrs.put(RoleManagerConstants.ACCESS_POLICIES,  
              accessPoliciesMap);  
       Role role = new Role(mapAttrs);  
       rmgr.modify(RoleManagerConstants.ROLE_NAME, roleName, role);  
     }  
   }  
   /**  
    * Get Access policy key  
    * @param policyName  
    * @return  
    * @throws Exception  
    */  
   private long getAccessPolicyKey(String policyName) throws Exception {  
     HashMap attributeList = new HashMap();  
     attributeList.put("Access Policies.Name", policyName);  
     long policyKey = 0;  
     tcResultSet result =  
       _moAccesspolicyutility.findAccessPolicies(attributeList);  
     if (!result.isEmpty()) {  
       result.goToRow(0);  
       policyKey = result.getLongValue("Access Policies.Key");  
     }  
     return policyKey;  
   }  
   /**  
    * Find Application Instance By Name  
    * @param applicationInstanceName  
    * @return  
    * @throws ApplicationInstanceNotFoundException  
    * @throws GenericAppInstanceServiceException  
    */  
   private ApplicationInstance findApplicationInstanceByName(String applicationInstanceName) throws ApplicationInstanceNotFoundException,  
       GenericAppInstanceServiceException {  
     ApplicationInstance appInstance =  
       _appInstanceService.findApplicationInstanceByName(applicationInstanceName);  
     return appInstance;  
   }   
 }






Posted by at
Labels:

2 comments:

Subscribe to: Post Comments (Atom)