Leveraging OES to modify OOTB Admin Role Authorization in OIM

If your client makes use of the out-of-the-box admin roles in OIM 11gR2 PS2, you have no doubt run into a situation in which you need to grant additional authorization to one of those roles. This can be done by extending the domain to include Oracle Entitlements Server (OES) and creating a new authorization policy. Oracle has a good note on extending your domain, located here.

Recently a client asked that members of the OOTB HelpDesk admin role be able to modify an extranet lockout UDF on the user form, but without granting the role blanket Modify User authorization. Here is the procedure I followed to accomplish this.

1. Open the OES Authorization Policy Manager console, located at http://AdminServerHost:7001/apm (substitute your Admin Server host and port).

2. Navigate to Applications > OIM > OIMDomain > Authorization Policies > Open > New

3. Select Effect: Permit

4. Name the new policy:

  • Name: OrclOIMUserHelpDeskUserAttributesPolicy
  • Display Name: OIM User HelpDesk Policy for modification of user attributes
  • Description: This policy defines which user attributes a member of the HelpDesk role can modify without approval.

5. Assign the HelpDesk role as the principal. Open the Search Results tab on the left and search with the following values:

  • For: Application Roles
  • In: OIM
  • Filter: *help*
  • Drag and drop the HelpDesk role returned by the search onto the Principals section of the new policy

6. Click the green plus to add a new target:

  • Navigate to the Resources tab
  • Select Resource Expression
  • Select Resource Type: OIM User
  • Enter expression: .* (this matches every OIM User resource; the organization scoping obligations added in the next steps are what restrict which users the policy actually reaches)
  • Add to targets

7. Navigate to the Obligations tab and add a new obligation: OrclOIMUserHelpDeskModifyUserObligation

8. Add a new obligation attribute:

  • Name: OrclOIMOrgScopingWithHierarchy
  • Data Type: Attribute
  • Value: OrclOIMUserHelpDeskOrgsWithHierarchy

9. Add a new obligation attribute:

  • Name: OrclOIMOrgScopingDirect
  • Data Type: Attribute
  • Value: OrclOIMUserHelpDeskOrgsDirect

10. Add a new obligation attribute to define whether or not an approval request should be generated when modifying a user:

  • Name: OrclOIMNeedApproval
  • Data Type: Boolean
  • Value: False

11. Add a new obligation attribute listing the attributes the Help Desk must not modify without approval. Because OrclOIMNeedApproval is False, members of the role simply cannot change these attributes. Note that this is an exclusion list: every user-form attribute you leave off it becomes modifiable without approval, so enumerate everything the Help Desk should not touch, not just the obvious identity fields. Enter the attributes as a comma-separated list:

  • Name: OrclOIMDeniedAttributesWithoutApproval
  • Data Type: String
  • Value: First Name, Middle Name, Last Name, Start Date, End Date


12. Click Apply to save the new policy.
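To make the obligation semantics concrete, here is an added Python model of how the policy built in steps 1 through 12 gates a Help Desk member's modify request. This is example code written for this post, not OIM or OES code: the order in which the checks run, the organization names and the "Extranet Lockout" attribute name are assumptions, while the obligation values are the ones entered in steps 8 through 11.

```python
# Added example (not OIM/OES code): a model of how the Permit policy built in
# steps 1-12 gates a Help Desk user's "modify user" request. How OIM orders
# the checks internally is not documented on this page; the order used here
# (organization scope, then the denied-attribute list, then the approval
# flag) is an assumption made to illustrate what each obligation attribute
# controls. Organization and attribute names below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Obligation:
    """The obligation attributes from steps 8-11, as the APM console stores them."""
    orgs_with_hierarchy: frozenset   # OrclOIMOrgScopingWithHierarchy
    orgs_direct: frozenset           # OrclOIMOrgScopingDirect
    need_approval: bool              # OrclOIMNeedApproval
    denied_without_approval: str     # OrclOIMDeniedAttributesWithoutApproval (raw CSV)


# Constructed organization tree: child -> parent (None means top level).
ORG_PARENT = {
    "Xellerate Users": None,
    "Contractors": "Xellerate Users",
    "Partners": None,
    "Partner Contractors": "Partners",
    "Vendors": None,
}

# The values from the procedure, with assumed scoping: the Help Desk role was
# granted on "Xellerate Users" including its hierarchy, and on "Partners" directly.
HELPDESK_OBLIGATION = Obligation(
    orgs_with_hierarchy=frozenset({"Xellerate Users"}),
    orgs_direct=frozenset({"Partners"}),
    need_approval=False,
    denied_without_approval="First Name, Middle Name, Last Name, Start Date, End Date",
)

# Constructed user-form attribute set, including the custom UDF the client needed.
USER_FORM_ATTRS = frozenset({
    "First Name", "Middle Name", "Last Name", "Start Date", "End Date",
    "Email", "Manager", "Organization", "Extranet Lockout",
})


def parse_attribute_list(raw: str) -> frozenset:
    """Split the comma-separated value typed into APM, dropping surrounding whitespace."""
    return frozenset(name.strip() for name in raw.split(",") if name.strip())


def org_chain(org):
    """Yield org and each of its ancestors, walking up ORG_PARENT."""
    while org is not None:
        yield org
        org = ORG_PARENT.get(org)


def in_scope(target_org: str, obl: Obligation) -> bool:
    """Direct scoping matches the target's own org only; hierarchy scoping also matches any ancestor."""
    if target_org in obl.orgs_direct:
        return True
    return any(org in obl.orgs_with_hierarchy for org in org_chain(target_org))


def evaluate(requested_attrs, target_org: str, obl: Obligation) -> str:
    """Decide a modify request: 'PERMIT', 'DENY' or 'REQUIRES_APPROVAL'."""
    if not in_scope(target_org, obl):
        return "DENY"
    gated = parse_attribute_list(obl.denied_without_approval) & frozenset(requested_attrs)
    if gated:
        # A gated attribute is touched: with OrclOIMNeedApproval=True the change
        # would be routed to an approval request; with False it is refused outright.
        return "REQUIRES_APPROVAL" if obl.need_approval else "DENY"
    return "PERMIT"


def attributes_left_open(form_attrs, obl: Obligation) -> frozenset:
    """Everything on the form that the deny list does not name is modifiable without approval."""
    return frozenset(form_attrs) - parse_attribute_list(obl.denied_without_approval)


if __name__ == "__main__":
    print(evaluate(["Extranet Lockout"], "Contractors", HELPDESK_OBLIGATION))
    print(evaluate(["Extranet Lockout", "Last Name"], "Contractors", HELPDESK_OBLIGATION))
    print(evaluate(["Extranet Lockout"], "Partner Contractors", HELPDESK_OBLIGATION))
    print(sorted(attributes_left_open(USER_FORM_ATTRS, HELPDESK_OBLIGATION)))
```

The last function is the one worth running before you commit the policy: with the deny list from step 11, Email, Manager and Organization stay modifiable by the Help Desk alongside the extranet lockout UDF, which is more than the client asked for.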

At this point you may be asking yourself why the new policy is not working as expected. That is because OOTB OIM 11gR2 PS2 does not correctly evaluate newly created authorization policies. This is a bug, and the fix is to apply OIM one-off patch 19049156 to your OIM Oracle Home.

Questions, comments or concerns? Feel free to reach out to us below, or email us at IDMWORKS to learn more about how you can protect your organization and customers.