“Failed to modify policy! : The subject field in a rule cannot be longer than 2000 characters” error while importing OES policies in 10g

The requirement is to add an authorization policy for permissions (containing Roles + LDAP Groups) for a resource against an action. I have exported the policy XML from the OES using policyIX.sh and tried updating the authorization policy. The ATZ policy XML block will be as shown below:

<xb:authorization_policy_entry>
  <xb:policy_effect value="grant"/>
  <xb:policy_actions>
    <xb:policy_action_entry value="MyAction"/>
  </xb:policy_actions>
  <xb:policy_resources>
    <xb:policy_resource_entry value="//resources/MyApp/MyResource"/>
  </xb:policy_resources>
  <xb:policy_subjects>
    <xb:policy_group_entry name="Group1" directory="TMobileDir" scope="RootOrg!TMobileOrg"/>
    <xb:policy_group_entry name="Group2" directory="TMobileDir" scope="RootOrg!TMobileOrg"/>
    <xb:policy_group_entry name="Group3" directory="TMobileDir" scope="RootOrg!TMobileOrg"/>
    <xb:policy_group_entry name="Group4" directory="TMobileDir" scope="RootOrg!TMobileOrg"/>
    …………………
    …………………
    <xb:policy_role_entry value="Role1"/>
    <xb:policy_role_entry value="Role2"/>
    …………………
    …………………
  </xb:policy_subjects>
</xb:authorization_policy_entry>

Please note that Groups should be placed first and then Roles in the Policy Subjects.

I tried importing the XML using policyIX.sh, which resulted in the error below.

Importing roles …

all roles finished

Importing policies …

Policy Propagation is terminated

failed to create application RootOrg!MyOrg!MyApp for

failed to create authorization policy: Policy Text = grant ( MyAction, //resources/MyApp/MyResource, [GROUP:RootOrg!MyOrg:LDAPDir:Group1, GROUP:RootOrg!MyOrg:LDAPDir:Group2, GROUP:RootOrg!MyOrg:LDAPDir:Group3, ………………………………………………………
………………………………………………………
………………………………………………………
, ROLE:Role1, ROLE:Role2, ROLE:Role3,
………………………………………………………
………………………………………………………
………………………………………………………
ROLE:Role40]) if true; for

The subject field in a rule cannot be longer than 2000 characters.

It is perhaps clear from the error that the maximum size limit for the policy subject value is 2000 characters. So I counted the characters using a tool and found it to be around 2400 characters.

So the next attempt was to include just the Roles in the policy subjects; I imported the policy and it went through. I then tried manually adding the Groups to the policy subjects using the OES Admin console, which resulted in the error below.

The next attempt was to create a new authorization policy with just the Groups in the policy subjects, and then the import was successful. So in total I created two authorization policies for the same set of actions and resources, but separated the policy subjects into Roles in one and Groups in the other.
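
The same split can be worked out before running the import. The Python sketch below is an added example, not part of the original post or of OES: it renders subjects as they appear in the error's Policy Text and packs an over-long subject list into several policy entries that each stay within 2000 characters, generalizing the Roles/Groups split described above. The function names, the sample subjects, and the assumption that the limit counts the bracketed, comma-separated list are illustrative.

```python
from xml.sax.saxutils import quoteattr

def render(s):  # one subject, as the error's Policy Text shows it
    if s["kind"] == "group":
        return "GROUP:%s:%s:%s" % (s["scope"], s["directory"], s["name"])
    return "ROLE:" + s["name"]

def field_length(subjects):
    # Assumption: the limit counts the bracketed, comma-separated list.
    return len("[" + ", ".join(render(s) for s in subjects) + "]")

def split_subjects(groups, roles, limit=2000):
    """Greedily pack subjects (groups first, then roles) into chunks within the limit."""
    chunks, current = [], []
    for s in list(groups) + list(roles):
        if current and field_length(current + [s]) > limit:
            chunks.append(current)
            current = []
        current.append(s)
        if field_length(current) > limit:
            raise ValueError("subject alone exceeds limit: " + render(s))
    if current:
        chunks.append(current)
    return chunks

def policy_entry(subjects, action, resource, effect="grant"):
    """Emit one authorization_policy_entry in the export format shown above."""
    out = ["<xb:authorization_policy_entry>",
           "<xb:policy_effect value=%s/>" % quoteattr(effect),
           "<xb:policy_actions>",
           "<xb:policy_action_entry value=%s/>" % quoteattr(action),
           "</xb:policy_actions>", "<xb:policy_resources>",
           "<xb:policy_resource_entry value=%s/>" % quoteattr(resource),
           "</xb:policy_resources>", "<xb:policy_subjects>"]
    for s in subjects:
        if s["kind"] == "group":
            out.append("<xb:policy_group_entry name=%s directory=%s scope=%s/>" % tuple(
                quoteattr(s[k]) for k in ("name", "directory", "scope")))
        else:
            out.append("<xb:policy_role_entry value=%s/>" % quoteattr(s["name"]))
    return "\n".join(out + ["</xb:policy_subjects>", "</xb:authorization_policy_entry>"])

# Constructed sample subjects (not from the original export).
GROUPS = [{"kind": "group", "name": "Group%d" % i, "directory": "LDAPDir",
           "scope": "RootOrg!MyOrg"} for i in range(1, 61)]
ROLES = [{"kind": "role", "name": "Role%d" % i} for i in range(1, 41)]
for chunk in split_subjects(GROUPS, ROLES):  # one policy entry per chunk
    print(len(chunk), "subjects,", field_length(chunk), "characters")
```

Each chunk keeps Groups ahead of Roles, matching the ordering note above, and each becomes its own authorization policy for the same action and resource.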


About the Author Mahendra

I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On, federation capabilities, etc. I am also well versed in complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience on the products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory, etc. Look at my blog: http://talkidentity.blogspot.com
