Policies import failed in OES 10g

I have created an XML file describing various OES elements such as Actions, Resources, Roles, Role Policies and Authorization Policies.

What already exists in OES?

The application was created through the OES Admin console, and the necessary identities (groups and users) were added in the OES console (choose the ASI console).

Importing the policies:

$ ./policyIX.sh -import -disableTransaction ../config/App_policyIX_config.xml  App_Policies.xml

Error in the command output:

Uploading file:/opt/oracle/bea/wls10_3/ales32-admin/bin/../config/App_policyIX_config.xml 
Upload complete
Uploading file:/opt/oracle/bea/wls10_3/ales32-admin/bin/App_Policies.xml
Upload complete
Policy Propagation is terminated

invalid xml element found:

>> /opt/oracle/bea/wls10_3/ales32-admin/asiDomain/../work/PolicyPropagation/policy.xml:0: error: cvc-complex-type.2.4a: Expected element 'policy_role_entry@http://policypropagation.ales.com/xmlbean' instead of 'policy_group_entry@http://policypropagation.ales.com/xmlbean' here in element policy_subjects@http://policypropagation.ales.com/xmlbean

>> /opt/oracle/bea/wls10_3/ales32-admin/asiDomain/../work/PolicyPropagation/policy.xml:0: error: cvc-complex-type.2.4a: Expected element 'policy_role_entry@http://policypropagation.ales.com/xmlbean' instead of 'policy_group_entry@http://policypropagation.ales.com/xmlbean' here in element policy_subjects@http://policypropagation.ales.com/xmlbean

There was no clue in the OES Admin server log. Here is my troubleshooting process:

  1. Keep only the resource and action elements in the policy XML and comment out the roles and policies. The import succeeds and the changes appear in the OES console. Proceed to step 2.
  2. Keep only resources, actions and roles and comment out the policies. The import succeeds and the changes appear in the OES console. Proceed to step 3.
  3. Keep only resources, actions, roles and role mapping policies and comment out the authorization policies. The import succeeds and the changes appear in the OES console. Proceed to step 4.
  4. There are around 5 authorization policies. Most of them use only roles as subjects; only 1 policy uses a combination of roles and groups. So I commented out the authorization policy containing the combination of roles and groups and kept only the authorization policies whose subjects are roles alone. The import succeeds and the changes appear in the OES console. Proceed to step 5.
  5. Uncomment the previously commented-out authorization policy. The import fails with the same error. The order of its subjects is shown below; observe that the roles are placed before the groups. I swapped the order so that the groups come first and the roles later, and the import was successful this time.

    <xb:policy_subjects>
        <xb:policy_role_entry value="Role1" />
        <xb:policy_role_entry value="Role2" />
        <xb:policy_group_entry name="Group1"
            directory="OIDDir" scope="RootOrg!MyOrg" />
        <xb:policy_group_entry name="Group2"
            directory="OIDDir" scope="RootOrg!MyOrg" />
    </xb:policy_subjects>

To summarize: ordering the subjects with the groups first and the roles second did the trick! A simple one, but it ate a lot of my time.

Every time the policies are imported, the existing data is deleted and recreated from the policy XML. I hope this tip saves a lot of time for people writing a huge policy XML by hand.
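Because an import wipes and recreates the existing policy data, it is worth catching this ordering error before running policyIX.sh. The following pre-flight script is an added example, not part of the original post or of the OES tooling: it uses the xmlbean namespace from the error message above, but the wrapper element names around policy_subjects (policies, authorization_policy) are assumptions, and any subject child types other than group and role entries are simply kept after them.

```python
"""Pre-flight check for an OES policy XML: inside each <xb:policy_subjects>
the schema wants every policy_group_entry before any policy_role_entry
(that is what the cvc-complex-type.2.4a error above complains about)."""
import xml.etree.ElementTree as ET

NS = "http://policypropagation.ales.com/xmlbean"   # namespace from the error message
ET.register_namespace("xb", NS)
GROUP = f"{{{NS}}}policy_group_entry"
ROLE = f"{{{NS}}}policy_role_entry"
SUBJECTS = f".//{{{NS}}}policy_subjects"

# Constructed sample in the failing order from the post (roles before groups).
# The wrapper element names are assumptions; only policy_subjects matters here.
SAMPLE = f"""<xb:policies xmlns:xb="{NS}">
  <xb:authorization_policy name="DemoPolicy">
    <xb:policy_subjects>
      <xb:policy_role_entry value="Role1"/>
      <xb:policy_role_entry value="Role2"/>
      <xb:policy_group_entry name="Group1" directory="OIDDir" scope="RootOrg!MyOrg"/>
      <xb:policy_group_entry name="Group2" directory="OIDDir" scope="RootOrg!MyOrg"/>
    </xb:policy_subjects>
  </xb:authorization_policy>
</xb:policies>"""


def subject_orders(xml_text):
    """Per <policy_subjects> block, the sequence of its child element names."""
    root = ET.fromstring(xml_text)
    return [[c.tag.split("}")[-1] for c in subj] for subj in root.iterfind(SUBJECTS)]


def misordered_blocks(xml_text):
    """Indexes of the subjects blocks in which a role entry precedes a group entry."""
    bad = []
    for i, names in enumerate(subject_orders(xml_text)):
        seen_role = False
        for name in names:
            seen_role = seen_role or name == "policy_role_entry"
            if name == "policy_group_entry" and seen_role:
                bad.append(i)
                break
    return bad


def fix_order(xml_text):
    """Return the XML with each subjects block rewritten as groups, then roles,
    keeping the relative order within each kind; other children follow (assumption)."""
    root = ET.fromstring(xml_text)
    for subj in root.iterfind(SUBJECTS):
        children = list(subj)
        for c in children:
            subj.remove(c)
        subj.extend([c for c in children if c.tag == GROUP]
                    + [c for c in children if c.tag == ROLE]
                    + [c for c in children if c.tag not in (GROUP, ROLE)])
    return ET.tostring(root, encoding="unicode")
```

Run `misordered_blocks` over the real export before the import; an empty list means the subject ordering will not trip the schema check, and `fix_order` gives the reordered file to upload instead.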

About the Author Mahendra

I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc. I am also well versed with complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience on products such as Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc. Look @ my blog: http://talkidentity.blogspot.com
