The requirement is to add an authorization policy granting permissions (a mix of Roles and LDAP Groups) on a resource for a given action. I exported the policy XML from OES using policyIX.sh and tried updating the authorization policy. The ATZ policy XML block is shown below:
<xb:authorization_policy_entry>
<xb:policy_effect value="grant"/>
<xb:policy_actions>
<xb:policy_action_entry value="MyAction"/>
</xb:policy_actions>
<xb:policy_resources>
<xb:policy_resource_entry value="//resources/MyApp/MyResource"/>
</xb:policy_resources>
<xb:policy_subjects>
<xb:policy_group_entry name="Group1" directory="TMobileDir" scope="RootOrg!TMobileOrg"/>
<xb:policy_group_entry name="Group2" directory="TMobileDir" scope="RootOrg!TMobileOrg"/>
<xb:policy_group_entry name="Group3" directory="TMobileDir" scope="RootOrg!TMobileOrg"/>
<xb:policy_group_entry name="Group4" directory="TMobileDir" scope="RootOrg!TMobileOrg"/>
…………………
…………………
<xb:policy_role_entry value="Role1"/>
<xb:policy_role_entry value="Role2"/>
…………………
…………………
</xb:policy_subjects>
</xb:authorization_policy_entry>
Note that Groups must be listed first, followed by Roles, in the Policy Subjects.
I tried importing the XML using policyIX.sh, which resulted in the error below.
Importing roles …
all roles finished
Importing policies …
Policy Propagation is terminated
failed to create application RootOrg!MyOrg!MyApp for
failed to create authorization policy: Policy Text = grant ( MyAction, //resources/MyApp/MyResource, [GROUP:RootOrg!MyOrg:LDAPDir:Group1, GROUP:RootOrg!MyOrg:LDAPDir:Group2, GROUP:RootOrg!MyOrg:LDAPDir:Group3, ………………………………………………………
………………………………………………………
………………………………………………………
, ROLE:Role1, ROLE:Role2, ROLE:Role3,
………………………………………………………
………………………………………………………
………………………………………………………
ROLE:Role40]) if true; for
The subject field in a rule cannot be longer than 2000 characters.
It is clear from the error that the maximum size of the policy subject value is 2000 characters. I counted the characters with a tool and found the subject came to around 2400 characters.
So the next attempt was to include just the Roles in the Policy Subjects and import the policy, which went through. I then tried manually adding the Groups to the Policy Subjects using the OES Admin console, which resulted in the error below.
The next attempt was to create a new authorization policy with just the Groups in the Policy Subjects, and that import was successful. So in total I created two authorization policies for the same set of actions and resources, but split the Policy Subjects, Roles and Groups, between them.
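The check and split that the post arrives at by hand, as an added example written here with Python's standard XML library (not code from the post or from Oracle): it renders the subject list the way the import error prints it (GROUP:scope:directory:name, ROLE:value), measures it against the 2000-character limit, and splits one exported authorization_policy_entry into as many entries as needed while keeping Groups ahead of Roles. The xb namespace URI is a placeholder, the assumption that the bracketed list is exactly what OES measures is mine, and the 40-group/40-role sample policy is constructed.

```python
import copy
import xml.etree.ElementTree as ET

XB = "urn:example:oes-policy-placeholder"  # assumption: the real OES schema URI is not on the page
NS = {"xb": XB}
ET.register_namespace("xb", XB)
SUBJECT_LIMIT = 2000  # the limit quoted by the import error

def subjects(entry):
    return list(entry.find("xb:policy_subjects", NS))

def subject_text(subject_elems):
    """Render subjects as the import error prints them (GROUP:<scope>:<directory>:<name>, ROLE:<value>); assumed to be what OES measures."""
    parts = []
    for s in subject_elems:
        tag = s.tag.split("}")[-1]  # drop the namespace URI
        if tag == "policy_group_entry":
            parts.append(f"GROUP:{s.get('scope')}:{s.get('directory')}:{s.get('name')}")
        elif tag == "policy_role_entry":
            parts.append(f"ROLE:{s.get('value')}")
    return "[" + ", ".join(parts) + "]"

def split_policy(entry, limit=SUBJECT_LIMIT):
    """Copies of entry (same effect/actions/resources) whose subject text each fits limit; document order (groups, then roles) is kept."""
    chunks, current = [], []
    for s in subjects(entry):
        if current and len(subject_text(current + [s])) > limit:
            chunks.append(current)
            current = []
        current.append(s)
    chunks.append(current)
    out = []
    for chunk in chunks:
        clone = copy.deepcopy(entry)
        clone.find("xb:policy_subjects", NS)[:] = [copy.deepcopy(c) for c in chunk]
        out.append(clone)
    return out

def build_sample_policy(n_groups=40, n_roles=40):
    """Constructed sample laid out like the post's policy: 40 groups, then 40 roles."""
    e = ET.Element(f"{{{XB}}}authorization_policy_entry")
    ET.SubElement(e, f"{{{XB}}}policy_effect", value="grant")
    ET.SubElement(ET.SubElement(e, f"{{{XB}}}policy_actions"), f"{{{XB}}}policy_action_entry", value="MyAction")
    ET.SubElement(ET.SubElement(e, f"{{{XB}}}policy_resources"), f"{{{XB}}}policy_resource_entry", value="//resources/MyApp/MyResource")
    subj = ET.SubElement(e, f"{{{XB}}}policy_subjects")
    for i in range(1, n_groups + 1):
        ET.SubElement(subj, f"{{{XB}}}policy_group_entry", name=f"Group{i}", directory="TMobileDir", scope="RootOrg!TMobileOrg")
    for i in range(1, n_roles + 1):
        ET.SubElement(subj, f"{{{XB}}}policy_role_entry", value=f"Role{i}")
    return e
```

For the constructed sample the full subject text is 2302 characters, and split_policy yields two entries of 1990 and 312 characters, the first holding all 40 groups plus Role1 to Role16 and the second Role17 to Role40.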
I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities, etc. I am also well versed with complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience on products such as Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory, etc. Look @ my blog: http://talkidentity.blogspot.com