
Lab 6: Configure Advanced Provisioning Infrastructure for RBAC using Access Policies

Contents
Lab 6: Configure Advanced Provisioning Infrastructure for RBAC using Access Policies
1. Introduction
2. Contents
2.1. Configure a few Important Parameters for Request and RBAC oriented provisioning scenarios
2.2. Setup and Verify RBAC oriented provisioning configuration to achieve use case 1.1

1. Introduction
This use case covers the configuration and use of OIM features to set up the real-life infrastructure for the OIM DSEE connector after it is installed, to meet the advanced provisioning requirements of the MEDICLAIM (ACME’s acquisition) intranet user management application, which is DSEE. The configuration is mainly oriented around building Role Based Access Control (access policy driven, automated provisioning) scenarios for ACME’s DSEE servers. Once the infrastructure is deployed, membership in roles (assigned automatically or by request) gives users the corresponding accounts and entitlements in the DSEE instances.

A few more important facts relevant to the context:

- After the acquisition, MEDICLAIM has been reorganized as a branch of ACME and named the Health Insurance Division. This branch is further divided in two: Group Insurance and Individual Insurance.
OIM 11g Workshop - Lab 5
- Contractors (external users) as well as Employees (internal users) work in both these departments, and need to hold accounts in the DSEE based intranet repository. They can either use the OIM self-service feature to raise requests or send emails to the IT administrators, who can raise them on their behalf. The IT department has created a dedicated team that works exclusively on handling the helpdesk calls of MEDICLAIM (now ACME’s Health Insurance Division) users, in effect affiliating that team entirely with this organization.
- MEDICLAIM (now ACME’s Health Insurance Division) maintains THREE instances of the DSEE application: DSEE Server, Johannesburg; DSEE Server, Prague; and DSEE Server, Chicago.

The primary use case is that an Employee automatically gets a DSEE account and roles as basic access:

- A new Employee is hired. As soon as the user record is created in OIM, and only if she is a member of the Health Insurance Division, the RBAC configuration in place (Roles and Access Policies) gives the user an account plus a basic set of roles in DSEE.

2. Contents

2.1. Configure a few Important Parameters for Request and RBAC oriented provisioning scenarios

Purpose
This step describes the procedure to configure a pre-populate adapter on the DSEE connector process form. In this procedure you will:

- Update the DSEE connector resource object
- Update the DSEE connector process definition
Steps

Update DSEE connector resource object

2.1.1. Launch the Design Console. Open the folder Resource Management > form Resource Object > resource object iPlanet User. Check the checkboxes Allow Multiple and Self Request Allowed and click the Save icon.

The Allow Multiple flag is required if we want to provision more than one instance of the resource object iPlanet User to the same OIM user.

The Self Request Allowed flag is required if we want an OIM user to be able to request the resource object iPlanet User using the OIM Self Service console. Additional relevant request templates could also be configured as explained in lab <todo - provide hyperlink>.

Update DSEE connector process definition

2.1.2. Open the folder Process Management > form Process Definition > process definition iPlanet User. Check the checkboxes Auto Pre-populate and Auto Save Form and click the Save icon.

The Auto Pre-populate flag is required to automatically trigger the pre-populate adapters configured on the process form of resource object iPlanet User when a provisioning operation is executed for it. If this flag is not checked, the Pre-populate button has to be clicked to fill in the form in the OIM UI when direct provisioning is used.

The Auto Save Form flag is required for automatically saving the instance of the process form of resource object iPlanet User during a provisioning operation. If this flag is not checked, the process form is launched in the OIM UI, either pre-populated (if pre-populate adapters and the Auto Pre-populate flag are configured) or blank, before the provisioning data is finally saved and passed on to the provisioning target.

Checkpoint
None.

2.2. Setup and Verify RBAC oriented provisioning configuration to achieve use case 1.1

Purpose
This step describes the procedure to create Roles, Access Policies and Role-Membership Rules. As soon as OIM Users are created, they are automatically assigned roles based on the evaluation of the role-membership rules. Roles, once assigned, trigger the evaluation of the access policies, which in turn triggers the actual provisioning of DSEE accounts and roles to these OIM users.

Steps
Create OIM Roles

We will create two roles:

- Role A: Health Information Worker, based on membership in several divisions dealing with Protected Healthcare Information (PHI): Human Capital Division, Health Insurance Division and Psychological Health Division.
  o Grants: DSEE entry, with DSEE Role membership in Health Info Worker
- Role B: HID Worker (Health Insurance Division), based on membership in the Health Insurance Division.
  o Grants: DSEE entry, with DSEE Role membership in HID Worker

Each role provides a single entitlement (an LDAP Role in both cases).

Start with the role creation.
2.2.1. From the Administration tab, select OR change the pull-down and search.

This allows you to review existing roles before ’ing your new roles. The role Health Information Worker will provide a way to identify those workers with access to healthcare information and data. Obviously, this role needs to be assigned to every worker in the Health Insurance Division, but it can also be granted to IT and HR workers.

Don’t forget to .

Finally, you should see:

and you are ready to add the second role, HID Worker (Health Insurance Division Worker).

To quickly add more roles, click back on the search tab, , and you will find the button above the results as before.

2.2.2. Add HID Worker:

HID Worker will be issued to each and every employee or contractor who works in that division of the company, regardless of job title or other attributes.

Don’t forget to ; you should see:
Build Access Policy

2.2.3. Next, create the access policies: click Administration, then Create Access Policy.

We will build an access policy that assigns the DSEE Role HID Worker to those with the OIM role HID Worker.
2.2.4. Select

2.2.5. Select iPlanet User, Add and

2.2.6. Click

2.2.7. For this parent form, select the Server value as DSEE Server ACME and

2.2.8. Search for Role by clicking on the magnifier icon

2.2.9. Select the role "cn=health insurance division members, ou=people, dc=mydomain, dc=com"

2.2.10. After selecting the value, make sure you use the to populate the child form with the selected Role.

2.2.11. After you have added the Role, click on

2.2.12. Since we want people removed from the Division to lose their access, we must revoke it. Check "Revoke if no longer applies", and then

2.2.13. No resource needs to be explicitly denied by this policy. Click on

2.2.14. Add the OIM Role "HID Worker" to this access policy.

2.2.15. Click on

2.2.16. Select:

Done! You have created the first Access Policy. Proceed to create another one.

2.2.17. Create an Access Policy for Health Information Worker that maps to the DSEE Role Health Information Worker:

2.2.18. Again, select the same value for Server as before (‘DSEE Server ACME’).

2.2.19. Search for, and add, the DSEE Role cn=health information worker,…; widen your window if it is difficult to read:

2.2.20. Select Add:

2.2.21. Select

2.2.22. Select again, passing through the LDAP Group page, as no groups need to be added.

2.2.23. Select

2.2.24. Nothing needs to be explicitly denied by this policy.

2.2.25. Select

2.2.26. Select and add the Health Information Worker OIM Role as the role to which this Access Policy applies.

2.2.27. Review and create the Access Policy:

Grant the role manually to test

2.2.28. Directly assign the OIM Roles Health Ins Div worker and Health Information Worker to your test user zDSEEtest:

2.2.29. Check the resources

On the Resources page, you should see the following detail for the iPlanet User resource:
Build Role-membership Rule

2.2.30. In the OIM Design Console, navigate to Resource Management > Rule Designer

2.2.31. Type the name isHealthInsDiv and select General as the type:

2.2.32. And click Save.

2.2.33. So, we have our rule; let’s now add an element to make it useful. Click Add element and set the attribute to "Organization Name == ACME Health Insurance Division"

2.2.34. and click Save for the element.

2.2.35. Add the rule for both roles

Assign Membership Rules to Roles

2.2.36. Select the role "HID Worker" and click on Membership Rules

2.2.37. Click on Assign Rules

2.2.38. Select the Rule and click on Assign

2.2.39. Click Confirm Assign

2.2.40. Close the window

2.2.41. Repeat for the second role

2.2.42.

Test Rule Evaluation

2.2.43. Hire a new worker (employee) in the ACME Health Insurance Division.

This should ‘trip’ our rule (Organization Name == ACME Health Insurance Division) and enroll this person in the Role.

2.2.44. Click Refresh; the Resource has been provisioned. Click on iPlanet User to check the DSEE account and roles provisioned to this user.

2.2.45. Note: In this example, hiring an employee has been done by directly creating an OIM user record. In an enterprise deployment, this RBAC configuration works just as well for OIM user records that are created automatically, for example by an authoritative reconciliation process running against an HRMS system, provided the incoming user data has the right values for the attributes that drive the automatic role membership rule evaluation.
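To make the chain built in this section concrete (membership rule -> OIM role -> access policy -> DSEE account with DSEE Role membership, plus the effect of "Revoke if no longer applies"), here is a small executable model of it. This is an added example and not OIM's own engine or the lab's code: the role, policy and rule names and the HID Worker DN come from the lab; the DN suffix of the Health Information Worker role (truncated in the lab), the policy names, the exact organization names of the PHI divisions and the test user record are assumptions. The lab assigns the single rule isHealthInsDiv to both roles; the example goes one step further and gives Health Information Worker a rule covering all three PHI divisions named in the role description, so that a transfer between divisions revokes one policy's grant while keeping the other.

```python
"""Added example (not OIM's code): a small model of the RBAC chain this lab
configures, membership rule -> OIM role -> access policy -> DSEE account with
DSEE Role membership, including the "Revoke if no longer applies" behaviour."""
from dataclasses import dataclass, field

HID = "ACME Health Insurance Division"
# Divisions the lab names as handling PHI; the exact org names are assumed.
PHI_DIVISIONS = {HID, "Human Capital Division", "Psychological Health Division"}

# Role-membership rules. The lab assigns the single rule isHealthInsDiv
# (Organization Name == HID) to both roles; the second rule here generalizes
# Health Information Worker to all PHI divisions listed in the role description.
MEMBERSHIP_RULES = {
    "HID Worker": lambda user: user.get("Organization Name") == HID,
    "Health Information Worker":
        lambda user: user.get("Organization Name") in PHI_DIVISIONS,
}


@dataclass(frozen=True)
class AccessPolicy:
    name: str                    # policy name (assumed)
    oim_role: str                # OIM role the policy applies to
    server: str                  # parent form value: Server
    dsee_roles: frozenset        # child form: DSEE Role DNs
    revoke_if_no_longer_applies: bool = True


ACCESS_POLICIES = (
    AccessPolicy("AP HID Worker", "HID Worker", "DSEE Server ACME",
                 frozenset({"cn=health insurance division members, ou=people, dc=mydomain, dc=com"})),
    # The lab truncates this DN; the suffix is assumed to match the one above.
    AccessPolicy("AP Health Information Worker", "Health Information Worker", "DSEE Server ACME",
                 frozenset({"cn=health information worker, ou=people, dc=mydomain, dc=com"})),
)


@dataclass
class Account:
    """One iPlanet User instance on a server; grants records which policy gave which DNs."""
    server: str
    grants: dict = field(default_factory=dict)   # policy name -> set of DSEE Role DNs

    @property
    def dsee_roles(self):
        return set().union(*self.grants.values())


def evaluate_roles(user):
    """Roles whose membership rule is satisfied by this OIM user record."""
    return {role for role, rule in MEMBERSHIP_RULES.items() if rule(user)}


def reconcile(user, accounts):
    """Re-run rule and policy evaluation for one user against their current
    accounts; returns (new account map, roles held)."""
    roles = evaluate_roles(user)
    new = {s: Account(s, {p: set(v) for p, v in a.grants.items()})
           for s, a in accounts.items()}
    applicable = [p for p in ACCESS_POLICIES if p.oim_role in roles]
    for policy in applicable:                     # grant: create or extend the account
        acct = new.setdefault(policy.server, Account(policy.server))
        acct.grants[policy.name] = set(policy.dsee_roles)
    for policy in ACCESS_POLICIES:                # revoke grants that no longer apply
        if policy in applicable or not policy.revoke_if_no_longer_applies:
            continue
        acct = new.get(policy.server)
        if acct is not None:
            acct.grants.pop(policy.name, None)
            if not acct.grants:                    # no policy provisions it any more
                del new[policy.server]
    return new, roles


def lifecycle():
    """Hire a test user into HID, transfer them to another PHI division, then
    move them out of PHI work; returns (OIM roles, DSEE roles) at each stage."""
    user = {"User Login": "zDSEEtest", "Organization Name": HID}   # constructed record
    accounts, roles = reconcile(user, {})
    hired = (sorted(roles), sorted(accounts["DSEE Server ACME"].dsee_roles))
    user["Organization Name"] = "Psychological Health Division"
    accounts, roles = reconcile(user, accounts)
    transferred = (sorted(roles), sorted(accounts["DSEE Server ACME"].dsee_roles))
    user["Organization Name"] = "Sales Division"
    accounts, roles = reconcile(user, accounts)
    left = (sorted(roles), sorted(accounts))       # account revoked: no servers left
    return hired, transferred, left


if __name__ == "__main__":
    for stage, (roles, dns) in zip(("hired", "transferred", "left"), lifecycle()):
        print(stage, roles, dns)
```

Running the script walks one user through hire, transfer and departure. The point to check against the lab is the revocation path: with "Revoke if no longer applies" set on both policies, leaving the Health Insurance Division drops only the HID Worker DSEE Role while the account survives under the other policy, and leaving all PHI divisions removes the account entirely. Unchecking that flag on a policy leaves its grant in place, which is exactly the stale-access case step 2.2.12 is there to prevent.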
