Thursday, January 27, 2011

Self Service User Profile Modifications

As we were completing our configuration for deployment, we noticed that the attributes a person can modify on their profile by default are more than we wanted to allow. For example, since we use our HR system as the system of record for names, we did not want a person to be able to change their name through OIM. The OOTB policy allows all users to edit their Name, Email Address, and Display Name, none of which we wanted them to be able to change.

Since this is an OOTB authorization policy, it can't be edited in the OIM UI or overridden. By creating another policy we were able to add attributes to edit, but not to disallow those already permitted. Looking around, we located where the OOTB policies are defined and the ant scripts that load the policies into the embedded OES server. By commenting out the unwanted attributes and running the appropriate ant target we were able to remove the ability to self-modify those attributes.

This is not a supported solution and you will need to be careful each time you patch the server to ensure the policy is updated correctly. (FYI: We have filed an enhancement request to have this changed to be the default policy.)

With that caution here goes:

In the ORACLE_HOME/server/seed_data/Seed/OESPolicies directory, you can locate the SelfServiceUserManagementPolicies.xml file. Make a copy of this for posterity and open it for editing in your favorite tool.

The offending section is right at the top; simply comment out the attributes you don't want to be editable.

Next, set up your environment as you would for patching by exporting the WL_HOME, ANT_HOME, OIM_ORACLE_HOME, and ORACLE_HOME paths.

In the ORACLE_HOME/server/bin directory make a copy of the weblogic.profile and patch_weblogic.sh files. Edit your copies: point the script at your copy of the profile and change the ant target to update-oes-ootb-polices. I had to add an additional entry to the profile for the OIM DB password in order to get it to work, hence the copy; so in your profile copy add the entry OIM.DBPassword=. Run the script; it does take some time to update the OES policies. Once done, you can go into the UI and verify that it removed those attributes.
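The steps above wrapped in a few POSIX shell helpers, as an added example that is not code from the original post or from Oracle: the environment check, the private profile copy carrying the OIM.DBPassword entry, and a checksum of the edited seed policy so that after a later server patch you can tell whether the file was overwritten and your edit must be reapplied. The names of the copies and the checksum approach are assumptions of this example; the seed path and the profile key come from the post.

```shell
#!/bin/sh
# Added example (not from the original post): helpers around the manual
# procedure. Only the seed file path and the OIM.DBPassword key are from
# the post; copy names and the checksum re-check are assumptions.

POLICY_REL=server/seed_data/Seed/OESPolicies/SelfServiceUserManagementPolicies.xml

# Fail unless every variable the patch tooling expects is exported.
check_patch_env() {
    for v in WL_HOME ANT_HOME OIM_ORACLE_HOME ORACLE_HOME; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "missing: $v" >&2
            return 1
        fi
    done
    return 0
}

# Keep a dated backup of the pristine seed policy before editing it.
backup_policy() {   # $1 = ORACLE_HOME; prints the backup path
    src="$1/$POLICY_REL"
    dst="$src.orig.$(date +%Y%m%d)"
    cp "$src" "$dst" && echo "$dst"
}

# Private copy of weblogic.profile with the OIM DB password entry added.
make_profile_copy() {   # $1 = source profile, $2 = destination, $3 = password
    cp "$1" "$2" || return 1
    grep -q '^OIM.DBPassword=' "$2" || printf 'OIM.DBPassword=%s\n' "$3" >> "$2"
    chmod 600 "$2"   # the copy now holds a secret; keep it out of group/world
}

# Record a checksum of the customized policy; after any server patch,
# policy_unchanged tells you whether the seed file still carries your edit.
record_policy_checksum() {   # $1 = policy file, $2 = checksum file
    cksum < "$1" > "$2"
}
policy_unchanged() {   # $1 = policy file, $2 = checksum file; 0 if unchanged
    [ "$(cksum < "$1")" = "$(cat "$2")" ]
}
```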

6 comments:

Unknown said...

Hi,

Could you provide me the Enhancement Request ID that you logged with Oracle.

Eric Fisher said...

Santhana,

Certainly, it is filed as Bug# 10415853.

Eric

Anonymous said...

Thanks for providing the above. We're running into the same issue.

free2k said...

Hi,

After running the patch, I get an error:

BUILD FAILED:
/setup/deploy-files/setup.xml:16: The 'input' type doesn't support the nested "handler" element.

DJROS said...

Hi,
Did you find out how to achieve this with OIM 11g R2? I cannot find any xml files any more with R2.
Thanks.
Didier.

DJROS said...

Well, I actually found the answer: use the customization UI to write-protect (or hide) the attributes.