HOW TO: Configure OIA 11g Remediation Tracking

The oracle documentation has not published the configuration steps to setup the remediation tracking within OIA.
July 15, 2013
OIA-11g

Within the Remediation Tracking document, that mentions is how to use OIA once configured, though no step on how to configure it in the first place. Here's how to configure and use the remediation tracking.

There's two approaches for the remediation, closed-loop and open-looped remediation. The configuration addressed within the oracle documentation only presented the approach as closed-loop remediation only. The difference is that closed-loop is typically integrated within a provisioning server, open-loop remediation typically includes an additional step outside the realms of an electronic data exchange.

This step is open-loop remediation where OIA would be used to revoke access, then you import the differential data within a data file. Start by altering a couple of .xml files

https://technicalconfessions.com/images/postimages/postimages/_202_4_revoke account within OIA.gif

Within the WEB-INF/Scheduling Context.xml

Line 183...

< ref bean="certificationRemediationJob"/>

Line 223...


<ref bean="certificationRemediationTrigger"/>

https://technicalconfessions.com/images/postimages/postimages/_202_5_shown Revoke access within OIA remediation status.gif

Within the WEB-INF/Jobs.xml

Line 942...

<bean id="certificationRemediationTrigger" class="org.springframework.scheduling.quartz.CronTriggerBean">
<property name="jobDetail">
<ref bean="certificationRemediationJob"/>
</property>
<property name="cronExpression">
<value>0 0/2 * * * ?</value>
</property>
</bean>

https://technicalconfessions.com/images/postimages/postimages/_202_6_100 percent OIA.gif

Bounce the WLS server then log into OIA. Then go to the following:
Identity Warehouse -- Resources -- Select Provisioning Mode -- Select Manual

Then go to Administration --> Revoke and Remediation --> Display Remediation Instructions
Then click on the following:

  • Perform Closed loop Remediation
  • Certification Completion Date

https://technicalconfessions.com/images/postimages/postimages/_202_8_revoke specific access within OIA.gif

Note: This step is under the assumption that you already have the resources configured. I created a resource called FAKE along with 3 accounts.


Tracking remediation

There's two ways to use remediation tracking:

  • Account Revoke
  • Attribute Revoke


The Account/Attribute remediation access

https://technicalconfessions.com/images/postimages/postimages/_202_10_attribute level access within OIA.gif

There's two ways to use the account remediation process:

  • Account Maintenance
  • Include 'suspended' within account feed


The account maintenance can be located within the iam.properties file within the conf directory. This can be used against the 'last import' of the account. If the account exceeds the maxstaledays then the account will become suspended. Alternatively, the 'Include suspended within the account feed. This has an integer value of 1 or 0 against the column 'suspended' schema value. Either way, it will determine if the account becomes suspended.

https://technicalconfessions.com/images/postimages/postimages/_202_11_the progress check within OIA.png

Here is the example of my data feed:

"C0000200","Group1,Group2,Group3","FAKE","FAKE",0
"D0000200","Group1,Group2","FAKE","FAKE",0
"C0000300","Group1,Group2,Group3","FAKE","FAKE",0


Revoke access

You're now ready to start testing out the remediation process. The first example is showing that the account is revoked. Make sure you setup the certification and then click 'revoke' on the account only, which subsequently means that the access will be revoked. It is important that the account is revoked because the remediation will monitor the account level, not the entitlements

You can now click on the remediation tracking and see the remediation tracking for that specific configuration.

Here is the example of my data feed of the remediated access:

"C0000200","Group1,Group2,Group3","FAKE","FAKE",1
"D0000200","Group1,Group2","FAKE","FAKE",0
"C0000300","Group1,Group2,Group3","FAKE","FAKE",0

Note: The suspended value is now 1

Here is the example of my data feed of the remediated access:

"C0000200","Group1,Group2,Group3","FAKE","FAKE",0
"D0000200","Group2","FAKE","FAKE",0
"C0000300","Group1,Group2,Group3","FAKE","FAKE",0

Note: You can now see that Group1 has been removed from the data feed

Now import the account again and it will update the 'lastupdated' timestamp on the accounts table. Because of this, it will check any differential when the account maintenance is executed.

About the author

Daniel is a Technical Manager with over 10 years of consulting expertise in the Identity and Access Management space.
Daniel has built from scratch this blog as well as technicalconfessions.com
Follow Daniel on twitter @nervouswiggles

Comments

Other Posts

AWS-PHP integration - Email not sent. SMTP Error: Could not authenticate.

phpsmtpaws

February 6, 2020
Created by: Daniel Redfern
AS I was migrating my environment into an S3 environment, I wanted to leverage off the SES services that AWS provide, more specifically, to leverage the off the SMTP functionality by sending an email via PHP
Read More...

SOLUTION: no headers files (.h) found in softwareserial - Arduino

Arduino

February 24, 2019
Created by: Daniel Redfern
The WeMos D1 is a ESP8266 WiFi based board is an extension to the current out-of-the-box library that comes with the Arduino installation. Because of this, you need to import in the libraries as well as acknowledging the specific board. This process is highly confusion with a number of different individuals talking about a number of different ways to integrate.
Read More...

NameID element must be present as part of the Subject in the Response message

ShibbolethSAML

August 7, 2018
Created by: Daniel Redfern
NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration.
Read More...

HOW TO provision AD group membership from OpenIDM

OpenIDMICFAD-connector

June 15, 2018
Created by: Daniel Redfern
For what I see, there's not too many supportive documentations out there that will demonstrate how provision AD group membership with the ICF connector using OpenIDM. The use of the special ldapGroups attribute is not explained anywhere in the Integrators guides to to the date of this blog. This quick blog identifies the tasks required to provision AD group membership from OpenIDM to AD using the LDAP ICF connector. However this doesn't really explain what ldapGroups actually does and there's no real worked example of how to go from an Assignment to ldapGroups to an assigned group in AD. I wrote up a wiki article for my own reference: AD group memberships automatically to users This is just my view, others may disagree, but I think the implementation experience could be improved with some more documentation and a more detailed example here.
Read More...

ForgeRock OpenIDM - InvalidCredentialException: Remote framework key is invalid

ICFIDMOpenIDMOpenICF

November 8, 2017
Created by: Daniel Redfern
In the past, the similar error occurred though for the Oracle Identity Management solution. invalidcredentialexception remote framework key is invalid Because they all share the ICF connector framework, the error/solution would be the same.
Read More...

org.forgerock.script.exception.ScriptCompilationException: missing ; before statement

IDMsync.confforgerockopenidm

November 8, 2017
Created by: Daniel Redfern
org.forgerock.script.exception.ScriptCompilationException: missing ; before statement
Read More...

ForgeRock IDM - org.forgerock.script.exception.ScriptCompilationException: missing ; before statemen

OpenIDMsync.confForgeRock

September 17, 2017
Created by: Daniel Redfern
ForgeRock IDM - org.forgerock.script.exception.ScriptCompilationException: missing ; before statement
Read More...

Caused by: org.forgerock.json.resource.BadRequestException: Target does not support attribute groups

OpenIDMForgeRockICFConnector

September 17, 2017
Created by: Daniel Redfern
When performing the attempt of a reconciliation from ForgeRock IDM to Active Directory, I would get the following error
Read More...

ForgeRock OpenIDM - InvalidCredentialException: Remote framework key is invalid

OpenIDMForgeRockICFConnectorAD

September 17, 2017
Created by: Daniel Redfern
In the past, the similar error occurred though for the Oracle Identity Management solution. invalidcredentialexception remote framework key is invalid Because they all share the ICF connector framework, the error/solution would be the same.
Read More...

ERROR Caused by com.google.api.client.auth.oauth2.TokenResponseException 400 Bad Request - invalid_g

OpenIDMIDMGoogleGoogle-AppsICFreconciliation

September 12, 2017
Created by: Daniel Redfern
During the reconcilation from OpenIDM to the ICF google apps connector, the following error response would occur. ERROR Caused by com.google.api.client.auth.oauth2.TokenResponseException 400 Bad Request - invalid_grant
Read More...