Mapping Roles between Oracle BPM and Oracle IDM


8/2/2019 Mapping Roles between Oracle BPM and Oracle IDM

MAPPING BPM ROLES INTO IDM (ORACLE IDENTITY MANAGEMENT)

Andre Almar http://www.andrealmar.com

Hello people, I'm here again to show you how to integrate/map the roles of Oracle BPM into Oracle IDM (Identity Management).

First, you have to understand some concepts.

As the official documentation says, Oracle Fusion Middleware allows using different types of credential and policy stores in a WebLogic domain. Domains can use stores based on an XML file or on different types of LDAP providers. When a domain uses an LDAP store, all policy and credential data is kept and maintained in a centralized store. However, when using XML policy stores, the changes made on Managed Servers are not propagated to the Administration Server unless they use the SAME domain home.

By default, Oracle WebLogic Server domains use an XML file for the policy store. The following sections describe the steps required to change the default store to Oracle Internet Directory LDAP for credentials or policies.

More information in the official documentation:

http://download.oracle.com/docs/cd/E17904_01/core.1111/e12036/oam.htm#BABFGBED

Before creating the LDAP Authenticator, first make a backup of the following files:

ORACLE_BASE/admin//aserver//config/config.xml
ORACLE_BASE/admin//aserver//config/fmwconfig/jps-config.xml
ORACLE_BASE/admin//aserver//config/fmwconfig/system-jazn-data.xml

Back up boot.properties too.

Log into the WebLogic Console and go to Security Realms/myrealm.


Go to the Providers tab.

Note that DefaultAuthenticator already exists here.

Click NEW to add a new provider.

Enter a name for your new provider, for example OIDAuthenticator or OIDAuth.

On Provider Type, choose OracleInternetDirectoryAuthenticator.


It will appear on the provider screen.

Click on the newly created provider and set its Control Flag to SUFFICIENT.

Go to the Provider Specific tab to enter the details for the LDAP server.

For example, in my environment:


Follow this table from the official documentation:

IMPORTANT: Check this BOX.

Click SAVE to activate the changes.

Now we have to re-order the providers.

Go to the Security Realms/myrealm/Providers tab and REORDER the providers as shown in the screen above.

Be sure that DefaultAuthenticator has its Control Flag set to SUFFICIENT.
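As an added check (my own example, not from this tutorial or from Oracle), the script below reads the realm section of the config.xml you backed up earlier and verifies the provider chain: the OID authenticator listed first (the order I assume for the re-ordering step), DefaultAuthenticator still present, and both Control Flags explicitly SUFFICIENT. The config.xml snippet is constructed for illustration; the element names and xsi:type values are assumed from typical 11g domains.

```python
import xml.etree.ElementTree as ET

# Namespaces used by a WebLogic 11g config.xml (domain default + security).
NS = {"d": "http://xmlns.oracle.com/weblogic/domain",
      "sec": "http://xmlns.oracle.com/weblogic/security"}

# Constructed sample: the realm after the steps above, with the DefaultAuthenticator's
# <sec:control-flag> deliberately left out to show how the check reports it.
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain"
  xmlns:sec="http://xmlns.oracle.com/weblogic/security"
  xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <security-configuration>
    <realm>
      <sec:authentication-provider xsi:type="wls:oracle-internet-directory-authenticatorType">
        <sec:name>OIDAuthenticator</sec:name>
        <sec:control-flag>SUFFICIENT</sec:control-flag>
      </sec:authentication-provider>
      <sec:authentication-provider xsi:type="wls:default-authenticatorType">
        <sec:name>DefaultAuthenticator</sec:name>
      </sec:authentication-provider>
    </realm>
  </security-configuration>
</domain>"""

def provider_chain(config_xml):
    """Return [(name, control_flag)] in the order WebLogic consults the providers.
    A missing <sec:control-flag> comes back as None (left at the provider default)."""
    root = ET.fromstring(config_xml)
    path = "d:security-configuration/d:realm/sec:authentication-provider"
    chain = []
    for prov in root.findall(path, NS):
        flag = prov.findtext("sec:control-flag", namespaces=NS)
        chain.append((prov.findtext("sec:name", namespaces=NS), flag.strip() if flag else None))
    return chain

def check_chain(chain, oid_name="OIDAuthenticator"):
    """Problems with the chain relative to the setup above (empty list = as expected)."""
    names = [n for n, _ in chain]
    problems = []
    if oid_name not in names:
        problems.append(f"{oid_name} is not configured in the realm")
    elif names[0] != oid_name:
        problems.append(f"{oid_name} should be first in the provider order")
    if "DefaultAuthenticator" not in names:
        problems.append("DefaultAuthenticator is missing: embedded-LDAP users (boot user included) could not log in")
    for name, flag in chain:
        if flag != "SUFFICIENT":
            problems.append(f"{name}: control flag is {flag or 'not set'}, expected SUFFICIENT")
    return problems
```

Run it against your real config.xml with `check_chain(provider_chain(open(path).read()))` after saving and before restarting the servers.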


Now, RESTART the Administration Server and the Managed Servers of your SOA environment.

Go to the Security Realms/myrealm/Roles and Policies tab.

Expand Global Roles and then expand Roles.

You will see a list of Global Roles displayed on the screen.

In the Role Policy column of the Admin role, click on View Role Conditions.

In this screen you will associate one condition with this Admin role.

For example, in your LDAP you have a group called SOAAdministrators and a user assigned to this group. Every user that is assigned to this group will be an Administrator of my soa_domain.

Now, I will create a Role Condition:

Click ADD CONDITIONS.

On Predicate List choose Group and click NEXT.


On GROUP ARGUMENT NAME put the name of your SOAAdministrators group and click ADD.

After that, click FINISH.

You will see the newly added group in the Admin Role Conditions.

If you're having trouble with this part, I suggest creating the SOAAdministrators group and the user assigned to it through an LDIF file. I've faced some problems when creating this group and user through ODSM (Oracle Directory Services Manager).

To create this group and the user, just create 2 (TWO) LDIF files:

Admin_group.ldif, which contains the following (obviously fill in the dn and uniquemember with your corresponding DC configuration):

    dn: cn=SOAAdministrators,cn=Groups,dc=andrealmar,dc=com
    displayname: SOAAdministrators
    objectclass: top
    objectclass: groupOfUniqueNames
    objectclass: orclGroup
    uniquemember: cn=weblogic_soa,cn=Users,dc=andrealmar,dc=com
    cn: SOAAdministrators
    description: Administrators Group for the SOA Domain


admin_user.ldif, which contains the following:

    dn: cn=weblogic_soa,cn=Users,dc=andrealmar,dc=com
    orclsamaccountname: weblogic_soa
    givenname: weblogic_soa
    sn: weblogic_soa
    userpassword: welcome1
    mail: weblogic_soa
    objectclass: top
    objectclass: person
    objectclass: organizationalPerson
    objectclass: inetorgperson
    objectclass: orcluser
    objectclass: orcluserV2
    uid: weblogic_soa
    cn: weblogic_soa
    description: Admin User for the SOA Domain

Now import these 2 LDIF files via an LDAP browser. I've used the Gawor LDAP Browser.

User shown in the Gawor LDAP Browser

Group shown in the Gawor LDAP Browser

Group shown in ODSM (Directory Services Manager)
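As an added pre-import check (my own example, not part of the tutorial), the script below parses LDIF entries like the two files above and flags the slips that are easy to make when typing them by hand: a uniquemember DN that only matches the user entry once case and spacing are normalised, an objectclass line repeated, and the tutorial's placeholder password. The sample LDIF is constructed inline and deliberately carries those slips so the checks have something to find.

```python
# Constructed sample: both entries in one LDIF, with a stray-spaced member DN
# and a repeated objectclass line so the checks below have something to catch.
SAMPLE_LDIF = """dn: cn=SOAAdministrators,cn=Groups,dc=andrealmar,dc=com
objectclass: top
objectclass: groupOfUniqueNames
uniquemember: cn=weblogic_soa,cn=users, dc=andrealmar, dc=com
cn: SOAAdministrators

dn: cn=weblogic_soa,cn=Users,dc=andrealmar,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: inetorgperson
uid: weblogic_soa
cn: weblogic_soa
userpassword: welcome1
"""

def parse_ldif(text):
    """Parse LDIF entries (plain values, no continuation lines or base64) into dicts."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:       # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def norm_dn(dn):
    """Comparable form of a DN: spaces around the commas dropped, case ignored."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def check_entries(entries):
    """Problems worth fixing before the import; an empty list means none found."""
    by_dn = {norm_dn(e["dn"][0]): e for e in entries}
    problems = []
    for dn, e in by_dn.items():
        ocs = [v.lower() for v in e.get("objectclass", [])]
        if len(ocs) != len(set(ocs)):
            problems.append(f"{dn}: duplicate objectclass value, remove the repeat before import")
        for member in e.get("uniquemember", []):
            if norm_dn(member) not in by_dn:
                problems.append(f"{dn}: uniquemember {member} is not defined in this LDIF")
        if e.get("userpassword", [""])[0].lower() in ("welcome1", "password"):
            problems.append(f"{dn}: placeholder password, set a real one before import")
    return problems
```

A member DN not defined in the same LDIF is only a problem if that entry does not already exist in the directory.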


To see if the configuration works, log out and try to log in with the new user weblogic_soa, which is now an Administrator of soa_domain.

Now, go to http://yourserver:7001/em and expand WebLogic Domain/soa_domain.


Go to Security / Application Roles.

On Select Application Stripe to Search, select OracleBPMProcessRolesApp as shown below:

Click on

All your BPM roles will appear; my environment doesn't have any application deployed, so the only role that appears is BPMProcessAdmin.


To assign an OID (Oracle Internet Directory) user to this role, just click on the role name.

You can assign a Group or a User. I decided to assign the user weblogic_soa, created previously in this tutorial, to this role.


Note that weblogic_soa now appears in the Users table.


Log into the workspace (http://yourserver:8001/bpm/workspace) and check that your user has the correct BPM Role assigned.