OES Permission Checks in ADF Task Flows

Overview

This example demonstrates how to integrate OES permissions into an ADF UI. It describes integrating OES permissions into a new ADF task flow in the Administration Console.

Objective

The objective of this example is to secure access to an ADF tab component using OES permission checking.

Scenario

An Oracle customer or system integrator is creating a custom ADF tab and needs to secure access to that tab using OIM's integration with OES. In this scenario the currently logged-in user needs to have access to the User Management - Create permission. If the user has that permission the ADF tab is enabled; otherwise it is disabled.

Prerequisites

Before starting this tutorial the following software needs to be installed:

- Oracle Identity Manager 11gR1
- Oracle JDeveloper 11gR1
- Oracle Database 11gR1
- Oracle WebLogic Server 11gR1
Download the zip file that contains the files required for this example.

Sample Project

The example described here is also included as a sample JDeveloper project. This project can be used as a starting point for other ADF/OES development.

Example Files

The example is provided as a JDeveloper project containing the following files:

    /adf_security
        /ADF-Security.jpr
        /deploy
            /oessecurityexample.jar
        /model
            /taskflows
                /adf-tab-security.adfc_diagram
        /public_html
            /SecurityView.jsff
            /taskflows
                /adf-tab-security.xml
            /WEB-INF
                /adfc-config.xml
                /faces-config.xml
                /trinidad-config.xml
                /web.xml
        /src
            /oracle
                /iam
                    /examples
                        /adfsecurity
                            /beans
                                /OESSecurityExampleBean.java

OIM libraries required for sample project

The sample project requires the following OIM jar files. The location of the jar files may need to be updated in JDeveloper to match your environment. In the left pane, right-click the ADF-Security project and select Project Properties. In the Libraries and Classpath section, update the path for:

- iam-platform-utils.jar
- iam-platform-context.jar
- iam-platform-authz-service.jar
- iam-features-identity.zip
- iam-features-authzpolicydefn.zip

Feature Manager

The Features, Actions, and Attributes that ship with OIM 11gR1 are enumerated in oracle.iam.authzpolicydefn.api.FeatureManagerConstants.

OES Security Example Bean

In the example project, the Java class oracle.iam.examples.adfsecurity.beans.OESSecurityExampleBean contains methods for performing OES permission checks. The following excerpt shows the two methods that matter for this example:

    // Generic utility method to check whether the currently logged-in
    // user has access to a Feature/Action combination
    private boolean privilegeCheck(String featureId, String actionId) {
        AuthorizationResult authzResult =
            getAuthorizationService().hasAccess(getLoggedInUserKey(), featureId, actionId);
        return authzResult.isAllowed();
    }

    // Example method to check whether the currently logged-in user
    // has the Create privilege on the User Management feature.
    //
    // Refer to oracle.iam.authzpolicydefn.api.FeatureManagerConstants
    // for the full set of available OES permissions.
    public boolean isHasCreateUserPrivilege() {
        hasCreateUserPrivilege = privilegeCheck(
            FeatureManagerConstants.Features.USER_MGMT.getId(),
            UserManagerConstants.Privilege.CREATE.getId());
        return hasCreateUserPrivilege;
    }

Integration with ADF UI

The example contains a sample ADF Task Flow that can be expanded for additional customization. The scope of this example is to create an ADF command button for creating a new user and to secure that button with an OES permission check. The task flow uses the OES Security Example Bean to determine whether the currently logged-in user has the Create User privilege in User Management.

The following excerpt is from SecurityView.jsff. The disabled attribute controls whether the button is enabled or disabled, based on the logged-in user's OES permissions. Note the negation: the bean property hasCreateUserPrivilege is true when the user holds the privilege, so the button is disabled when the property is false.

    <af:commandButton id="actionCreate" text="Create User"
        disabled="#{!pageFlowScope.oesSecurityBean.hasCreateUserPrivilege}"/>

Disabling the button only controls what the UI offers; it is not the access control itself. The user-creation operation behind the button must still be authorized on the server, so a user who lacks the privilege is refused even if the rendered state of the page is tampered with.

Test this example with two users, one with the Create User privilege and one without it. See the Oracle Fusion Middleware User's Guide for Oracle Identity Manager, Part IV Policy Administration, for more information on creating and managing OES permissions.

Building and Deploying Project

The example file includes a pre-compiled ADF jar file with all the code described above. This file can be found at adf_security/deploy/oessecurityexample.jar.

After making a change to the project files, build the project as follows:

1. Right-click ADF-Security in the Application Navigator and select Deploy -> oessecurityexample.
2. Select Deploy to ADF Library JAR file and click Next.
3. Review the Deployment Summary and click Finish.

The code change is built and deployed to adf_security/deploy/oessecurityexample.jar.

Add example task flow to Administration console

Copy oessecurityexample.jar to [OIM Deploy Location]/oim.ear/admin.war/WEB-INF/lib

Edit [OIM Deploy Location]/oim.ear/admin.war/WEB-INF/idmshell-config.xml (take a backup of the file first).

In the <taskflows> section, define a new task flow:

    <taskflow id="_security_example" closeable="false" indialog="false"
              taskflowid="/taskflows/adf-tab-security.xml#adf-tab-security">
        <name>OES Security Example</name>
    </taskflow>
Next, define a new module containing the new task flow:

    <module id="security_example_module">
        <name>Security Example</name>
        <default-taskflow-list>
            <!-- The refid needs to equal the id defined in the taskflow above -->
            <taskflow refid="_security_example"/>
        </default-taskflow-list>
    </module>

Finally, add the new module to the Identity Administration console in the <consoles> section:

    <console id="/pages/admin.jspx">
        <name>Identity Administration</name>
        <path>/pages/admin.jspx</path>
        <modules>
            <module refid="admin"/>
            <module refid="oes_oim_mgr"/>
            <module refid="security_example_module"/>
        </modules>
    </console>

Save the changes to idmshell-config.xml and restart WebLogic. Log in to the Identity Administration console to see the new task flow in the Security Example tab.
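The three idmshell-config.xml edits above are easy to get wrong by hand (a refid that does not match the taskflow id, or a duplicate entry after a second deployment). The following script is an added example, not part of the tutorial's sample project: it applies the taskflow, module and console edits with Python's xml.etree, backs the file up first, is idempotent, and reports any refid that does not resolve. The element and attribute names are the ones quoted in the tutorial; that the file has a single root element wrapping top-level <taskflows>, <modules> and <consoles> sections, and the .bak backup name, are assumptions. The sample configuration embedded below is constructed for the demonstration.

```python
"""Wire the OES security example task flow into idmshell-config.xml.

Added example for the deployment steps in the tutorial; not part of the
sample project. Assumptions: the file has one root element wrapping
<taskflows>, <modules> and <consoles>; backups are written as <file>.bak.
"""
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

TASKFLOW_ID = "_security_example"
TASKFLOW_REF = "/taskflows/adf-tab-security.xml#adf-tab-security"
MODULE_ID = "security_example_module"
CONSOLE_ID = "/pages/admin.jspx"


def _child(parent, tag):
    """Return the direct child <tag>, creating it if absent."""
    node = parent.find(tag)
    if node is None:
        node = ET.SubElement(parent, tag)
    return node


def add_security_example(xml_text):
    """Return xml_text with the task flow, module and console reference added.

    Each step first checks whether its entry already exists, so running the
    function twice yields the same document (idempotent)."""
    root = ET.fromstring(xml_text)

    # 1. <taskflow id="_security_example" ...> under <taskflows>
    taskflows = _child(root, "taskflows")
    if taskflows.find(f"taskflow[@id='{TASKFLOW_ID}']") is None:
        tf = ET.SubElement(taskflows, "taskflow", {
            "id": TASKFLOW_ID, "closeable": "false", "indialog": "false",
            "taskflowid": TASKFLOW_REF})
        ET.SubElement(tf, "name").text = "OES Security Example"

    # 2. <module id="security_example_module"> under top-level <modules>
    modules = _child(root, "modules")
    if modules.find(f"module[@id='{MODULE_ID}']") is None:
        mod = ET.SubElement(modules, "module", {"id": MODULE_ID})
        ET.SubElement(mod, "name").text = "Security Example"
        # refid must equal the id of the <taskflow> defined in step 1
        ET.SubElement(ET.SubElement(mod, "default-taskflow-list"),
                      "taskflow", {"refid": TASKFLOW_ID})

    # 3. <module refid=...> inside the Identity Administration console
    console = root.find(f"consoles/console[@id='{CONSOLE_ID}']")
    if console is None:
        raise ValueError(f"console {CONSOLE_ID} not found; is this idmshell-config.xml?")
    console_modules = _child(console, "modules")
    if console_modules.find(f"module[@refid='{MODULE_ID}']") is None:
        ET.SubElement(console_modules, "module", {"refid": MODULE_ID})

    return ET.tostring(root, encoding="unicode")


def dangling_refs(xml_text):
    """List every taskflow/module refid that does not resolve to a defined id."""
    root = ET.fromstring(xml_text)
    missing = []
    for tag in ("taskflow", "module"):
        defined = {e.get("id") for e in root.iter(tag) if e.get("id")}
        missing += [e.get("refid") for e in root.iter(tag)
                    if e.get("refid") and e.get("refid") not in defined]
    return missing


def count_entries(xml_text):
    """Count the three entries the script adds (used to check idempotency)."""
    root = ET.fromstring(xml_text)
    return {
        "taskflow": len(root.findall(f"taskflows/taskflow[@id='{TASKFLOW_ID}']")),
        "module": len(root.findall(f"modules/module[@id='{MODULE_ID}']")),
        "console_ref": len(root.findall(
            f"consoles/console[@id='{CONSOLE_ID}']/modules/module[@refid='{MODULE_ID}']")),
    }


def patch_file(path):
    """Back up idmshell-config.xml to <path>.bak and rewrite it in place."""
    p = Path(path)
    shutil.copy2(p, p.with_name(p.name + ".bak"))
    p.write_text(add_security_example(p.read_text()))


# Constructed stand-in for idmshell-config.xml. Only the ids quoted in the
# tutorial (admin, oes_oim_mgr, /pages/admin.jspx) are taken from it.
SAMPLE_CONFIG = """<idmshell-config>
  <taskflows>
    <taskflow id="_admin_home" closeable="false" indialog="false"
              taskflowid="/taskflows/home.xml#home"><name>Home</name></taskflow>
  </taskflows>
  <modules>
    <module id="admin"><name>Administration</name>
      <default-taskflow-list><taskflow refid="_admin_home"/></default-taskflow-list>
    </module>
    <module id="oes_oim_mgr"><name>Authorization Policy</name></module>
  </modules>
  <consoles>
    <console id="/pages/admin.jspx">
      <name>Identity Administration</name>
      <path>/pages/admin.jspx</path>
      <modules><module refid="admin"/><module refid="oes_oim_mgr"/></modules>
    </console>
  </consoles>
</idmshell-config>"""

if __name__ == "__main__":
    patched = add_security_example(SAMPLE_CONFIG)
    print(patched)
    print("dangling refs:", dangling_refs(patched))
```

Run it against the real file with patch_file("[OIM Deploy Location]/oim.ear/admin.war/WEB-INF/idmshell-config.xml"), then check dangling_refs on the result before restarting WebLogic; a non-empty list means a refid was mistyped and the module would not render.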