Monday, March 30, 2015

OIM API: Entitlements

Tested On: Oracle Identity Manager 11.1.2.2.0
Description: Given here is code that uses the OIM Java API to grant, revoke, and update entitlements on a user. Entitlement data is stored in the child process form of a resource. The test driver uses, as an example, a disconnected resource whose child table has multiple columns (an entitlement with attributes).

Child Form with "Type" form field as the Entitlement attribute.

Lookup Definition for Entitlement attribute "Type".

User Entitlements View
User Resource Account View Includes:
Parent data in the Details section
Child data in Laptop_UD_LPTYPE table

Here are some useful OIM tables related to entitlements to look at:
ENT_LIST = List of entitlements
ENT_ASSIGN = Entitlement instances assigned to users
UD_* = Resource account data; look at the child UD table
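
An added example, not part of the original post: two read-only queries over the tables listed above, for reviewing who holds which entitlement and for spotting ENT_LIST rows whose lookup reference does not resolve (the symptom described in the comments below). Column names that are not quoted elsewhere on this page (ENT_LIST_KEY, ENT_STATUS, USR_LOGIN, OBJ_NAME, LKV_ENCODED) are assumed from the 11.1.2.x schema; confirm them with DESCRIBE before relying on the output.

```sql
-- Run as a read-only user against the OIM schema.

-- 1. Access review: every entitlement instance, the user holding it,
--    the resource object it belongs to, and its current status.
SELECT usr.usr_login,
       obj.obj_name,
       el.ent_display_name,
       el.ent_code,
       ea.ent_status                  -- assumed column: assignment status
FROM   ent_assign ea
       JOIN ent_list el ON el.ent_list_key = ea.ent_list_key
       JOIN usr         ON usr.usr_key     = ea.usr_key
       JOIN obj         ON obj.obj_key     = el.obj_key
ORDER  BY usr.usr_login, obj.obj_name, el.ent_display_name;

-- 2. Catalog integrity: ENT_LIST rows whose LKV_KEY points at no lookup
--    value, or at one whose encoded value differs from ENT_CODE.
--    Assumption: ENT_CODE normally mirrors LKV.LKV_ENCODED.
SELECT el.ent_list_key,
       el.ent_code,
       el.ent_value,
       el.lkv_key,
       lkv.lkv_encoded
FROM   ent_list el
       LEFT JOIN lkv ON lkv.lkv_key = el.lkv_key
WHERE  lkv.lkv_key IS NULL
   OR  lkv.lkv_encoded <> el.ent_code
ORDER  BY el.ent_list_key;
```

Rows returned by the second query are catalog entries to investigate before anyone is granted them, since the entitlement shown to an approver may not correspond to a real lookup value on the target.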

References: Java API Reference for Oracle Identity Manager 11.1.2.2
http://docs.oracle.com/cd/E27559_01/admin.1112/e27149/appinstance.htm#OMADM4680


4 comments:

  1. Is it possible to CREATE an entitlement using the API? If so, what's the lookup key value?

    Replies
    1. There are methods in "oracle.iam.provisioning.api.EntitlementService" to create entitlements. I think there might be a bug with the addEntitlement() method. I notice that there is a lookup definition (LKU_KEY) validation check for the field that is set by setLookupValueKey(). Below is sample code I am using to create an entitlement.

      import oracle.iam.provisioning.api.EntitlementService;
      import oracle.iam.provisioning.vo.Entitlement;

      // oimClient is an already authenticated oracle.iam.platform.OIMClient
      EntitlementService entServ = oimClient.getService(EntitlementService.class);

      Entitlement ent = new Entitlement();
      ent.setDisplayName("GridGuard"); // ENT_DISPLAY_NAME
      ent.setEntitlementCode("21~GridGuard"); // ENT_CODE
      ent.setEntitlementValue("BadgeAccess~GridGuard"); // ENT_VALUE
      ent.setItResourceKey(21L); // SVR_KEY
      ent.setObjectKey(21L); // OBJ_KEY
      ent.setFormKey(23L); // SDK_KEY
      ent.setFormFieldKey(74L); // SDC_KEY *Use Key lookup attribute
      ent.setLookupValueKey(1570L); // LKU_KEY *Need setter for LKU

      entServ.addEntitlement(ent); // Call to create entitlement


      When using the add entitlement API, a new record is inserted into the ENT_LIST table. The ENT_LIST.LKV_KEY in the new record would be incorrect though. Also, there is no new entry added to the lookup (LKV).

      I think the intention of the API is to have the user provide the Lookup Definition Key (LKU_KEY) which there is no setter method for and have OIM generate the LKV_KEY.

    2. You can use tcLookupOperationsIntf to add entries to your entitlement lookups and then run the "Entitlement List" and "Catalog Synchronization Job" scheduled jobs.

  2. I need code which can remove entitlements in bulk.
