How to implement 3000 companies,10 users at least and one sysadmin group?

692827  Jul 30 2009 — edited Aug 4 2009
Hi everyone,

We are trying to figure out which is the best way to implement the following in OIM. We have 3000 companies, each company has at least 10 users. Each company has more than one sysAdmin for managing their own users.

We have done the following:
- Created a user custom field in OIM to specify the user's company name.
- Created one sysAdmin group which contains ALL the sysAdmins from all 3000 companies.
- Created a SINGLE organization which has the sysAdmin group as its administrative group.

The sysAdmins and regular users will not be logging into the OIM web app directly. We are developing a Portal which will allow the admin users to perform OIM tasks by calling multiple OIM APIs in the backend, such as searching, modifying a user's profile, approving self-registration requests, etc.

The issue I am running into right now is that the sysAdmin from company A has to be able to create, delete or modify users within its own company only. With the above scenario the sysAdmin has access to ALL users in OIM since he is part of the sysAdmin group that administers the organization.


So far I have come up with 2 solutions:

1) In our backend code where we call the OIM APIs, filter out those users that do not belong to the sysAdmin's company.
With this option we run the risk of having some loopholes in our code that will allow a sysAdmin from Company A to be able to search for, delete or modify users from Company B.

2) Create an organization and sysAdmin group for each company
With this option we will have to create 3000 organizations and 3000 groups and then make each group the administrative group for its organization. This is a very cumbersome task, so we may have to develop management frontends to aid staff in maintaining the groups/organizations.
But, more important, there is also an external Oracle database containing company information that we'd like to have synchronized with OIM. For example, if a company gets deleted from the external Oracle database, OIM will have to be aware of that change and delete the organization as well. Is it possible to synchronize external data sources against organizations and groups?

Our questions are:
a) What are the best practices in implementing the client administrator scenario that we described above?
b) If we go for option 1, can we create a rule or an adapter that performs all the checking instead of doing it in our own code? What are the security risks involved?
c) How can we keep our OIM organizations and administrator groups synchronized with the external Oracle database?

Thank you in advance,
Isabel
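An added illustration (not part of the original post, and not OIM code) of the risk the poster describes in option 1 and of the usual way to contain it: instead of remembering to filter in every handler, route every directory call through one company-scoped gate. The `Directory` class below is a stand-in for the unscoped admin API that an organization's administrative group sees, the user records are constructed sample data, and the handler and class names (`naive_search`, `naive_modify`, `TenantScopedDirectory`) are assumptions; nothing here calls the real OIM API.

```python
"""Tenant-scoped authorization gate for a portal fronting a user directory.

Stand-in code: `Directory` imitates an unscoped admin API (what the org-level
admin group can do), the records are constructed sample data, and no real
OIM API is called.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

COMPANY_ATTR = "company"   # the custom user field from the post


class CrossTenantAccess(PermissionError):
    """Raised when a sysAdmin touches a user outside their own company."""


@dataclass
class User:
    login: str
    company: str
    email: str
    groups: List[str] = field(default_factory=list)


class Directory:
    """Unscoped backend: every user in the single organization is reachable."""

    def __init__(self, users: List[User]):
        self._users: Dict[str, User] = {u.login: u for u in users}

    def find_users(self, **filters) -> List[User]:
        return [u for u in self._users.values()
                if all(getattr(u, k) == v for k, v in filters.items())]

    def get_user(self, login: str) -> Optional[User]:
        return self._users.get(login)

    def modify_user(self, login: str, attrs: Dict[str, str]) -> None:
        for k, v in attrs.items():
            setattr(self._users[login], k, v)

    def delete_user(self, login: str) -> None:
        del self._users[login]


# --- Option 1 written naively: the check lives in individual handlers --------
def naive_search(directory: Directory, admin: User, **filters) -> List[User]:
    # This handler remembers to filter by company ...
    return [u for u in directory.find_users(**filters) if u.company == admin.company]


def naive_modify(directory: Directory, admin: User, login: str, attrs: Dict[str, str]) -> None:
    # ... but this one only checks group membership: the loophole the post fears.
    if "sysAdmin" not in admin.groups:
        raise PermissionError("not a sysAdmin")
    directory.modify_user(login, attrs)


# --- Hardened: one scoped wrapper that every portal call must go through -----
class TenantScopedDirectory:
    """All reads are AND-ed with the admin's company; all writes re-check it."""

    def __init__(self, directory: Directory, admin: User):
        if "sysAdmin" not in admin.groups:
            raise PermissionError("not a sysAdmin")
        self._d = directory
        self._company = admin.company

    def _owned(self, login: str) -> User:
        target = self._d.get_user(login)
        # Same error for "not found" and "other tenant", so probing from
        # company A cannot enumerate which logins exist in company B.
        if target is None or target.company != self._company:
            raise CrossTenantAccess(f"{login} is not in scope")
        return target

    def find_users(self, **filters) -> List[User]:
        filters[COMPANY_ATTR] = self._company   # caller cannot widen the scope
        return self._d.find_users(**filters)

    def modify_user(self, login: str, attrs: Dict[str, str]) -> None:
        self._owned(login)
        if COMPANY_ATTR in attrs:
            # An admin-writable company field would let a sysAdmin pull foreign
            # users into, or push their own users out of, their scope.
            raise CrossTenantAccess("company attribute is not admin-writable")
        self._d.modify_user(login, attrs)

    def delete_user(self, login: str) -> None:
        self._owned(login)
        self._d.delete_user(login)


def sample_directory() -> Directory:
    """Constructed sample data: two of the 3000 companies."""
    return Directory([
        User("admin_a", "A", "admin_a@a.example", ["sysAdmin"]),
        User("alice", "A", "alice@a.example"),
        User("admin_b", "B", "admin_b@b.example", ["sysAdmin"]),
        User("bob", "B", "bob@b.example"),
    ])


def demo() -> Dict[str, bool]:
    """Which cross-tenant actions succeed under each design (True = leak)."""
    results = {}
    d = sample_directory()
    admin_a = d.get_user("admin_a")
    results["naive_search_leaks"] = any(u.company == "B" for u in naive_search(d, admin_a))
    naive_modify(d, admin_a, "bob", {"email": "hijacked@a.example"})
    results["naive_modify_crosses_tenant"] = d.get_user("bob").email == "hijacked@a.example"

    d = sample_directory()
    scoped = TenantScopedDirectory(d, d.get_user("admin_a"))
    results["scoped_search_leaks"] = any(u.company == "B" for u in scoped.find_users())
    try:
        scoped.modify_user("bob", {"email": "hijacked@a.example"})
        results["scoped_modify_crosses_tenant"] = True
    except CrossTenantAccess:
        results["scoped_modify_crosses_tenant"] = False
    return results


if __name__ == "__main__":
    for name, leaked in demo().items():
        print(f"{name}: {leaked}")
```

The point of the wrapper is that the company scope is bound once, at construction, from the authenticated admin's own record, and the portal code never holds a reference to the unscoped `Directory`; a forgotten check in one handler then cannot reopen the hole. Two details are easy to miss in a hand-rolled option 1: the company attribute itself must not be writable by a sysAdmin (otherwise scope can be escaped by editing it), and "no such user" and "user in another company" should return the same error so company B's logins cannot be enumerated.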
Locked on Sep 1 2009