This appendix describes Oracle Privileged Account Manager's RESTful interface, including the specific APIs that are exposed through this interface.
This appendix includes the following sections:
While Oracle Privileged Account Manager can be consumed through several client interfaces, its fundamental access mechanism or layer is encapsulated in its RESTful interfaces.
Note:
For information about using Oracle Privileged Account Manager's web-based Console or command line tool to perform tasks described in this appendix, refer to Chapter 4, "Starting and Using the Oracle Privileged Account Manager Console" or Appendix A, "Working with the Command Line Tool."
All interactions with Oracle Privileged Account Manager's server that are being used by external parties, such as a non-Oracle Privileged Account Manager server, are exposed through RESTful interfaces. All externally visible Oracle Privileged Account Manager resources are modeled by URIs, while standard HTTP operations are mapped to relevant Oracle Privileged Account Manager operations on those resources.
Note:
The information provided in this appendix is essentially the same whether you are using Oracle Privileged Account Manager on WebLogic or on IBM WebSphere; however, there are a few minor differences.
For more information, refer to "Differences When Using the Oracle Privileged Account Manager Command Line Tool and REST Interfaces on IBM WebSphere" in the Oracle Fusion Middleware Third-Party Application Server Guide for Oracle Identity and Access Management.
This section describes the Get Server State API.
Use this API to retrieve information about the status of a server.
|
URI |
https://opam_server_host:opam_ssl_port/opam/ |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Returns on Success |
Status code 200 and JSON representation of the Server State Resource |
Example B-1 Example JSON Output of Server Status
{
"RequestorGroups" : [
"OPAM_APPLICATION_CONFIGURATOR",
"OPAM_SECURITY_ADMIN",
"OPAM_USER_MANAGER",
"OPAM_SECURITY_AUDITOR"
],
"ServerState" : {
"Status" : "Oracle Privileged Account Manager Server is up!",
"StatusCode" : 0
},
"Requestor" : "master_user"
"version":"11.1.2.2.0"
}
Where:
RequestorGroups are groups assigned to the user who is making the request.
Requestor is the user who is making the request.
StatusCode indicates whether the server is working properly.
Returns a zero (0) if the server is working properly.
Returns a non-zero integral value if the server has encountered some issue.
Status is an informative message about the state of the server.
version is the Oracle Privileged Account Manager version.
This section describes the following configuration resource APIs:
The APIs described in this section include:
Use this API to retrieve a configuration object for Oracle Privileged Account Manager.
Note:
You must be an administrator with the User Manager Admin Role, the Security Administrator Admin Role, or the Application Configurator Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/config/configid |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Returns on Success |
200 and JSON representation of a |
https://opam_server_host:opam_ssl_port/opam/config/globalconfig
Example B-2 Sample JSON Representation of a config Object
{
"config":{
"configUID":"globalconfig",
"configType":"config_globalconfig",
"tdemode":[
"true"
],
"policyenforcerinterval":[
"3600"
],
"passwordcyclerinterval":[
"3600"
]
}
}
Where:
configUID is a unique identifier for the config object.
configType is the type of config object.
policyenforcerinterval is the interval (in seconds) in which Oracle Privileged Account Manager checks accounts and then automatically checks-in the accounts that have exceeded the expiration time defined in the Usage Policy.
passwordcyclerinterval is the interval (in seconds) in which Oracle Privileged Account Manager checks and then resets the password for any accounts that have exceeded the maximum password age defined in the Password Policy.
tdemode is a flag to request that Oracle Privileged Account Manager use TDE or non-TDE mode.
Use this API to modify a configuration object for Oracle Privileged Account Manager.
Note:
You must be an administrator with the Application Configurator Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/config/configid |
|---|---|
|
Method |
|
|
Content-Type |
application/json |
|
Body |
JSON representation of Modification |
|
Returns on Success |
Status code 200 |
Example B-3 Example JSON Output of Modification
{
"modifications":[
{
"modification":{
"tdemode":[
"false"
]
}
}
]
}
Where:
modifications are an array of modification JSON objects.
modification is a JSON object representing the modification of a single configuration object.
tdemode is a flag to request that Oracle Privileged Account Manager use TDE or non-TDE mode.
The APIs described in this section include:
Use this API to get a configuration object for Oracle Privileged Session Manager.
|
URI |
https://opam_server_host:opam_ssl_port/opam/config/sessionmgrconfig |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Returns on Success |
Status code 200 and JSON representation of a Session Manager |
Note:
You must be an administrator with the User Manager, the Security Administrator, or the Application Configurator Admin Role to use this API.
You cannot run two instances of Oracle Privileged Session Manager on the same machine.
Example B-4 Sample JSON Representation of Session Manager Config
{"config": {
"updateinterval": 60,
"pub-key": "ssh-dss AAAAB3NzaC1kc3MAAACBAN6279V8ozaK\/s6x9ihSyIljEs3EziPtP0yN9dgeFq7VkP5vtj1OBbYDk4\
/MbbcILsx9Ko+qDury2YYuTK\/sn+M+3LURQE2zUJN1FVZ346d+smIVmHfqM58zGZPnjeFr3AFRE7RE0V\/Tt\
/D8Unjacw84aLzSBU3pcThb+bSpV7LnAAAAFQCIDIlCv4EB6T4U5uI6QfFdBxOAUwAAAIAQEJIKlT6Oiwzh+63XilA34ivbMKc
Pqk7oi3FChKZS+NShnt1nR1vd5cIDt8UWy+WcwYWT\/\/hfafRKxhC9OHFXKAlI0R0WF\
/lYRBcfTUa9AOEu8j7Olqiqxm34P1otlS8aHCkUjfY1\
/Vg8eJkHaYE5U1omd4Y7skroVxo9K7bDvwAAAIBzHcvPMCnJARKtWFxtT8UkywXowd3saeZudRmEUsirZbMl08HnM1CV952n
V3aeAFY+8dnQ9HTFiMZt9cjpfMmWXl8LniACAuch+Ex\
/QSV7M5u9RBvCo+iXATSjypK6UMzmoMWR6znnLYPdUDmiELtFx8kYt3RgpsdnfoycCmJK3Q==","prv-key":
"MIIBugIBAAKBgQDetu\/VfKM2iv7OsfYoUsiJYxLNxM4j7T9MjfXYHhau1ZD+b7Y9
\nTgW2A5OPzG23CC7MfSqPqg7q8tmGLkyv7J\/jPty1EUBNs1CTdRVWd+OnfrJiFZh3\n6jOfMxmT543ha9wBURO0RNFf07fw\
/FJ42nMPOGi80gVN6XE4W\/m0qVey5wIVAIgM\niUK\
/gQHpPhTm4jpB8V0HE4BTAoGAEBCSCpU+josM4fut14pQN+Ir2zCnD6pO6Itx
\nQoSmUvjUoZ7dZ0db3eXCA7fFFsvlnMGFk\/\/4X2n0SsYQvThxVygJSNEdFhf5WEQX
\nH01GvQDhLvI+zpaoqsZt+D9aLZUvGhwpFI32Nf1YPHiZB2mBOVNaJneGO7JK6Fca
\nPSu2w78CgYBzHcvPMCnJARKtWFxtT8UkywXowd3saeZudRmEUsirZbMl08HnM1CV
\n952nV3aeAFY+8dnQ9HTFiMZt9cjpfMmWXl8LniACAuch+Ex\/QSV7M5u9RBvCo+iX
\nATSjypK6UMzmoMWR6znnLYPdUDmiELtFx8kYt3RgpsdnfoycCmJK3QIUHexDoyJl
\nS6MlOvKqzYiIJwrEalw=",
"SSH": {
"opamListenPort": 1222,
"sessionchkoutinstructions": "ssh -p <port> <opamuser>:<targetname>:<accountname>@<sessionmgrhost>
\n Use opam password on password prompt"
},
"configUID": "sessionmgrconfig",
"configType": "config_sessionmgrconfig"
"maxrecordsize" : 10240
}}
Where:
configUID is a unique identifier for the config object.
configType is the type of config object.
updateinterval is the interval (in seconds) in which the Oracle Privileged Session Manager server checks all of the checked-out sessions and updates their transcripts.
opamserverurls is an array of Oracle Privileged Account Manager server URLs to which Oracle Privileged Session Manager can connect.
pub-key is the Oracle Privileged Session Manager server's public key.
maxrecordsize is the maximum recording size that is allowed per session (in KB). When this quota is reached, the session is automatically terminated.
prv-key is the Oracle Privileged Session Manager server's private key.
Protocol-specific attributes include:
opamListenPort is the listener port for the protocol.
sessionchkoutinstructions is the session checkout instructions.
Use this API to update a configuration object for Oracle Privileged Session Manager.
|
URI |
https://opam_server_host:opam_ssl_port/opam/config/sessionmgrconfig |
|---|---|
|
Method |
|
|
Content-Type |
application/json |
|
Body |
JSON representation of Modification |
|
Returns on Success |
Status code 200 |
Note:
You must be an administrator with the Application Configurator Admin Role to use this API.
Example B-5 Sample JSON Modification
{
"modifications": [
{
"modification": {
"updateinterval": 300
}
},
{
"modification": {
"opamserverurls": [
"https://localhost:7002/opam"
]
}
},
{
"modification": {
"SSH": {
"opamListenPort": 1222
}
}
},
{
"modification": {
"SSH": {"sessionchkoutinstructions":"ssh -p <port>
<opamuser>:<targetname>:<accountname>@<sessionmgrhost> \n Use opam password on password prompt"
}
}
}
]
}
Note:
You can update all of these attributes, except
configUID is a unique identifier for the config object.
configType is the type of config object.
For the other attribute definitions, refer to Section B.3.2.1, "Get Configuration Resource."
This section describes the APIs you use when working with Oracle Privileged Account Manager policies.
The APIs described in this section include:
Use this API to search for policies. This API is a search, using one or more of the following parameters:
policystatus
policyname
All of the parameters are optional.
|
URI |
https://opam_server_host:opam_ssl_port/opam/policy/search?param1=val1¶m2=val2 |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of policies |
Example B-6 Sample JSON Representation of Policies
{
"usagepolicies":[
{
"policyname":"Default Usage Policy",
"policyid":"usagepolicy1",
"policystatus":"active",
}
],
"passwordpolicies":[
{
"policyname":"Default Password Policy",
"policyid":"passwordpolicy2",
"policystatus":"active",
"globaldefault":"y"
}
]
}
Where:
usagepolicies are an array of Usage Policies.
passwordpolicies are an array of Password Policies.
policyname is the policy name.
policyid is the policy's unique identifier.
policystatus is the policy status, where acceptable values are active or disabled.
Use this API to get the Default Usage Policy and Default Password Policy.
|
URI |
https://opam_server_host:opam_ssl_port/opam/policy/default |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of policies |
Example B-7 Sample JSON Representation of Policies
{
"usagepolicies":[
{
"policyname":"Default Usage Policy",
"policyid":"usagepolicy1",
"policystatus":"active"
}
],
"passwordpolicies":[
{
"policyname":"Default Password Policy",
"policyid":"passwordpolicy2",
"policystatus":"active"
}
]
}
Where:
usagepolicies is an array of Usage Policies.
passwordpolicies is an array of Password Policies.
policyname is the policy name.
policyid is the policy's unique identifier.
policystatus is the policy status, where acceptable values are active or disabled.
This attribute only returns the default policies, Default Usage Policy and Default Password Policy.
The APIs described in this section include:
Use this API to retrieve a Password Policy.
Note:
You must be an administrator with the User Manager Admin Role or the Security Administrator Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/passwordpolicy/{policyid} |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of Password Policy |
Example B-8 Sample JSON Representation of Password Policy
{
"passwordpolicy":{
"policyid":"passwordpolicy2",
"policystatus":"active",
"policyname":"Default Password Policy",
"description":"Default Password Policy",
"globaldefault":"y",
"passwordchangedurationunit":"days",
"passwordchangedurationvalue":30,
"passwordhistorydays":30
"changeoncheckin":"y",
"changeoncheckout":"y",
"passwordcharsmin":8,
"passwordcharsmax":8,
"passwordalphabeticmin":1,
"passwordnumericmin":1,
"passwordalphanumericmin":2,
"passworduniquemin":1,
"passworduppercasemin":1,
"passwordlowercasemin":1,
"passwordspecialmin":0,
"passwordspecialmax":0,
"passwordrepeatedmin":0,
"passwordrepeatedmax":1,
"startingchar":"n",
"isaccountnameallowed":"n",
"requiredchars":[
"a",
"h",
"j"
],
"allowedchars":[
"b",
"t",
"y",
"p",
"u",
"r",
"o",
"k",
"1",
"2",
"=",
"M",
"a",
"h",
"j"
],
"disalloweddchars":[
"7",
"8",
"l"
],
}
}
Where:
passwordpolicy is a passwordpolicy JSON object.
policyid is the policy's unique identifier.
policystatus is the policy's status, where acceptable values are active or disabled.
policyname is the policy name.
description is a description of the policy.
globaldefault indicates whether the policy is a global default or not.
passwordchangedurationunit and passwordchangedurationvalue determine the interval after which the account password must be changed. Where passwordchangedurationunit can have the values: days, hours, or minutes.
passwordhistorydays indicates how many days to keep the password history.
changeoncheckin indicates whether to change the password on check-in. (Valid values are y and n.)
changeoncheckout indicates whether to change the password on checkout. (Valid values are y and n.)
startingchar indicates the character with which the password should begin.
isaccountnameallowed indicates whether the password can be the same as the account name.
requiredchars, allowedchars, disallowedchars are characters that are required, allowed, and disallowed respectively.
passwordcharsmin is the minimum number of characters required in the password.
passwordcharsmax is the maximum number of characters allowed in the password.
passwordalphabeticmin is the minimum number of alphabetic characters required in the password.
passwordnumericmin is the minimum number of numeric characters required in the password.
passwordalphanumericmin is the minimum number of alphanumeric characters required in the password.
passworduniquemin is the minimum number of unique characters required in the password.
passworduppercasemin is the minimum number of uppercase characters required in the password.
passwordlowercasemin is the minimum number of lowercase characters required in the password.
passwordspecialmin is the minimum number of special characters required in the password.
passwordspecialmax is the maximum number of special characters allowed in the password.
passwordrepeatedmin is the minimum number of repeated characters required in the password.
passwordrepeatedmax is the maximum number of repeated characters allowed in the password.
Use this API to update a Usage Policy. You can update all of the attributes, except policyid, and you can update multiple attributes at a time.
Note:
You must be an administrator with the Security Administrator Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/passwordpolicy/{policyid} |
|---|---|
|
Method |
|
|
Content-Type |
application/json |
|
Body |
JSON representation for Password Policy modification |
|
Returns on Success |
Status code 200 |
Example B-9 Sample JSON Representation of Password Policy Modification
{
"modifications":[
{
"modification":{
"disalloweddchars":[
"4",
"6"
]
}
},
{
"modification":{
"passwordalphabeticmin":2
}
}
]
}
Where:
modifications is an array of modification JSON objects.
modification is a JSON object representing a single attribute.
Use this API to create a Password Policy.
Note:
You must be an administrator with the Security Administrator Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/passwordpolicy |
|---|---|
|
Method |
|
|
Content-Type |
application/json |
|
Body |
JSON representation for Password Policy creation |
|
Returns on Success |
Status code 201 |
Example B-10 Sample JSON Representation for Password Policy Creation
{
"passwordpolicy":{
"policystatus":"active",
"policyname":"Default Password Policy",
"description":"Default Password Policy",
"passwordchangedurationunit":"days",
"passwordchangedurationvalue":30,
"passwordhistorydays":30
"changeoncheckin":"y",
"changeoncheckout":"y",
"passwordcharsmin":8,
"passwordcharsmax":8,
"passwordalphabeticmin":1,
"passwordnumericmin":1,
"passwordalphanumericmin":2,
"passworduniquemin":1,
"passworduppercasemin":1,
"passwordlowercasemin":1,
"passwordspecialmin":0,
"passwordspecialmax":0,
"passwordrepeatedmin":0,
"passwordrepeatedmax":1,
"startingchar":"n",
"isaccountnameallowed":"n",
"requiredchars":[
"a",
"h",
"j"
],
"allowedchars":[
"b",
"t",
"y",
"p",
"u",
"r",
"o",
"k",
"1",
"2",
"=",
"M",
"a",
"h",
"j"
],
"disalloweddchars":[
"7",
"8",
"l"
]
}
}
All attributes are optional, except policyname. For attribute definitions refer to Section B.4.3.1, "Retrieve a Password Policy."
Use this API to retrieve a list of accounts for a Password Policy.
Note:
You must be an administrator with the User Manager Admin Role or the Security Administrator Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/passwordpolicy/{policyid}/accounts |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of accounts |
Example B-11 Sample JSON Representation of Accounts
{
"accounts":[
{
"account":{
"accountUID":"5bb2c74e1655487c92ecefd5b5270e95",
"accountName":"dsperson1",
"targetID":"3ba06e568166493384f86aa5cc7152f1",
"targetName":"sunds_6.3_target",
"targetDomain":"needtofix",
"targetType":"ldap"
}
},
{
"account":{
"account":{
"accountUID":"c67f93d7a7e44844b24aa43d4cd236e9",
"accountName":"person2",
"targetID":"75a23e9f30ba456b961a1f5d327e67ef",
"targetName":"ldap1_target",
"targetDomain":"needtofix",
"targetType":"ldap"
}
}
}
]
}
For attribute definitions, refer to Section B.5, "Target Resource" and Section B.6, "Account Resource."
Use this API to delete a Password Policy.
Note:
You must be an administrator with the Security Administrator Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/passwordpolicy/{policyid} |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status 200 |
The APIs described in this section include:
Use this API to retrieve a Usage Policy.
|
URI |
https://opam_server_host:opam_ssl_port/opam/usagepolicy/{policyid} |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of Usage Policy |
Example B-12 Sample JSON Representation of Usage Policy
{
"usagepolicy":{
"policyid":"usagepolicy1",
"policystatus":"active",
"policyname":"Default Usage Policy",
"description":"Default Usage Policy",
"globaldefault":"y",
"dateorduration":"duration",
"expireddateminutesfromcheckout":7200,
"expireddate":"08\/08\/2088",
"expireddatehour":0,
"expireddateminutes":0,
"expireddateamorpm":"am",
"timezone":"America\/Los_Angeles",
"usagedates":[
{
"day":"saturday",
"fromhour":"12",
"fromminutes":"0",
"fromamorpm":"am",
"tohour":"12",
"tominutes":"0",
"toamorpm":"am"
},
{
"day":"wednesday",
"fromhour":"12",
"fromminutes":"0",
"fromamorpm":"am",
"tohour":"12",
"tominutes":"0",
"toamorpm":"am"
},
{
"day":"sunday",
"fromhour":"12",
"fromminutes":"0",
"fromamorpm":"am",
"tohour":"12",
"tominutes":"0",
"toamorpm":"am"
},
{
"day":"friday",
"fromhour":"12",
"fromminutes":"0",
"fromamorpm":"am",
"tohour":"12",
"tominutes":"0",
"toamorpm":"am"
},
{
"day":"tuesday",
"fromhour":"12",
"fromminutes":"0",
"fromamorpm":"am",
"tohour":"12",
"tominutes":"0",
"toamorpm":"am"
},
{
"day":"thursday",
"fromhour":"12",
"fromminutes":"0",
"fromamorpm":"am",
"tohour":"12",
"tominutes":"0",
"toamorpm":"am"
},
{
"day":"monday",
"fromhour":"12",
"fromminutes":"0",
"fromamorpm":"am",
"tohour":"12",
"tominutes":"0",
"toamorpm":"am"
}
],
"allowcheckouttype": "all"
}
}
Where:
usagepolicy is a usagepolicy JSON object.
policyid is the Usage Policy's unique identifier.
policystatus is set to active or disabled.
policyname is a name of the policy
description is a description of the policy.
globaldefault indicates whether the policy is the global default policy or not.
dateorduration indicates how the expiration time is calculated.
If set to date, then expireddate, expireddatehour, expireddateminutes, and expireddateamorpm are used.
If set to duration, then expireddateminutesfromcheckout is used.
Where:
expireddate is the date of expiration. The format is MM/dd/yyyy.
expireddatehour.hour are integer values between 0 and 12.
expireddateminutes.minutes are integer values between 0 and 60.
expireddateamorpm is am or pm.
expireddateminutesfromcheckout are minutes from checkout.
timezone is a time zone for the Usage Policy.
usagedates is an array, where each value represents the check out time for individual days.
day is a day of the week, where acceptable values are sunday, monday, tuesday, wednesday, thursday, friday, and saturday.
Use the following attributes to indicate a range from and to:
fromhour is an integer value between 0 and 12.
fromminutes is a n integer value between 0 and 60.
fromamorpm is am or pm.
tohour is a n integer value between 0 and 12.
tominutes is a n integer value between 0 and 60.
toamorpm is am or pm.
allowcheckoutype indicates which type of checkout is permitted for the policy.
all: Choose this option to allow users to check out passwords and sessions.
password (default): Choose this option to allow users to only check out passwords.
session: Choose this option to allow users to only check out sessions.
Use this API to update a Usage Policy. You can update all attributes, except policyid, and you can update multiple attributes at a time.
Note:
You must be an administrator with the User Manager Admin Role or the Security Administrator Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/usagepolicy/{policyid} |
|---|---|
|
Method |
|
|
Content-Type |
application/json |
|
Body |
JSON representation of Usage Policy modification |
|
Returns on Success |
Status code 200 |
Example B-13 Sample JSON Representation of Usage Policy Modification
{
"modifications":[
{
"modification":{
"usagedates":[
{
"day":"saturday",
"fromhour":"12",
"fromminutes":"0",
"fromamorpm":"am",
"tohour":"12",
"tominutes":"0",
"toamorpm":"am"
},
{
"day":"wednesday",
"fromhour":"12",
"fromminutes":"0",
"fromamorpm":"am",
"tohour":"12",
"tominutes":"0",
"toamorpm":"am"
}
]
}
},
{
"modification":{
"expireddatehour":2
}
}
]
}
Where:
modifications are an array of modification JSON objects.
modification is a JSON object representing a single attribute.
Use this API to create a Usage Policy.
Note:
You must be an administrator with the User Manager Admin Role or the Security Administrator Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/usagepolicy |
|---|---|
|
Method |
|
|
Content-Type |
application/json |
|
Body |
JSON representation for Usage Policy creation |
|
Returns on Success |
Status code 201 |
Example B-14 Sample JSON Representation for Usage Policy Creation
{
"usagepolicy":{
"policystatus":"active",
"policyname":"Default Usage Policy",
"description":"Default Usage Policy",
"dateorduration":"duration",
"expireddateminutesfromcheckout":7200,
"expireddate":"08\/08\/2088",
"expireddatehour":0,
"expireddateminutes":0,
"expireddateamorpm":"am",
"timezone":"America\/Los_Angeles",
"usagedates":[
{
"day":"saturday",
"fromhour":"12",
"fromminutes":"0",
"fromamorpm":"am",
"tohour":"12",
"tominutes":"0",
"toamorpm":"am"
},
{
"day":"wednesday",
"fromhour":"12",
"fromminutes":"0",
"fromamorpm":"am",
"tohour":"12",
"tominutes":"0",
"toamorpm":"am"
},
{
"day":"sunday",
"fromhour":"12",
"fromminutes":"0",
"fromamorpm":"am",
"tohour":"12",
"tominutes":"0",
"toamorpm":"am"
},
{
"day":"friday",
"fromhour":"12",
"fromminutes":"0",
"fromamorpm":"am",
"tohour":"12",
"tominutes":"0",
"toamorpm":"am"
},
{
"day":"tuesday",
"fromhour":"12",
"fromminutes":"0",
"fromamorpm":"am",
"tohour":"12",
"tominutes":"0",
"toamorpm":"am"
},
{
"day":"thursday",
"fromhour":"12",
"fromminutes":"0",
"fromamorpm":"am",
"tohour":"12",
"tominutes":"0",
"toamorpm":"am"
},
{
"day":"monday",
"fromhour":"12",
"fromminutes":"0",
"fromamorpm":"am",
"tohour":"12",
"tominutes":"0",
"toamorpm":"am"
}
"allowcheckouttype": "all"
]
}
}
For attribute definitions, refer to Section B.4.4.1, "Retrieve a Usage Policy."
Use this API to retrieve a list of grants for a Usage Policy.
Note:
You must be an administrator with the User Manager Admin Role or the Security Administrator Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/usagepolicy/{policyid}/grantees |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of grants |
Example B-15 Sample JSON Representation of Grants
{
"grantees":[
{
"grantee":{
"accountUID":"16d245784350469cbe25229a7c45af22",
"accountName":"oidperson10",
"targetID":"75a23e9f30ba456b961a1f5d327e67ef",
"targetName":"ldap1_target",
"targetDomain":"needtofix",
"targetType":"ldap",
"grantee":"CrossDomainConnectors",
"grantType":"role"
}
},
{
"grantee":{
"accountUID":"3a7f105a1e45407284cd887f8774700d",
"accountName":"openLDAPperson2",
"targetID":"dd9d7a31b39348c79eb23ac46f04d40d",
"targetName":"openldap_2.3_target",
"targetDomain":"needtofix",
"targetType":"ldap",
"grantee":"opamuser2",
"grantType":"user"
}
}
]
}
For attribute definitions, refer to Section B.5, "Target Resource" and Section B.6, "Account Resource."
Use this API to delete a Usage Policy.
Note:
You must be an administrator with the User Manager Admin Role or the Security Administrator Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/usagepolicy/{policyid} |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status 200 |
The APIs described in this section include:
Use this API to retrieve a list of the attributes that are associated with all of the target types.
You can use the list of supported target types, along with these attributes, to create the JSON object required to add a target. Refer to Section B.5.2, "Add a Target" for more information.
|
URI |
https://opam_server_host:opam_ssl_port/opam/target/attributes |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Returns on Success |
Status code 200 and the JSON representation of target types, along with the attributes associated with them. |
https://opam_server_host:opam_ssl_port/opam/target/attributes
Example B-16 JSON Output of Supported Target Types with Attributes
{
"TargetAttributes":[
{
"TargetType":"ldap",
"DisplayName":"ldap",
"BasicAttributes":[
{
"name":"targetName",
"type":"string",
"description":"",
"label":"Target Name",
"mask":"false",
"array":"false",
"required":"true"
},
{
"name":"description",
"type":"string",
"description":"",
"label":"Description",
"mask":"false",
"array":"false",
"required":"false"
},
{
"name":"organization",
"type":"string",
"description":"",
"label":"Organization",
"mask":"false",
"array":"false",
"required":"false"
},
{
"name":"domain",
"type":"string",
"description":"",
"label":"Domain",
"mask":"false",
"array":"false",
"required":"true"
},
{
"name":"host",
"type":"string",
"description":"",
"label":"Host",
"mask":"false",
"array":"false",
"required":"true"
},
{
"name":"port",
"type":"int",
"description":"TCP/IP port number used to communicate with the LDAP server.",
"label":"TCP Port",
"default":"",
"mask":"false",
"array":"false",
"required":"true"
},
{
"name":"ssl",
"type":"boolean",
"description":"Select the check box to connect to the LDAP server using SSL.",
"label":"SSL",
"default":"false",
"mask":"false",
"array":"false",
"required":"true"
},
{
"name":"principal",
"type":"string",
"description":"The distinguished name with which to authenticate
to the LDAP server.",
"label":"Principal",
"default":"",
"mask":"false",
"array":"false",
"required":"true"
},
{
"name":"credentials",
"type":"string",
"description":"Password for the principal.",
"label":"Password",
"default":"",
"mask":"true",
"array":"false",
"required":"true"
},
{
"name":"baseContexts",
"type":"string",
"description":"One or more starting points in the LDAP tree that will be used
when searching the tree. Searches are performed when discovering users from
the LDAP server or when looking for the groups of which a user is a member.",
"label":"Base Contexts",
"default":[
],
"mask":"false",
"array":"true",
"required":"true"
},
{
"name":"accountNameAttribute",
"type":"string",
"description":"Attribute which holds the account's user name.",
"label":"Account User Name Attribute",
"default":"uid",
"mask":"false",
"array":"false",
"required":"true"
}
],
"AdvancedAttributes":[
{
"name":"uidAttribute",
"type":"string",
"description":"The name of the LDAP attribute which is mapped
to the Uid attribute.",
"label":"Uid Attribute",
"default":"uid",
"mask":"false",
"array":"false",
"required":"false"
},
{
"name":"accountSearchFilter",
"type":"string",
"description":"An optional LDAP filter to control which accounts are returned
from the LDAP resource. If no filter is specified, only accounts that include
all specified object classes are returned.",
"label":"LDAP Filter for Retrieving Accounts",
"default":"(uid=*)",
"mask":"false",
"array":"false",
"required":"false"
},
{
"name":"passwordAttribute",
"type":"string",
"description":"The name of the LDAP attribute which holds the password.
When changing an user's password, the new password is set to this attribute.",
"label":"Password Attribute",
"default":"userpassword",
"mask":"false",
"array":"false",
"required":"false"
},
{
"name":"accountObjectClasses",
"type":"string",
"description":"The object class or classes that will be used when
creating new user objects in the LDAP tree. When entering more than one
object class, each entry should be on its own line; do not use commas or
semi-colons to separate multiple object classes. Some object classes
may require that you specify all object classes in the class hierarchy.",
"label":"Account Object Classes",
"default":[
"top",
"person",
"organizationalPerson",
"inetOrgPerson"
],
"mask":"false",
"array":"true",
"required":"false"
}
]
}
]
}
Where:
TargetAttributes is an array of objects, where each object represents a target type.
TargetType is the target type.
DisplayName is how the target type name should display.
BasicAttributes is an array of objects, where each object represents basic attributes for the target type.
AdvancedAttributes is an array of objects, where each object represents advanced attributes for the target type.
name is the attribute name to use when constructing the target JSON to create a target.
type is the attribute type. Acceptable values include string, int, boolean, or lov (list of values).
description is a helpful description of the attribute.
label is how the attribute name should display.
default is a default value for the attribute.
Specify a single value if the array parameter is false or specify an array of values if array is true.
mask hides sensitive values, such as credentials.
Specify true to hide attributes.
Specify false if hiding attributes is not necessary.
array indicates whether the attribute is single-valued or an array of multiple values.
Specify true if the attribute is an array of multiple values.
Specify false if the attribute is single-valued.
required indicates whether the attribute is mandatory or optional.
Specify true for mandatory attributes.
Specify false for optional attributes.
Note:
You must be an administrator with the Security Administrator Admin Role to use this API.
First, you must obtain a list of attributes for the target type as described in Section B.5.1, "Get Target Attributes." You use these attributes to create the JSON object sent in the body.
|
URI |
https://opam_server_host:opam_ssl_port/opam/target |
|---|---|
|
Method |
|
|
Content-Type |
application/json |
|
Body |
JSON representation of target for addition/test |
|
Returns on Success |
Status code 201 Created and Location |
Example B-17 Sample JSON Representation of Target for Addition (ldap TargetType)
{
"target":{
"targetType":"ldap",
"targetName":"ldap1-target",
"host":"opam_server_host",
"passwordpolicy" : "passwordpolicy1",
"domain":"berkeley",
"description":"Ldap target",
"organization":"ST-US",
"credentials":"welcome",
"uidAttribute":"uid",
"port":"9876",
"passwordAttribute":"userpassword",
"principal":"cn=orcladmin",
"accountSearchFilter":"(uid=*)",
"baseContexts":[
"cn=Users,c=US"
],
"ssl":"false",
"accountObjectClasses":[
"top",
"person",
"organizationalPerson",
"inetOrgPerson"
],
"accountNameAttribute":"uid"
}
}
Example B-18 Sample JSON Representation of Target for Addition (database TargetType)
{
"target" : {
"targetType" : "database",
"targetName" : "db1_target",
"passwordpolicy" : "passwordpolicy1",
"passwordrollover" : "true",
"host" : "afg1140282",
"domain" : "adc1140282Domain",
"description" : "Dbase target for the automation",
"connectionProperties" : "",
"dbType" : "Oracle",
"jdbcUrl" : "jdbc:oracle:thin:@afg1140282.us.pk.com:11227:db5474",
"loginPassword" : "welcome1",
"loginUser" : "system"
}
}
Example B-19 Sample JSON Representation of Target for Addition (unix TargetType)
{
"target" : {
"targetType" : "unix",
"targetName" : "BackUpUnixTarget",
"passwordpolicy" : "passwordpolicy1",
"passwordrollover" : "true",
"host" : "adc0345labc.us.mycompany.com",
"domain" : "US",
"description" : "Backup system",
"organization" : "IT",
"port" : "23",
"sudoPasswdExpectExpression" : "password",
"commandTimeout" : "120000",
"passwordExpectExpressions" :
"new[\\s](unix[\\s])?password:,new[\\s](unix[\\s])?password([\\s]again)?:",
"loginShellPrompt" : "$",
"prePasswdExpectExpression" : "None",
"sudoAuthorization" : "false",
"loginUserpassword" : "welcome1",
"loginUser" : "aime2"
}
}
https://opam_server_host:opam_ssl_port/opam/target
/9bbcbbb087174ad1900ea691a2573b61 as the Location.
Where:
target is the target JSON object.
targetName is the name of the target.
targetType is the target type.
passwordpolicy is the Password Policy identifier of the Password Policy applied to the target.
passwordrollover is the flag that indicates whether to enable automatic password recycling for a target's service account.
If you set this flag to true, then Oracle Privileged Account Manager automatically resets the target's service account password based on the settings specified in the Password Policy that applies.
Note:
The passwordrollover flag is currently not supported for ldap or lockbox targets.
All of the other attributes are dynamic and they correspond to the attributes in Section B.5.1, "Get Target Attributes."
Use this API to verify a target.
Note:
First, you must obtain a list of attributes for the target type. Refer to Section B.5.1, "Get Target Attributes," to create the JSON object to be sent in the body.
|
URI |
https://opam_server_host:opam_ssl_port/opam/target/test |
|---|---|
|
Method |
|
|
Content-Type |
application/json |
|
Body |
JSON representation of target for addition/test |
|
Returns on Success |
Status code 200 |
Example B-20 Sample JSON Representation of Target for Addition/Verification
{
"target":{
"targetType":"ldap",
"targetName":"ldap1-target",
"host":"opam_server_host",
"passwordpolicy" : "passwordpolicy1",
"domain":"berkeley",
"description":"Ldap target",
"organization":"ST-US",
"credentials":"welcome",
"uidAttribute":"uid",
"port":"9876",
"passwordAttribute":"userpassword",
"principal":"cn=orcladmin",
"accountSearchFilter":"(uid=*)",
"baseContexts":[
"cn=Users,c=US"
],
"ssl":"false",
"accountObjectClasses":[
"top",
"person",
"organizationalPerson",
"inetOrgPerson"
],
"accountNameAttribute":"uid"
}
}
Where:
target is the target JSON object.
targetName is the name of the target.
targetType is the target type.
passwordpolicy is the Password Policy identifier of the Password Policy applied to the target.
All of the other attributes are dynamic and they correspond to the attributes in Section B.5.1, "Get Target Attributes."
Use this API to retrieve a target.
|
URI |
https://opam_server_host:opam_ssl_port/opam/target/{targetUID} |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of target |
Example B-21 Sample JSON Representation of Target (ldap Target Type)
{
"target":{
"targetUID":"9bbcbbb087174ad1900ea691a2573b61",
"targetType":"ldap",
"targetName":"ldap1-target",
"host":"opam_server_host",
"domain":"berkeley",
"description":"Ldap target",
"organization":"ST-US",
"credentials":"welcome",
"uidAttribute":"uid",
"port":"9876",
"passwordAttribute":"userpassword",
"principal":"cn=orcladmin",
"accountSearchFilter":"(uid=*)",
"baseContexts":[
"cn=Users,c=US"
],
"ssl":"false",
"accountObjectClasses":[
"top",
"person",
"organizationalPerson",
"inetOrgPerson"
],
"accountNameAttribute":"uid",
}
}
Example B-22 Sample JSON Representation of Target (database Target Type)
{
"target" : {
"targetUID" : "62bcfb98f95d4966ab0ff9a44717a20a",
"targetType" : "database",
"targetName" : "db1_target",
"passwordpolicy" : "passwordpolicy1",
"passwordrollover" : "true",
"host" : "afg1140282",
"domain" : "adc1140282Domain",
"description" : "Dbase target for the automation",
"connectionProperties" : "",
"dbType" : "Oracle",
"jdbcUrl" : "jdbc:oracle:thin:@afg1140282.us.pk.com:11227:db5474",
"loginPassword" : "welcome1",
"loginUser" : "system"
}
}
Example B-23 Sample JSON Representation of Target (unix Target Type)
{
"target" : {
"targetUID" : "a00075b4b7bb453c9482d02535989b53",
"targetType" : "unix",
"targetName" : "unix1-target",
"passwordpolicy" : "passwordpolicy1",
"passwordrollover" : "true",
"host" : "adc0345labc.us.mycompany.com",
"domain" : "US",
"description" : "Backup system",
"organization" : "IT",
"port" : "23",
"sudoPasswdExpectExpression" : "password",
"commandTimeout" : "120000",
"passwordExpectExpressions" :
"new[\\s](unix[\\s])?password:,new[\\s](unix[\\s])?password([\\s]again)?:",
"loginShellPrompt" : "$",
"prePasswdExpectExpression" : "None",
"sudoAuthorization" : "false",
"loginUserpassword" : "welcome1",
"loginUser" : "aime2"
}
}
Where:
target is the target JSON object.
targetUID is the target's unique identifier.
targetName is the name of the target.
targetType is target type.
passwordrollover is the flag that indicates whether to enable automatic password recycling for a target's service account.
If you set this flag to true, then Oracle Privileged Account Manager automatically resets the target's service account password based on the settings specified in the Password Policy that applies.
Note:
The passwordrollover flag is currently not supported for ldap or lockbox targets.
All of the other attributes are dynamic and they correspond to the attributes in Section B.5.1, "Get Target Attributes."
Use this API to update a target.
Note:
You must be an administrator with the Security Administrator Admin Role to use this API.
You can change all of the attributes, except targetType and targetUID, and you can change multiple attributes at a time.
|
URI |
https://opam_server_host:opam_ssl_port/opam/target/{targetUID} |
|---|---|
|
Method |
|
|
Content-Type |
application/json |
|
Body |
JSON representation of Target Modification |
|
Returns on Success |
Status code 200 |
Example B-24 Sample JSON Object to Modify Target
"modifications":[
{
"modification":{
"host":"opam_server_host"
}
},
{
"modification":{
"port":"6000"
}
}
]
}
Where:
targetUID is the target's unique identifier.
modifications is an array of modification JSON objects.
modification is a JSON object representing the modification of a single attribute.
Use this API to delete a target.
Note:
You must be an administrator with the Security Administrator Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/target/{targetUID} |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 |
Use this API to search for a target using any of the following request parameters:
type
name
hostname
domain
description
org
All of these parameters are optional.
Note:
You must be an administrator with the User Manager Admin Role, Security Administrator Admin Role, or Security Auditor Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/target/search?param1=value1¶m2=value2 |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of Target Collection |
|
https://opam_server_host:opam_ssl_port/opam/target/search? |
Returns all targets |
|---|---|
|
https://opam_server_host:opam_ssl_port/opam/target/search?type=ldap&org=us |
Returns all targets whose type contains |
Example B-25 Sample JSON Representation of Target Collection
{
"Target Collection":[
{
"target":{
"uri":"https:\/\/opam_server_host:opam_ssl_port\/opam\/target\
/9bbcbbb087174ad1900ea691a2573b61",
"type":"ldap",
"name":"person1-ldap",
"host":"opam_server_host",
"domain":"berkeley"
"description" : "Ldap target"
}
},
{
"target":{
"uri":"https:\/\/opam_server_host:opam_ssl_port\/opam\/target\
/ac246a162ce948c7b1cdcc17dfc92c15",
"type":"ldap",
"name":"person1-ldap2",
"host":"opam_server_host:opam_ssl_port",
"domain":"berkeley"
"description" : "Ldap target"
}
}
]
}
Where:
Target Collection is an array of target JSON objects.
target is the target JSON object.
uri is the target resource URI.
type is the target type.
hostname is the target's host name.
name is the target name.
org is the target's organization.
domain is the target's domain.
description is a description of the target system.
Use this API to retrieve all of the accounts present on the target system.
Note:
You must be an administrator with the Security Administrator Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/target/{targetUID}/availableaccounts |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 OK and JSON representation of account collection |
Example B-26 Sample JSON Representation of Account Collection
{
"AvailableAccounts":[
{
"accountName":"SCOTT",
"accountUid":"SCOTT"
},
{
"accountName":"BLAKE",
"accountUid":"BLAKE "
},
{
"accountName":"JONES",
"accountUid":"JONES"
}
]
}
Where:
AvailableAccounts is an array of the accounts present on the target system.
accountName is the account name.
accountUID is the account's unique identifier.
Use this API to retrieve all the accounts on the target that are registered with Oracle Privileged Account Manager.
Note:
You must be an administrator with the User Manager Admin Role, Security Administrator Admin Role, or Security Auditor Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/target/{targetUID}/accounts |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of URI collection of accounts |
Example B-27 Sample JSON Representation of URI Collection of Accounts
{
"URI Collection":[
{
"account":{
"uri":"https:\/\/opam_server_host:opam_ssl_port\/opam\/account\
/3740553e999a4f6aa8e8f9286d320cb4",
"accountName":"sherlock"
}
},
{
"account":{
"uri":"https:\/\/opam_server_host:opam_ssl_port\/opam\/account\
/c11066278022489aad758aec69d9727d",
"accountName":"root"
}
}
]
}
Where:
URI Collection is an array of accounts on a target that are registered with Oracle Privileged Account Manager.
account is the account JSON object.
uri is the account's URI.
accountName is the account name.
Use this API to retrieve a list of all supported target types.
|
URI |
https://opam_server_host:opam_ssl_port/opam/target/types |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of supported target types |
Example B-28 Sample JSON Representation of Supported Target Types
{
"targettypes":[
"ldap",
"unix",
"database",
"lockbox"
]
}
Where:
targettypes are the supported target types.
Use this API to reset the password on the target's service account.
Note:
You must be an administrator with the Security Administrator Admin Role to use this API.
Refer to Chapter 7, "Working with Service Accounts" for information about service accounts.
|
URI |
https://opam_server_host:opam_ssl_port/opam/target/{targetUID}/resetpassword |
|---|---|
|
Method |
|
|
Content-Type |
application/json |
|
Body |
|
|
Returns on Success |
Status code 200 |
Example B-29 Sample JSON Representation of the New Password
{
"password":"welcome1"
}
or
{
"autogen":"true"
}
Where:
targetUID is the target's unique identifier.
password is the password to assign to the service account.
autogen is the flag that controls whether to automatically generate the password or not. (Default is false.)
Use this API to retrieve and display the service account password.
Note:
You must be an administrator with the Security Administrator Admin Role to use this API.
Refer to Chapter 7, "Working with Service Accounts" for information about service accounts.
|
URI |
https://opam_server_host:opam_ssl_port/opam/target/{targetUID}/showpassword |
|---|---|
|
Method |
|
|
Content-Type |
application/json |
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of service account |
Example B-30 Sample JSON Representation of Account Token
{
"serviceAccount" : {
"targetName" : "APILDAP",
"targetUID" : "ad3163bfb37b4544a4c12ae06a39c2d9",
"targetAccount" : "cn=admin",
"targetPassword" : "welcome1",
"targetPasswordChangeTime" : " 2013-01-27 02:58:13.259"
}
}
Where:
targetUID is the target's unique identifier.
targetName is the name of the target.
targetAccount is the service account on the target.
targetPassword is the service account password.
targetPasswordChangeTime is the time when the password was modified.
Note:
This API has been deprecated. Oracle recommends that you use the Show Service Account Password API in Section B.5.12, "Show Service Account Password."
Use this API to retrieve and display the service account password.
Note:
You must be an administrator with the Security Administrator Admin Role to use this API.
Refer to Chapter 7, "Working with Service Accounts" for information about service accounts.
|
URI |
https://opam_server_host:opam_ssl_port/opam/target/{targetUID}/showpassword |
|---|---|
|
Method |
|
|
Content-Type |
application/json |
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of service account |
Example B-31 Sample JSON Representation of Account Token
{
"serviceAccount" : {
"targetName" : "APILDAP",
"targetUID" : "ad3163bfb37b4544a4c12ae06a39c2d9",
"targetAccount" : "cn=admin",
"targetPassword" : "welcome1",
"targetPasswordChangeTime" : " 2013-01-27 02:58:13.259"
}
}
Where:
targetUID is the target's unique identifier.
targetName is the name of the target.
targetAccount is the service account on the target.
targetPassword is the service account password.
targetPasswordChangeTime is the time when the password was modified.
Use this API to retrieve and display the service account password history.
Note:
You must be an administrator with the Security Administrator Admin Role to use this API.
Refer to Chapter 7, "Working with Service Accounts" for information about service accounts.
|
URI |
https://opam_server_host:opam_ssl_port/opam/target/{targetUID}/showpasswordhistory |
|---|---|
|
Method |
|
|
Content-Type |
application/json |
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of service account |
Example B-32 Sample JSON Representation of Target Token
{
"targetToken": {
"targetName": "SessionMgr_Target",
"targetUID": "d5ac79483c2a4641adb97f2e72b17f28",
"passwordHistory": [
{
"targetPassword": "welcome1",
"modificationTime": "1383078344"
},
{
"targetPassword": "4PkVerh7",
"modificationTime": "1383078329"
},
{
"targetPassword": "l9yAigqj",
"modificationTime": "1383078314"
},
{
"targetPassword": "welcome1",
"modificationTime": "1383010874"
}
]
}
}
Where:
targetUID is the target's unique identifier.
targetName is the name of the target.
passwordHistory is the service account password history.
targetPassword is the service account password.
modificationTime (UTC time in seconds) is the time when the password was modified.
Password history results are sorted by modification time, where the most recent results will be at the top.
The APIs described in this section include:
Use this API to add an account to the target. This API does not create an account on the target system, but it registers the existing account with the Oracle Privileged Account Manager target.
Note:
You must never use the same account as the service account and as a privileged account to be managed by Oracle Privileged Account Manager.
You must be an administrator with the Security Administrator Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/account |
|---|---|
|
Method |
|
|
Content-Type |
application/json |
|
Body |
JSON representation for account addition/verification |
|
Returns on Success |
Status code 201 and Location |
Example B-33 Sample JSON Representation of Account for Addition/Verification
{
"account":{
"accountName":"admin",
"description" : "maintenance account on the machine",
"password" : "welcome1",
"passwordpolicy":"passwordpolicy2",
"shared":"true",
"targetUID":"9bbcbbb087174ad1900ea691a2573b61"
}
}
Where:
account is the account JSON object.
accountName is the name of the account.
description is a description of the account. This attribute is optional.
password is the account password. This attribute is optional.
passwordpolicy is the policy ID of the Password Policy applicable to the account. This parameter is optional. By default, this parameters uses the global Default Password Policy.
shared indicates the shared status of the account. This value is a Boolean and the default setting is false.
targetUID is the target's unique identifier.
Use this API to get the applicable Usage Policy for an account.
|
URI |
https://opam_server_host:opam_ssl_port/opam/account/ |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Returns on Success |
Status code 200 and JSON representation of the Usage Policy |
Example B-34 Sample JSON Representation of the Usage Policy
{"usagepolicy":
{
"policyid":"bafd53072bbb442db185dca18bd00e69",
"policyname":"usage_policy_anytime"
}
}
Where:
usagepolicy is the Usage Policy JSON object.
policyid is the Usage Policy's unique identifier.
policyname is a name of the policy
Use this API to grant a user or role access to an account. Multiple users and roles can be granted the access at a time.
Note:
You must be an administrator with the User Manager Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/account/{accountUID} |
|---|---|
|
Method |
|
|
Content-Type |
application/json |
|
Body |
JSON representation for adding grantees |
|
Returns on Success |
Status code 200 |
Example B-35 Sample JSON Representation for Adding Grantees
{
"modifications":[
{
"modification":{
"usagepolicy":"usagepolicy1",
"role":"opamgroup1",
"operation":"add"
}
},
{
"modification":{
"usagepolicy":"usagepolicy1",
"user":"opamuser1",
"operation":"add"
}
}
]
}
Where:
accountUID is the account's unique identifier.
modifications are an array of modification JSON objects.
modification is a JSON object representing the modification of a single attribute.
role indicates that a group has to be granted an access. This parameter value is the group name.
user indicates that a user has to be granted an access. This parameter value is the user login id.
usagepolicy indicates the Usage Policy identifier to be applied to the grant.
operation indicates the type of operation to be performed. Acceptable values include:
add indicates grant.
delete indicates revocation.
replace indicates replacement of usagepolicy with a new value.
Use this API to add a CSF map-key to an account or remove the map-key from an account. You can add or remove multiple map-keys at a time.
Note:
You must be an administrator with the Security Administrator Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/account/{accountUID} |
|---|---|
|
Method |
|
|
Content-Type |
application/json |
|
Body |
JSON representation for adding keymaps |
|
Returns on Success |
Status code 200 |
Example B-36 Sample JSON Representation for Map-Keys Addition/Removal
{
"modifications": [
{
"modification": {
"keymap": "[app1][sd45kjlf4g][t3://localhost:7001][weblogic][password]",
"operation": "add"
}
},
{
"modification": {
"keymap": "[hrmap][hrkey2][t3://localhost7001][weblogic][password]",
"operation": "delete"
}
}
]
}
Where:
accountUID is the account's unique identifier.
modifications is an array of modification JSON objects.
modification is a JSON object representing the modification of a single attribute.
keymap is the map-key to be added or removed. The map-key must be in the following format:
[csfmap][csfkey][Administration Server Url][username][password]
operation indicates the type of operation to be performed. Acceptable values include:
add indicates addition of map-key.
delete indicates removal of map-key.
Use this API to search accounts using one or more of the following search request parameters:
type
domain
description
name
accountname
All of these parameters are optional.
Note:
You must be an administrator with the User Manager Admin Role or the Security Administrator Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/account/search? |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of account collection |
Example B-37 Sample JSON Representation of Account Collection
{
"AccountCollection" : [
{
"account" : {
"shared" : false,
"passwordchangetime" : 1383072107,
"targetUID" : "eadd96486e9a47b79bd23cf1167bd2b2",
"domain" : "needtofix",
"targetName" : "sunds_6.3_target",
"targetType" : "ldap",
"accountlevelstatus" : "checkedIn",
"description" : "",
"accountName" : "dsperson1",
"uri" : "https://localhost:7002/opam/account/35e2709edf0443edae8f67727d937bec",
"accountUID" : "35e2709edf0443edae8f67727d937bec"
}
},
{
"account" : {
"shared" : false,
"passwordchangetime" : 1383072107,
"targetUID" : "eadd96486e9a47b79bd23cf1167bd2b2",
"domain" : "needtofix",
"targetName" : "sunds_6.3_target",
"targetType" : "ldap",
"accountlevelstatus" : "checkedIn",
"description" : "",
"accountName" : "dsperson10",
"uri" : "https://localhost:7002/opam/account/0a1ee2cb17e345cdb537a2f05e11e93c",
"accountUID" : "0a1ee2cb17e345cdb537a2f05e11e93c"
}
}
],
"count" : 2
}
Where:
account is the account JSON object.
shared indicates the shared status of the account. This value is a Boolean and the default setting is false.
accountlevelstatus indicates whether the account has been checked in by anyone. Acceptable values are checkedIn and checkedOut.
description is a description of the account. This attribute is optional.
accountName is the name of the account.
accountUID is the account's unique identifier.
passwordchangetime is the time when the password was modified.
For all other attribute definitions, refer to Section B.5, "Target Resource."
Use this API to search assigned accounts using one or more of the following search request parameters:
type
domain
description
name
accountname
All of these parameters are optional.
|
URI |
https://opam_server_host:opam_ssl_port/opam/account/myaccounts/search? |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of account collection |
Example B-38 Sample JSON Representation of Account Collection
{
"AccountCollection": [
{
"account": {
"uri": "https://myhost:7002/opam/account/b0e7ae053afb45658da4e3a0453bffec",
"accountUID": "b0e7ae053afb45658da4e3a0453bffec",
"accountName": "dduck",
"description": "",
"targetUID": "6e9721709c874c5897d7ea52071f0aac",
"targetName": "unix1-target",
"targetType": "unix",
"domain": "US"
}
}
],
"count": 1
}
Where:
account is the account JSON object.
accountUID is the account's unique identifier.
accountName is the name of the account.
description is a description of the account. This attribute is optional.
For all other attribute definitions, refer to Section B.5, "Target Resource."
Use this API to retrieve an account.
|
URI |
https://opam_server_host:opam_ssl_port/opam/account/{accountUID} |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of account |
Example B-39 Sample JSON Representation of Account
{
"account":{
"accountUID":"3f74a85e39e64432ba917a2e60fa15aa",
"targetUID":"9bbcbbb087174ad1900ea691a2573b61",
"accountName":"admin",
"shared":true,
"accountlevelstatus":"checkedIn",
"passwordpolicy":"passwordpolicy2",
"protocol": "ssh",
"port": 22
}
}
Where:
account is the account JSON object.
accountUID is the account's unique identifier.
accountName is the name of the account.
passwordpolicy is the policy ID of the Password Policy applicable to the account.
shared indicates the shared status of the account. This value is a Boolean and the default setting is false.
targetUID is target's unique identifier.
accountlevelstatus indicates whether the account has been checked in by anyone. Acceptable values are checkedIn and checkedOut.
protocol is the protocol used to connect to the Oracle Privileged Session Manager server.
port is the port used to connect to the Oracle Privileged Session Manager server.
Use this API to retrieve all the grantees of an account. A grantee can be a user or a role.
Note:
You must be an administrator with the User Manager Admin Role or the Security Administrator Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/account/{accountUID}/grantees |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of Grantees |
Example B-40 Sample JSON Representation of Grantees
{
"grantees":{
"users":[
"opamuser1"
],
"roles":[
"opamgroup1"
]
}
}
Where:
grantees are grantees of the account.
users are the users who have been granted the account. Each value is the user's login ID/UID.
roles are the groups or roles who have been granted the account. Each value is a group name.
Use this API to retrieve a list of all users who have currently checked out an account.
Note:
You must be an administrator with the User Manager Admin Role or the Security Administrator Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/account/{accountUID}/whocheckedout |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of users who checked out the account. |
Example B-41 Sample JSON Representation of Users Who Checked Out the Account
{
"users": [
{
"user": {
"uid": "user_manager",
"expiryTime": "1382147587",
"checkoutTime": "1381715587",
"checkoutUID": "f499b76719ba4d0aa30487e58316def3",
"checkoutType": "password",
"transcriptURL": ""
}
},
{
"user": {
"uid": "user_manager",
"expiryTime": "1382147587",
"checkoutTime": "1381715587",
"checkoutUID": "f499b76719ba4d0aa30487e58316def3",
"checkoutType": "session",
"transcriptURL": "https://myhost:7002/opam/checkout/dee8383184664ddfa09f454d0a9a023d/
transcript"
}
}
]
}
Where:
transcriptURL is the URL you use to access the session transcript.
checkoutType indicates whether the checkout was a session checkout or a password checkout.
checkoutUID is the unique ID for the checkout.
Use this API to check out an account.
|
URI |
https://opam_server_host:opam_ssl_port/opam/account/{accountUID}/checkout |
|---|---|
|
Method |
|
|
Content-Type |
application/json |
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of account token |
Example B-42 Sample JSON Representation of Account Token
{
"accountToken":{
"accountName":"admin",
"accountUID":"3f74a85e39e64432ba917a2e60fa15aa",
"accountPassword":"GJN8p2ol"
}
}
Where:
accountUID is the account's unique identifier.
accountName is the name of the account.
accountpassword is the account password.
Use this API to retrieve a list of all accounts that have been checked out by the logged in user.
|
URI |
https://opam_server_host:opam_ssl_port/opam/account/mycheckouts |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of account collection |
Example B-43 Sample JSON Representation of Account Collection
{
"Checkouts": [
{
"uri": "https://myhost:7002/opam/account/b0e7ae053afb45658da4e3a0453bffec",
"accountUID": "b0e7ae053afb45658da4e3a0453bffec",
"accountName": "dduck",
"status": "checkedOut",
"targetUID": "6e9721709c874c5897d7ea52071f0aac",
"targetName": "unix1-target",
"targetType": "unix",
"domain": "US",
"expiryTime": "1371945854",
"checkoutUID": "b97b2de6a80b40c48f873067027ac476",
"checkoutType": "session",
"transcriptURL": "https://myhost:7002/opam/account/checkout/b97b2de6a80b40c48f873067027ac476/
transcript"
},
{
"uri": "https://myhost:7002/opam/account/b0e7ae053afb45658da4e3a0453bffec",
"accountUID": "b0e7ae053afb45658da4e3a0453bffec",
"accountName": "dduck",
"status": "checkedOut",
"targetUID": "6e9721709c874c5897d7ea52071f0aac",
"targetName": "unix1-target",
"targetType": "unix",
"domain": "US",
"expiryTime": "1371940624",
"checkoutUID": "bf43672ffd3a43018cdfde9b78bf1691",
"checkoutType": "password",
"transcriptURL": ""
}
]
}
Where:
accountUID is the account's unique identifier.
accountName is the name of the account.
checkoutUID is the unique ID for the checkout.
checkoutType indicates whether the checkout was a session checkout or a password checkout.
transcriptURL is the URL to access the session transcript.
For all other attribute definitions, refer to Section B.5, "Target Resource."
Use this API to get information to help you perform a session checkout.
Note:
For more information about password and session checkouts, refer to Section 8.5, "Checking Out Privileged Accounts" and Section 8.5.2, "Checking Out Privileged Account Sessions."
|
URI |
https://opam_server_host:opam_ssl_port/opam/account/{accountUID}/checkout/ |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of output |
Example B-44 Sample JSON Representation of Session Checkout Instructions
{
"sessionCheckoutInstructions": {
"accountName": "dduck",
"targetName": "bkottaha-unix",
"port": 1222,
"instruction": "ssh -p <port> <opamuser>:<targetname>:<accountname>@
<sessionmgrhost>\n Use opam password on password prompt"
}
}
Where:
accountName is the name of the account.
targetName is the name of the target.
port is the port that Session Manager listens to for connections.
instruction is the information required to perform a session checkout.
Use this API to search for an account's checkout history using one or more of the following parameters:
from: Specify start time in seconds (UTC) (required).
to: Specify end time in seconds (UTC) (required).
uid: Specify the userID (optional).
pattern: Specify the command that was executed or a term in the log (optional).
size: Specify the number of array elements to be returned (optional).
Use the from and to parameters to specify the time period in which the checkouts were running.
Note:
You must be an administrator with the User Manager or Security Administrator Admin Role to access this query.
|
URI |
https://opam_server_host:opam_ssl_port/opam/account/{accountUID}/checkouts/ |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of output |
https://myhost:7002/opam/account/8d9e9ce750da4aedac3ffbea0d28a73a/checkouts/historical/search?from=123&to=1372893007&size=2&pattern=ls
Example B-45 Sample JSON Representation of Account Checkout History
{
"checkouts": [
{
"checkout": {
"accountName": "dduck",
"targetName": "unix1-target",
"uid": "user_manager",
"starttime": "1372883311",
"endtime": "1372883323",
"checkoutUID": "9c3c5d687d414a57b7dbda0692c9b06d ",
"checkoutType": "session",
"transcriptURL": "https://myhost:7002/opam/checkout/9c3c5d687d414a57b7dbda0692c9b06d/transcript"
}
},
{
"checkout": {
"accountName": "dduck",
"targetName": "unix1-target",
"uid": "user_manager",
"starttime": "1372812996",
"endtime": "1372813007",
"checkoutUID": "60f253f7c8a941309d64fe88787f90ee ",
"checkoutType": "password",
"transcriptURL": ""
}
}
],
"totalcount": 3,
"returncount": 2
}
Where:
transcriptURL is the URL you use to access the session transcript.
checkoutType indicates whether the checkout was a session checkout or a password checkout.
checkoutUID is the unique ID for the checkout.
totalcount is the number of actual search results.
returncount is the number of search results that were actually returned (determined by size).
For all other attribute definitions, refer to Section B.6, "Account Resource."
Use this API to search for the checkout history of all accounts, using one or more of the following parameters:
from: Specify start time in seconds (UTC) (required).
to: Specify end time in seconds (UTC) (required).
targetname: Specify the name of a target on which to search (optional).
accountname: Specify the name of an account to search (optional).
uid: Specify the userID (optional).
pattern: Specify the command that was executed or a term in the log (optional).
size: Specify the number of array elements to be returned (optional).
Use the from and to parameters to specify the time period in which the checkouts were running.
Note:
You must be an administrator with the Security Auditor Admin Role to access this query.
|
URI |
https://opam_server_host:opam_ssl_port/opam/checkout/historical/search?param1=val1 |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of output |
https://myhost:7002/opam/checkout/historical/search?from=123&to=
1472816146&size=2&pattern=ls&accountname=a&targetname=h&uid=u
Example B-46 Sample JSON Representation of Checkout History
{
"checkouts": [
{
"checkout": {
"accountName": "dduck",
"targetName": "unix1-target",
"uid": "user_manager",
"starttime": "1372883311",
"endtime": "1372883323",
"checkoutUID": "9c3c5d687d414a57b7dbda0692c9b06d ",
"checkoutType": "session",
"transcriptURL": "https://myhost:7002/opam/checkout/9c3c5d687d414a57b7dbda0692c9b06d/transcript"
}
},
{
"session": {
"accountName": "mmouse",
"targetName": "unix1-target",
"uid": "user_manager",
"starttime": "1372880658",
"endtime": "1372880667",
"checkoutUID": "8d2a99d2b34a4e3297b051fb4028652f ",
"checkoutType": "password",
"transcriptURL": ""
}
}
],
"totalcount": 4,
"returncount": 2
}
Where:
transcriptURL is the URL you use to access the session transcript.
checkoutType indicates whether the checkout was a session checkout or a password checkout.
checkoutUID is the unique ID for the checkout.
totalcount is the number of actual search results.
returncount is the number of search results that were actually returned (determined by size).
For all other attribute definitions, refer to Section B.6, "Account Resource."
Use this API to check in an account.
A checkout can be a password checkout or session checkout. You can individually check in each checkout by using its checkoutUID or you can check in all of the checkouts for an account. (In this publication, the term "account checkout" generally refers to the latter case.)
Note:
To do a force-check in, you must be an administrator with the User Manager Admin Role.
|
URI |
https://opam_server_host:opam_ssl_port/opam/account/{accountUID}/checkin |
|---|---|
|
Method |
|
|
Content-Type |
application/json |
|
Body |
|
|
Returns on Success |
Status code 200 |
Sample JSON Representations of Account Check Ins
The following examples illustrate different types of Force Check Ins
Example B-47, "Self Check In a Password or Session Checkout"
Example B-48, "Force Account Check In (Both Password and Session) for All Users"
Example B-49, "Force Account Check In (Both Password and Session) for a Single User"
Example B-47 Self Check In a Password or Session Checkout
{
"checkoutUID":"9c3c5d687d414a57b7dbda0692c9b06d"
}
Example B-49 Force Account Check In (Both Password and Session) for a Single User
{
"force" : "true",
"userid" : "person1"
}
Example B-50 Force Check In a Password or Session
{
"force" : "true",
"checkoutUID" : "9c3c5d687d414a57b7dbda0692c9b06d",
}
Note:
If you want to perform an account check in (for both password or session), you do not have to provide any content in the JSON body.
Where:
force is a flag that indicates a force check-in. (Default is false.)
userid is the user who is to be force-checked in. (Default is to force-check in all users that have checked out the account.)
checkoutUID is the unique identifier for a checkout.
Use this API to verify whether the account is present on the target system.
|
URI |
https://opam_server_host:opam_ssl_port/opam/account/test |
|---|---|
|
Method |
|
|
Content-Type |
application/json |
|
Body |
JSON representation for account addition/verification |
|
Returns on Success |
Status code 200 |
Example B-51 Sample JSON Representation of Account Addition/Verification
{
"account":{
"accountName":"admin",
"description" : "maintenance account on the machine"
"password" : "welcome1"
"passwordpolicy":"passwordpolicy2",
"shared":"true",
"targetUID":"9bbcbbb087174ad1900ea691a2573b61"
}
}
Where:
account is the account JSON object.
accountName is the name of the account.
description is a description of the account. This attribute is optional.
password is the account password. This attribute is optional.
passwordpolicy is the policy ID of the Password Policy applicable to the account. This parameter is optional. By default, this parameters uses the global Default Password Policy.
shared indicates the shared status of the account. This value is a Boolean and the default setting is false.
targetUID is the target's unique identifier.
Use this API to update an account. You can change multiple attributes at a time. Only passwordpolicy, description, and shared attributes can be updated.
Note:
You must be an administrator with the Security Administrator Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/account/{accountUID} |
|---|---|
|
Method |
|
|
Content-Type |
application/json |
|
Body |
JSON representation of account modifications |
|
Returns on Success |
Status code 200 |
Example B-52 Sample JSON Representation of Account Modifications
{
"modifications":[
{
"modification":{
"passwordpolicy":"passwordpolicy2"
}
},
{
"modification":{
"shared":"false"
}
}
}
}
Where:
accountUID is the account's unique identifier.
modifications are an array of modification JSON objects.
modification is a JSON object representing the modification of a single attribute.
Use this API to remove an account.
Note:
You must be an administrator with the Security Administrator Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/account/{accountUID |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 |
Where:
accountUID is the account's unique identifier.
Use this API to remove a user's access or a role's access to an account. You can revoke multiple user and role grants at a time.
Note:
You must be an administrator with the User Manager Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/account/{accountUID} |
|---|---|
|
Method |
|
|
Content-Type |
application/json |
|
Body |
JSON representation for removing grantees |
|
Returns on Success |
Status code 200 |
Example B-53 Sample JSON Representation for Removing Grantees
{
"modifications":[
{
"modification":{
"usagepolicy":"usagepolicy1",
"role":"opamgroup1",
"operation":"delete"
}
},
{
"modification":{
"usagepolicy":"usagepolicy1",
"user":"opamuser1",
"operation":"delete"
}
}
]
}
Where:
accountUID is the account's unique identifier.
modifications are an array of modification JSON objects.
modification is a JSON object representing a single modification.
role indicates that a group has to be granted an access. This parameter value is the group name.
user indicates that a user has to be granted an access. This parameter value is the user login id.
usagepolicy indicates the Usage Policy identifier to be applied to the grant.
operation indicates the type of operation to be performed. Acceptable values include:
add indicates a grant.
delete indicates a revocation.
replace indicates the replacement of the usagepolicy with a new value.
Use this API to retrieve and display the password associated with an account.
Note:
You must be an administrator with the Security Administrator Admin Role or you must have checked out the account to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/account/{accountUID}/showpassword |
|---|---|
|
Method |
|
|
Content-Type |
application/json |
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of account token |
Example B-54 Sample JSON Representation of Account Token
{
"accountToken":{
"accountName":"admin",
"accountUID":"3f74a85e39e64432ba917a2e60fa15aa",
"accountPassword":"GJN8p2ol"
}
}
Where:
accountUID is the account's unique identifier.
accountName is the name of the account.
accountPassword is the account password.
Note:
This API has been deprecated. Oracle recommends that you use the Show Password API in Section B.6.20, "Show Password."
Use this API to retrieve and display the password associated with an account.
Note:
You must be an administrator with the Security Administrator Admin Role or you must have checked out the account to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/account/{accountUID}/showpassword |
|---|---|
|
Method |
|
|
Content-Type |
application/json |
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of account token |
Example B-55 Sample JSON Representation of Account Token
{
"accountToken":{
"accountName":"admin",
"accountUID":"3f74a85e39e64432ba917a2e60fa15aa",
"accountPassword":"GJN8p2ol"
}
}
Where:
accountUID is the account's unique identifier.
accountName is the name of the account.
accountPassword is the account password.
Use this API to retrieve and display the password history associated with an account.
Note:
You must be an administrator with the Security Administrator Admin Role or you must have checked out the account to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/account/{accountUID}/showpasswordhistory |
|---|---|
|
Method |
|
|
Content-Type |
application/json |
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of account token |
Example B-56 Sample JSON Representation of Account Token
{
"accountName": "opamuser1",
"accountUID": "c1b054ed0f984e27bd68b8c28b985801",
"passwordHistory": [
{
"accountPassword": "M7aGfNOR",
"modificationTime": "1382996686"
},
{
"accountPassword": "Dr3z5AGa",
"modificationTime": "1382996412"
}
]
}
Where:
accountUID is the account's unique identifier.
accountName is the name of the account.
passwordHistory is the account password history.
accountPassword is the account password.
modificationTime is the time (in UTC seconds) when the password was modified.
Note:
This API has been deprecated. Oracle recommends that you use the Show Password History API in Section B.6.22, "Show Password History."
Use this API to retrieve and display the password history associated with an account.
Note:
You must be an administrator with the Security Administrator Admin Role or you must have checked out the account to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/account/{accountUID}/showpasswordhistory |
|---|---|
|
Method |
|
|
Content-Type |
application/json |
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of account token |
Example B-57 Sample JSON Representation of Account Token
{
"accountName":"admin",
"accountUID":"3f74a85e39e64432ba917a2e60fa15aa",
"passwordHistory": [{
"accountPassword": "Ud2fykRx",
"modificationTime": "2013-01-27 19:36:32.952"
}, {
"accountPassword": "jgs21Z8w",
"modificationTime": "2013-01-27 19:37:02.449"
}, {
"accountPassword": "I3jDRaZb",
"modificationTime": "2013-01-27 19:37:19.488"
}, {
"accountPassword": "5VfKaYZT",
"modificationTime": "2013-01-28 00:22:37.331"
}]
}
Where:
accountUID is the account's unique identifier.
accountName is the name of the account.
passwordHistory is the account password history.
accountPassword is the account password.
modificationTime is the time when the password was modified.
Use this API to reset the password on the account.
Note:
You must be an administrator with the Security Administrator Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/account/{accountUID}/resetpassword |
|---|---|
|
Method |
|
|
Content-Type |
application/json |
|
Body |
JSON representation of the new password |
|
Returns on Success |
Status code 200 |
Example B-58 Sample JSON Representation of the New Password
{
"password":"welcome1"
}
Or,
{
"autogen":"true"
}
Where:
accountUID is the account's unique identifier.
password is the password assigned to the account.
autogen is the a flag that controls whether to generate a password automatically or not. (Default is false.)
The APIs described in this section include:
Note:
This API has been deprecated. Oracle recommends that you use the Search Accounts API in Section B.6, "Account Resource."
Use this API to search accounts using one or more of the following search request parameters:
type
domain
description
name
accountname
All of these parameters are optional.
Note:
You must be an administrator with the User Manager Admin Role or the Security Administrator Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/ui/allaccounts/search?param1=val1¶m2=val2 |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of account collection |
Example B-59 Sample JSON Representation of Account Collection
{
"AccountCollection" : [
{
"account" : {
"shared" : false,
"targetUID" : "eadd96486e9a47b79bd23cf1167bd2b2",
"domain" : "needtofix",
"targetName" : "sunds_6.3_target",
"targetType" : "ldap",
"accountlevelstatus" : "checkedIn",
"description" : "",
"accountName" : "dsperson1",
"uri" : "https://localhost:7002/opam/account/35e2709edf0443edae8f67727d937bec",
"accountUID" : "35e2709edf0443edae8f67727d937bec"
}
},
{
"account" : {
"shared" : false,
"targetUID" : "eadd96486e9a47b79bd23cf1167bd2b2",
"domain" : "needtofix",
"targetName" : "sunds_6.3_target",
"targetType" : "ldap",
"accountlevelstatus" : "checkedIn",
"description" : "",
"accountName" : "dsperson10",
"uri" : "https://localhost:7002/opam/account/0a1ee2cb17e345cdb537a2f05e11e93c",
"accountUID" : "0a1ee2cb17e345cdb537a2f05e11e93c"
}
}
],
"count" : 2
}
For all other attribute definitions, refer to Section B.5, "Target Resource" and Section B.6, "Account Resource."
Note:
This API has been deprecated. Oracle recommends that you use the Search Assigned Accounts API in Section B.6, "Account Resource."
Use this API to search assigned accounts using one or more of the following search request parameters:
type
domain
description
name
accountname
All of these parameters are optional.
|
URI |
https://opam_server_host:opam_ssl_port/opam/ui/myaccounts/search?param1= |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of account collection |
Example B-60 Sample JSON Representation of Account Collection
{
"AccountCollection" : [
{
"account" : {
"status" : "checkedIn",
"shared" : false,
"targetUID" : "b7af920f673149f5b0f66da28fdf8253",
"domain" : "needtofix",
"targetName" : "ldap1_target",
"targetType" : "ldap",
"accountlevelstatus" : "checkedIn",
"description" : "",
"accountName" : "person1",
"uri" : "https://localhost:7002/opam/account/0d755f646bcf4fa08ca515ed3829aadf",
"accountUID" : "0d755f646bcf4fa08ca515ed3829aadf"
}
},
{
"account" : {
"status" : "checkedIn",
"shared" : false,
"targetUID" : "b7af920f673149f5b0f66da28fdf8253",
"domain" : "needtofix",
"targetName" : "ldap1_target",
"targetType" : "ldap",
"accountlevelstatus" : "checkedIn",
"description" : "",
"accountName" : "person2",
"uri" : "https://localhost:7002/opam/account/62c684c3821f4e118790e815ee881e02",
"accountUID" : "62c684c3821f4e118790e815ee881e02"
}
}
],
"count" : 2
}
Where:
status indicates whether the requesting user has checked out the account or not.
For all other attribute definitions, refer to Section B.5, "Target Resource" and Section B.6, "Account Resource."
Note:
This API has been deprecated. Oracle recommends that you use the Get All Checked Out Accounts API in Section B.6, "Account Resource."
Use this API to retrieve a list of all accounts that have been checked out by the logged in user.
|
URI |
https://opam_server_host:opam_ssl_port/ui/allaccounts/mycheckedout |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of account collection |
Example B-61 Sample JSON Representation of Account Collection
{
"AccountCollection":[
{
"account":{
"uri":"https:\/\/opam_server_host:opam_ssl_port\/opam\/account\
/3740553e999a4f6aa8e8f9286d320cb4",
"accountUID":"3740553e999a4f6aa8e8f9286d320cb4",
"accountName":"sherlock",
"status":"checkedOut",
"targetUID":"9bbcbbb087174ad1900ea691a2573b61",
"targetName":"ldap1-target",
"targetType":"ldap",
"domain":"berkeley",
"expiryTime":1338765551,
},
"count":1
}
]
}
For attribute definitions, refer to Section B.5, "Target Resource" and Section B.6, "Account Resource."
The APIs described in this section include:
Use this API to retrieve a user.
Note:
You must be an administrator with the User Manager Admin Role or the Security Administrator Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/user/{uid} |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of user |
Example B-62 Sample JSON Representation of User
{
"user":{
"uid":"opamuser1",
"lastname":"opamuser1",
"usertype":"End-User",
"opamrole":[
],
"dn":"uid=opamuser1,ou=people,ou=myrealm,dc=base_domain",
}
}
Where:
uid is the login ID of the user.
lastname is the last name of the user.
firstname is the first name of the user.
dn is the distinguished name of the user.
usertype indicates whether the user has an Administrative Role.
opamrole is the user's Admin Role.
Use this API to retrieve all of the accounts granted to a user.
Note:
You must be an administrator with the User Manager Admin Role or the Security Administrator Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/user/{uid}/accounts |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of accounts collection |
Example B-63 Sample JSON Representation of Accounts Collection
{
"accounts":[
{
"account":{
"accountUID":"16d245784350469cbe25229a7c45af22",
"accountName":"oidperson10",
"targetID":"75a23e9f30ba456b961a1f5d327e67ef",
"targetName":"ldap1_target",
"targetDomain":"needtofix",
"targetType":"ldap"
}
},
{
"account":{
"accountUID":"47671a7a4ebc44c496888aac5423dad1",
"accountName":"oudperson11",
"targetID":"488d6d656b2c4b96a5fd835c131b4c00",
"targetName":"oud_11.115_target",
"targetDomain":"needtofix",
"targetType":"ldap"
}
}
]
}
For attribute definitions, refer to Section B.5, "Target Resource" and Section B.6, "Account Resource."
Use this API to search for users. This API searches for the searchKeyWord in firstname, lastname, uid, and mail of the user.
Note:
You must be an administrator with the User Manager Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/user/search/{searchKeyWord} |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status 200 and JSON representation of users |
Example B-64 Sample JSON Representation of Users
{
"users":[
{
"user":{
"uid":"opamenduser1",
"firstname":"opamenduser1",
"lastname":"opamenduser1",
"dn":"uid=opamenduser1,ou=people,ou=myrealm,dc=base_domain"
}
},
{
"user":{
"uid":"opamenduser2",
"lastname":"opamenduser2",
"dn":"uid=opamenduser2,ou=people,ou=myrealm,dc=base_domain"
}
},
{
"user":{
"uid":"opamuser1",
"lastname":"opamuser1",
"dn":"uid=opamuser1,ou=people,ou=myrealm,dc=base_domain"
}
}
]
}
For attribute definitions, refer to Section B.8.1, "Get a User."
Use this API to search for users. This API is contains a search with the uid parameter.
The uid parameter is optional.
Note:
You must be an administrator with the User Manager Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/user/advancedsearch?param1=val1¶m2=val2 |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status 200 and JSON representation of users |
Example B-65 Sample JSON Representation of Users
{
"users":[
{
"user":{
"uid":"OracleSystemUser",
"lastname":"OracleSystemUser",
"dn":"uid=OracleSystemUser,ou=people,ou=myrealm,dc=base_domain"
}
},
{
"user":{
"uid":"weblogic",
}
},
{
"user":{
"uid":"app_config",
"lastname":"app_config",
"dn":"uid=app_config,ou=people,ou=myrealm,dc=base_domain"
}
},
{
"user":{
"uid":"sec_admin",
"lastname":"sec_admin",
"dn":"uid=sec_admin,ou=people,ou=myrealm,dc=base_domain"
}
},
{
"user":{
"uid":"user_manager",
"lastname":"user_manager",
"dn":"uid=user_manager,ou=people,ou=myrealm,dc=base_domain"
}
},
{
"user":{
"uid":"sec_auditor",
"lastname":"sec_auditor",
"dn":"uid=sec_auditor,ou=people,ou=myrealm,dc=base_domain"
}
},
{
"user":{
"uid":"opamenduser1",
"firstname":"opamenduser1",
"lastname":"opamenduser1",
"dn":"uid=opamenduser1,ou=people,ou=myrealm,dc=base_domain"
}
},
{
"user":{
"uid":"opamenduser2",
"lastname":"opamenduser2",
"dn":"uid=opamenduser2,ou=people,ou=myrealm,dc=base_domain"
}
},
{
"user":{
"uid":"opamuser1",
"lastname":"opamuser1",
"dn":"uid=opamuser1,ou=people,ou=myrealm,dc=base_domain"
}
}
]
}
For attribute definitions, refer to Section B.8.1, "Get a User."
The APIs described in this section include:
Use this API to retrieve a group.
Note:
You must be an administrator with the User Manager Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/group/{name} |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of group |
Example B-66 Sample JSON Representation of Group
{
"group":{
"name":"opamgroup1",
"dn":"cn=opamgroup1,ou=groups,ou=myrealm,dc=base_domain",
"description":"",
}
}
Where:
name is the name of the group.
dn is the distinguished name of the group.
description is a description of the group.
Use this API to retrieve the user members of a group.
Note:
You must be an administrator with the User Manager Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/group/{name}/users |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of user collection |
Example B-67 Sample JSON Representation of User Collection
{
"users":[
{
"user":{
"uid":"master_user",
"lastname":"master_user",
"dn":"uid=master_user,ou=people,ou=myrealm,dc=base_domain"
}
},
{
"user":{
"uid":"sec_admin",
"lastname":"sec_admin",
"dn":"uid=sec_admin,ou=people,ou=myrealm,dc=base_domain"
}
}
]
}
For attribute definitions, refer to Section B.8.1, "Get a User."
Use this API to retrieve the group members of a group.
Note:
You must be an administrator with the User Manager Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/group/{name}/groups |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of group collection |
Example B-68 Sample JSON Representation of Group Collection
{
"groups":[
{
"group":{
"name":"CrossDomainConnectors",
"description":"CrossDomainConnectors can make inter-domain calls from foreign domains."
}
},
{
"group":{
"name":"Deployers",
"description":"Deployers can view all resource attributes and deploy applications."
}
}
]
}
For attribute definitions, refer to Section B.9.1, "Get Group."
Use this API to retrieve the all of the accounts granted to a group.
Note:
You must be an administrator with the User Manager Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/group/{name}/accounts |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of accounts collection |
Example B-69 Sample JSON Representation of Accounts Collection
{
"accounts":[
{
"account":{
"accountUID":"16d245784350469cbe25229a7c45af22",
"accountName":"oidperson10",
"targetID":"75a23e9f30ba456b961a1f5d327e67ef",
"targetName":"ldap1_target",
"targetDomain":"needtofix",
"targetType":"ldap"
}
},
{
"account":{
"accountUID":"47671a7a4ebc44c496888aac5423dad1",
"accountName":"oudperson11",
"targetID":"488d6d656b2c4b96a5fd835c131b4c00",
"targetName":"oud_11.115_target",
"targetDomain":"needtofix",
"targetType":"ldap"
}
}
]
}
For attribute definitions, refer to Section B.5, "Target Resource" and Section B.6, "Account Resource."
Use this API to search for groups. This API searches for the searchKeyWord in the group names.
Note:
You must be an administrator with the User Manager Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/group/search/{searchKeyWord} |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status 200 and JSON representation of groups |
Example B-70 Sample JSON Representation of Groups
{
"groups":[
{
"group":{
"name":"opamgroup1",
"description":"",
}
},
{
"group":{
"name":"opamgroup2",
"description":"",
}
},
{
"group":{
"name":"opamsubgroup1",
"description":"",
}
},
{
"group":{
"name":"opamsubgroup2",
"description":"",
}
},
{
"group":{
"name":"OPAM_APPLICATION_CONFIGURATOR",
"description":"OPAM_APPLICATION_CONFIGURATOR",
}
},
{
"group":{
"name":"OPAM_SECURITY_ADMIN",
"description":"OPAM_SECURITY_ADMIN",
}
},
{
"group":{
"name":"OPAM_SECURITY_AUDITOR",
"description":"OPAM_SECURITY_AUDITOR",
}
},
{
"group":{
"name":"OPAM_USER_MANAGER",
"description":"OPAM_USER_MANAGER",
}
}
]
}
For attribute definitions, refer to Section B.9.1, "Get Group."
Use this API to search for groups who have been assigned an account. The request parameter is groupname, which is optional.
Note:
You must be an administrator with the User Manager Admin Role to use this API.
|
URI |
https://opam_server_host:opam_ssl_port/opam/group/advancedsearch?param1=val1¶m2=val2 |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status 200 and JSON representation of groups |
Example B-71 Sample JSON Representation of Groups
{
"groups":[
{
"group":{
"name":"opamgroup1",
"description":"",
}
},
{
"group":{
"name":"opamgroup2",
"description":"",
}
},
{
"group":{
"name":"opamsubgroup1",
"description":"",
}
},
{
"group":{
"name":"opamsubgroup2",
"description":"",
}
},
{
"group":{
"name":"OPAM_APPLICATION_CONFIGURATOR",
"description":"OPAM_APPLICATION_CONFIGURATOR",
}
},
{
"group":{
"name":"OPAM_SECURITY_ADMIN",
"description":"OPAM_SECURITY_ADMIN",
}
},
{
"group":{
"name":"OPAM_SECURITY_AUDITOR",
"description":"OPAM_SECURITY_AUDITOR",
}
},
{
"group":{
"name":"OPAM_USER_MANAGER",
"description":"OPAM_USER_MANAGER",
}
}
]
}
For attribute definitions, refer to Section B.9.1, "Get Group."
The APIs described in this section include:
Use this API to add a plug-in configuration.
|
URI |
https://opam_server_host:opam_ssl_port/opam/plugin |
|---|---|
|
Method |
|
|
Content-Type |
application/json |
|
Body |
JSON representation of plug-in |
|
Returns on Success |
Status code 201 and Location |
|
Returns on Error |
Example B-72 Sample JSON Representation of Plug-In Configuration Creation
{
"plugin": {
"pluginName":"sampleplugin"
"pluginDescription":"Sample Plugin"
"pluginEnabled": "true"
"pluginResource":"account"
"pluginOperation":"checkout"
"pluginTiming":"post"
"pluginOrder":"10"
"pluginClassName":"EmailNotifyPlugin"
"pluginClassPath":"/u01/plugins/emailplugin.jar"
"pluginEnableGroup":["hrgroup", "itgroup"]
"pluginEnableUser":["admin"]
"pluginEnableResult":"200"
"pluginVersion":"1.0.0"
"pluginFlexSecFields":[
{
"pluginFlexSecField": {
"attrname":"notificationemail"
"attrvalue":"abc@abc.com"
}
}
]
}
}
https://opam_server_host:opam_ssl_port/opam/plugin/9bbcbbb087174ad1900ea691a2573b61
Use this API to validate a plug-in configuration, which includes
Testing the uniqueness of the pluginName
Testing the uniqueness of the pluginResource, pluginOperation, pluginOrder combination
Validating attributes and allowed values
Validating the loading of pluginClassName using the pluginClassPath
|
URI |
https://opam_server_host:opam_ssl_port/opam/plugin/test |
|---|---|
|
Method |
|
|
Content-Type |
application/json |
|
Body |
JSON representation of plug-in |
|
Returns on Success |
Status code 200 |
|
Returns on Error |
Example B-73 Sample JSON Representation of Plug-In Configuration for Verification
{
"plugin": {
"pluginUID":"9bbcbbb087174ad1900ea691a2573b61"
"pluginName":"sampleplugin"
"pluginDescription":"Sample Plugin"
"pluginEnabled": "true"
"pluginResource":"account"
"pluginOperation":"checkout"
"pluginTiming":"post"
"pluginOrder":"10"
"pluginClassName":"EmailNotifyPlugin"
"pluginClassPath":"/u01/plugins/emailplugin.jar"
"pluginEnableGroup":["hrgroup", "itgroup"]
"pluginEnableUser":["admin"]
"pluginEnableResult":"200"
"pluginVersion":"1.0.0"
"pluginFlexSecFields":[
{
"pluginFlexSecField": {
"attrname":"notificationemail"
"attrvalue":"abc@abc.com"
}
}
]
}
}
Use this API, with any of the following parameters, to search for plug-in configurations:
Name
Description
Enabled
Resource
Operation
Timing
|
URI |
https://opam_server_host:opam_ssl_port/opam/plugin |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of plug-in collection |
https://opam_server_host:opam_ssl_port/opam/plugin
/search?name=email&enabled=true&timing=post
Example B-74 Sample JSON Representation of Plug-In Collection
{"pluginCollection": [
{"plugin": {
"pluginUID":"9bbcbbb087174ad1900ea691a2573b61"
"pluginDescription":"Sample Plugin"
"pluginName":"sampleplugin"
"pluginEnabled": "true"
"pluginResource":"account"
"pluginOperation":"checkout"
"pluginTiming":"post"
"pluginOrder":"10"
"pluginClassName":"EmailNotifyPlugin"
"pluginClassPath":"/u01/plugins/emailplugin.jar"
"pluginEnableGroup":["hrgroup", "itgroup"]
"pluginEnableUser":["admin"]
"pluginEnableResult":"200"
"pluginVersion":"1.0.0"
"pluginFlexSecFields":[
{
"pluginFlexSecField": {
"attrname":"notificationemail"
"attrvalue":"abc@abc.com"
}
}
]
}}
]
}
Use this API to retrieve a plug-in configuration.
|
URI |
https://opam_server_host:opam_ssl_port/opam/plugin |
|---|---|
|
Method |
|
|
Content-Type |
|
|
Body |
|
|
Returns on Success |
Status code 200 and JSON representation of a plug-in |
Example B-75 Sample JSON Representation of Plug-In
{
"plugin": {
"pluginUID":"9bbcbbb087174ad1900ea691a2573b61"
"pluginName":"sampleplugin"
"pluginDescription":"Sample Plugin"
"pluginEnabled": "true"
"pluginResource":"account"
"pluginOperation":"checkout"
"pluginTiming":"post"
"pluginOrder":"10"
"pluginClassName":"EmailNotifyPlugin"
"pluginClassPath":"/u01/plugins/emailplugin.jar"
"pluginEnableGroup":["hrgroup", "itgroup"]
"pluginEnableUser":["admin"]
"pluginEnableResult":"200"
"pluginVersion":"1.0.0"
"pluginFlexSecFields":[
{
"pluginFlexSecField": {
"attrname":"notificationemail"
"attrvalue":"abc@abc.com"
}
}
]
}
}
Use this API to update a plug-in configuration.
|
URI |
https://opam_server_host:opam_ssl_port/opam/plugin/{pluginUID} |
|---|---|
|
Method |
|
|
Content-Type |
application/json |
|
Body |
JSON representation of a plug-in modification |
|
Returns on Success |
Status code 200 |