Access Policy and Process Task

Hi,
I created "access policies" to provision resources when a user is associated with a role with the name of this resource.
When I manually assign the role, the access policy works properly and the resource is provisioned.
When the role is assigned through a process task, the access policy does not work properly and the resource is not created.
Why does this happen?
How can I make the process task trigger the access policy when assigning the role?
TKS
Edited by: raraujo on Oct 15, 2012 3:36 AM

Better assign Role using group membership rule. Also, can you check if role is assigned using process task, is it getting assigned to user properly?
Which OIM are you using? If it's 11.1.1.5 then apply BP03 patch or BP04 patch.
regards,
GP

Similar Messages

  • In Cisco IronPort WSA, what is the difference of an Access Policy, and an Identity?

    Hi Everyone,
    I am currently setting up a custom access for a particular subnet.
    What I did is to create a new identity for them, then allowed only specific URL categories for them. Note that the subnet is already allowed to access the internet through Global access policy.
    What will be the difference if I rather created a new Access Policy for the subnet?
    And technically, what's the difference of an Access Policy and an Identity?

    This was not my question. I asked if using the Marginal in Printing will you have a frame around the image?
    I think you're confused about which thread you are posting to.  "Wully bully" started this thread by asking about identify plates and watermarks, and I replied to Wully bully's post.
    Nevertheless, your question too about printing is best asked in the main LR forum, not here.

  • ISE Admin Menu Access Policy and Network Resources

    Hello Board,
    Does someone experience the same issue as me, if using an Admin Menu Access Policy?
    First of all, I'm using the latest ISE release (1.1.3.124 with patch 1).
    I created a custom Administrator Menu Access Policy (Admin Access -> Authorization -> Permissions -> Menu Access).
    But basically I allowed (show) all menu items.
    Then I bind this permission profile to an Admin Authorization Policy
    Everything works very well, but I have issues, if I want to administer "Network Resources", if I'm using this admin menu access
    - In "Network Devices", there is no Menu bar (no "add", "delete" or "edit" button)
    - In "Network Device Groups", there is just the folder "Groups" on the left side, but there is no way to create anything or navigate into the groups
    I'm not quite sure if this is a configuration fault on my side or just some kind of bug.
    By the way - I'm using the latest firefox.

    As far as I know everything seems fine to me from the configuration side. You can try downgrading the ISE version to 1.1.2 patch 5 and also try changing the browser which might help.

  • Access Policy and Resources -11gR2

    Hi all,
    I have created an Access policy in 11gR2, it's working fine and as per requirement the Resource is getting provisioned / revoked properly.
    In 11gR1, resources provisioned through the Access policy used to be displayed / listed in the User's Resources tab. In 11gR2 the resources provisioned by Access Policy are not being displayed / listed under the Accounts tab. Is it the default behavior of 11gR2, or some bug? Or do I need to make any configurations to have it displayed here?
    Regards

    Nothing special has to be done to show it under the Accounts tab. Have you created an 'Application Instance' for the Resource? You have to create an Application Instance and run the 'catalog sync' job. Once the Application Instance is provisioned to the user, it will be available under the Accounts tab.
    Follow 11gr2 doc for creating application instance
    http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/resmgt.htm#CBBFAIEC

  • Fair Access Policy and Ipod...I Need Help!!

    I am having such trouble getting videos to download to my iPod. I use Direcway for my internet service and they have some policy that only allows a certain amount of download time (169mg in 4hrs?) called Fair Access Policy..it's a bunch of crap if you ask me..http://www.copperhead.cc/fap.htm
    So anyhow..I have been trying to download the first part of Lost for 5 days now and it gets almost to the end and I get an error code -39 and it stops everything. I don't know what else to do. I called Direcway and they said to download a download messenger?? Does something like this work with iPod?
    Also, I have purchased songs that are in line for download and I can't get them to download cause I can't get them past the Lost download...
    I really don't know what to do..
    Does anyone know how to stop the start of Lost so I can get the songs that are in line??
    Thanks and I hope this wasn't too confusing..
    Kathy

    First you will need to install iTunes if you have not already.
    Second, to reset the iPod back to factory settings you will need to connect the iPod to the computer then open iTunes. In iTunes select the iPod and go to the Summary tab which should be the first one to open. Below the Check for Update button click on Restore. This will reset the iPod back to factory settings so you can start fresh.

  • OIM 11g R2 - AD provisioning based on Role and Access Policy

    Hi, for Active Directory integration I used a prepopulation plugin for populating the resource form (based on http://fusionsecurity.blogspot.sk/2013/01/populating-request-attributes-in-oim.html).
    It works fine - the requested account was fully provisioned.
    Can I use this plugin for Role based provisioning?
    I tried to create an access policy and associated role, but when I attached the role to the user and ran the Evaluate User Policies Job, the account couldn't be provisioned.
    In diagnostic.log I found.....
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Immediate consequences are returned with event - InitiatePolicyEvaluationAndProvisioning
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Next Waiting child process is ..........6380 sync = false
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] First Waiting child process is ..........6380
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Kernel executing default validation with process id, event id, entity and operation 6,380.0.Resource.ACCESS_POLICY_BASED_PROVISION
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Kernel completed the child orchestration - 6380.6379
    [oracle.iam.platform.kernel.dao] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Inserting records for orchestration cleanup
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Completed orchestration with action result - 113

    Hi, all
    I tried to fill in the Access policy Process Form. The account request was created and provisioned when the fields AD Server and Organization Name were filled in, but the pre-population plugin didn't fire.
    The question is.... How can I use a pre-population plugin for populating the request dataset used with a request generated by an access policy....
    Is it possible to use plugins for requests generated based on access policy?
    a.

  • How to prepopulate child process form in access policy

    Hi,
    I have different groups in access policy and corresponding to each group we have different roles. This group and role mapping is stored in a lookup. I have to fetch the value from the lookup to the process form child table according to the group assigned.
    Please suggest how to do this.
    Thanks in Advance.

    I had similar requirement like yours in my previous project. Check the code below and modify the same to suit your requirement.
    import java.util.HashMap;
    import java.util.Map;
    import Thor.API.tcResultSet;
    import Thor.API.tcUtilityFactory;
    import Thor.API.Operations.tcFormInstanceOperationsIntf;
    import Thor.API.Operations.tcLookupOperationsIntf;
    import com.thortech.xl.dataaccess.tcDataProvider;

    // Method of an adapter class; "logger" is a logger field of that class.
    public void AddProcessChildData(long pKey, tcDataProvider tcdp, String lookupName, String Role, String childTableCoulmnName) throws Exception {
        try {
            if (Role.trim().length() != 0) {
                tcLookupOperationsIntf lookupIntf = (tcLookupOperationsIntf) tcUtilityFactory.getUtility(tcdp, "Thor.API.Operations.tcLookupOperationsIntf");
                tcFormInstanceOperationsIntf f = (tcFormInstanceOperationsIntf) tcUtilityFactory.getUtility(tcdp, "Thor.API.Operations.tcFormInstanceOperationsIntf");
                // Lookup entries whose encoded value matches the role
                tcResultSet lookupRes = lookupIntf.getLookupValuesForEncoded(lookupName, Role);
                // Child form definition of this process instance; the key is read from the current (first) row
                tcResultSet childFormDef = f.getChildFormDefinition(f.getProcessFormDefinitionKey(pKey), f.getProcessFormVersion(pKey));
                long childKey = childFormDef.getLongValue("Structure Utility.Child Tables.Child Key");
                logger.info("Child Key::" + childKey);
                Map attrChildData = new HashMap();
                logger.info("No of Rows::" + lookupRes.getRowCount());
                for (int i = 0; i < lookupRes.getRowCount(); i++) {
                    lookupRes.goToRow(i);
                    String Decoded = lookupRes.getStringValue("Lookup Definition.Lookup Code Information.Decode").trim();
                    logger.info("Decoded Value::" + Decoded);
                    attrChildData.put(childTableCoulmnName, Decoded);
                    // One child table row per matching lookup entry
                    f.addProcessFormChildData(childKey, pKey, attrChildData);
                }
            } else {
                logger.info("User does not have any role. Can not add Child Data");
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

  • OIM iPlanet Resource revoked using access policy

    Hi,
    I had created a group and access policy based upon which I tried to provision an iPlanet resource to a user.
    For this I had created a UDF (say type with value C) and created a rule based on which the user is assigned to a group, say business, and also the iPlanet resource is provisioned to the user.
    As I edit the profile and clear the UDF, the user is removed from the group and also the iPlanet resource is revoked. (In Access Policy: revoked if no longer applied)
    I am able to do this task successfully, but if the iPlanet resource is already allocated to the user and I update the UDF (value C), the user is assigned to the group and iPlanet is already assigned to the user (multiple resource UNTICK). Now if I update the UDF again (meaning clear it), the user is removed from the group but the iPlanet resource is not revoked from the user......
    Can somebody tell me why it is happening??? Whether it's a bug in OIM or I am missing something...
    Thanks
    Anil

    If I understand your requirement correctly, when you change the value in process form edit from C to other, the iPlanet resource is getting revoked.
    But when you change the same value from user profile edit, the iPlanet resource is not getting revoked, right?
    As per my knowledge I can say, when you update the value for the UDF in the user profile, you can use triggers USR.TRIGGERS which will update the process form. In this case your process form will get updated by default.
    This in turn triggers the access policy and revokes the resource.
    Hope this helps you

  • Provision to target system via access policy

    I am attempting to provision to Active Directory via an access policy and membership rule in OIM11gR2. I have a couple of different issues associated with this process.
    First, I have a membership rule that works fine. All members of a certain organization are automatically assigned a certain role. My access policy is set to provision an AD account to any member that is assigned the same role from the membership rule. This access policy does not seem to get triggered. The access policy is set to run with no approval, retrofit access policy is enabled, and it is set as priority 1 with "revoke if no longer applies" checked. It is also assigned the Active Directory Users process form. I cannot determine why this access policy is not being triggered to provision the role members to AD. I have manually run the Evaluate Users Policies several times with no effect.
    I believe this may be happening because the default prepopulate adapters are not working or are not configured correctly. The 5 mandatory fields each have a prepopulate adapter assigned to them with the Default rule. Correct me if I am wrong, but I believe the mandatory fields are user id, first name, last name, common name, and user principal name? The Org name and IT Resource are set as static values within the access policy. Can anyone assist me in determining (1) why the access policy is not working and (2) why the prepopulate adapters such as ADIDC Populate Form Field for User ID and ADIDC Prepopulate UserPrincipalName for User Principal Name are not working? Is there additional configuration that must take place with these out-of-the-box adapters so they know which values to populate?

    Just verify whether the following are checked in the AD process Defn:
    Auto Save Form
    This check box is used to designate whether Oracle Identity Manager should suppress display of the custom form associated with this provisioning process or display it and allow a user to supply it with data each time the process is instantiated. If you select this check box, it designates that Oracle Identity Manager should automatically save the data in the custom process form without first displaying the form. If you select this checkbox, you must supply either system-defined data or ensure that an adapter is configured to populate the form with the required data (since the user will not be able to access the form). If you clear this check box, it designates that Oracle Identity Manager should display the custom process form and allow users to enter data into its fields.
    Auto Pre-Populate
    This check box designates whether the fields of a custom form that:
    Are associated with the process
    Contain fields that have pre-populated adapters attached to them
    Also, while running "Evaluate User Policy", clear the old time stamp and populate it with the current time. Sometimes I have seen people make this mistake.
    ~J

  • 8.0.6-119 on S160 can no longer see past the second access policy

    We upgraded an S160 to 8.0.6-119 today and now the appliance is not authenticating groups beyond restricted internet and information technology.  For example Access Policy #6 is called Marketing.  It has access to Streaming Media and Social Media (like youtube, facebook, twitter).  They are the marketing department that needs this access to do their job.  The identity policy is authenticated_users but it keeps falling under the last access policy "Global Access Policy" which results in request blocked based on URL category.
    I just don't get it.  Authenticated Users is selected to windows realm which the wsa joined to the domain and has 3 DC's and a CDA virtual appliance tied to it.  I don't see that being the issue because the policy trace correctly brings back all AD groups the user is tied to.  The scheme is Use Kerberos or NTLMSSP.  
    Next under access policies there are 14 of them before the global policy.  They are all authenticated users and pointed to the proper active directory groups.  Marketing is 6 out of 14 (not counting the non-numbered Global Policy at the bottom).
    So what could the issue be?

    I opened a case with TAC but have not heard back.  However it seems things are working now.  Perhaps they contacted in and corrected an issue but haven't had the chance to tell me what they did.  I have remote access enabled for Cisco TAC.
    Now when I do the policy trace, it actually applies the Marketing access policy, and AVC actually sees this is Facebook General (Facebook) in this case. Before I think it said none for everything and access policy was global.

  • Server does not support setting more than 5 shared access policy identifiers on a single container

    Hi,
    I upload a video file to a new Asset. I then attempt to create a streaming URL by creating an Access Policy and then a Locator, which I use to generate the URL used for streaming. This works great. Until the 6th time you execute that code against the same Asset. Then you receive this error:
    "Server does not support setting more than 5 shared access policy identifiers on a single container."
    So, that's fine. I don't need to create a new AccessPolicy every time, I can reuse the one I've created previously, build a Locator using that same policy. However, even then, I get the error about 5 shared access policies on a single container.
    Is this a limitation of the media service? Or am I missing something?
    Following is the code I used for this:
    if (AssetId != "")
    {
        // Existing asset: look it up and reuse the access policy whose name matches the asset name
        inputAsset = (from a in _context.Assets
                      where a.Id == AssetId
                      select a).FirstOrDefault();
        policy = (from a in _context.AccessPolicies where a.Name == inputAsset.Name select a).FirstOrDefault();
        var assetFile = inputAsset.AssetFiles.Create(Path.GetFileName(singleFilePath));
        // A SAS locator is created for the upload and deleted afterwards
        var locator = _context.Locators.CreateLocator(LocatorType.Sas, inputAsset, policy);
        assetFile.Upload(singleFilePath);
        locator.Delete();
        MediaElement media = new MediaElement();
        media.AssetId = inputAsset.Id;
        media.Title = Path.GetFileName(singleFilePath);
        var result = Save(media, singleFilePath);
        return inputAsset;
    }
    else
    {
        // New asset: create it together with a 30-day access policy named after the asset
        inputAsset = _context.Assets.Create(User.Identity.Name, AssetCreationOptions.None);
        policy = _context.AccessPolicies.Create(
                     inputAsset.Name,
                     TimeSpan.FromDays(30),
                     AccessPermissions.Write | AccessPermissions.List
                     | AccessPermissions.Read | AccessPermissions.Delete);
        var assetFile = inputAsset.AssetFiles.Create(Path.GetFileName(singleFilePath));
        var locator = _context.Locators.CreateLocator(LocatorType.Sas, inputAsset, policy);
        assetFile.Upload(singleFilePath);
        // Both the locator and the policy are deleted after the upload in this branch
        locator.Delete();
        policy.Delete();
        MediaElement media = new MediaElement();
        media.AssetId = inputAsset.Id;
        media.Title = Path.GetFileName(singleFilePath);
        var result = Save(media, singleFilePath);
        return inputAsset;
    }

    Hi,
    I found some information related to Stored Access Policy, Shared Access Signatures; please check if it helps.
    Regards,
    Shirisha Paderu.

  • Dependent process task is not triggering - OIM 11.1.2

    Hi All,
    In 'AD User' process definition, I have added a process task 'send email' which will send a e-mail notification on User profile location change.
    I made it a dependent task of 'Change AD OU' (process defined by me, triggers when user profile location is changed).
    Test performed
    1) changed User profile location attribute from identity self service.
    Test Result
    1) User profile Location is  updated.
    2) 'Change AD OU' process task is triggered and executed successfully. And process task returned success and the status value is 'C'
    3) Dependent task 'send email' is not triggered.
    Verified following
    1) both process task are made unconditional.
    Please help me in knowing, why the dependent task is not being triggered.
    Thanks in advance
    Praveen

    Hi Rajiv,
    Thanks for reply.
    I configured it according the link provided.
    Now facing below issue.
    When I changed the first name of a user from the identity console, the 'Change First Name' process task is triggered and is assigned to XELSYSADM (coz, in the assignment tab I added only XELSYSADM). But the status of the process task is Rejected. Also, the changed 'First Name' value is not updated in the process form of the user. Hence the change is not reflected into AD.
    Please tell me why the status is Rejected and changes are not reflecting.
    Also, Please provide the solution to auto provision the modifications into AD.
    Thanks in Advance.

  • Is it possible to delete an Access Policy on OIM 11gR2?

    Hello,
    Is it possible to delete an Access Policy on OIM 11gR2?
    I have created an Access Policy and associated it with a Role.
    But now, due to changes, this Role should not trigger an Access Policy anymore.
    I haven't found a way to disassociate the Access Policy from the Role nor a way to delete the unnecessary Access Policy.
    Thanks,
    Adriano.

    Hi,
    As far as I know, deleting an access policy is not possible. One solution would be you can create a dummy role which you will never use and remove your existing role from the access policy and assign this dummy role to the policy and save it. That should stop the auto triggering.
    Thanks,
    $id

  • How to protect both access (http and https) with a Policy Agent

    Hi,
    During the installation of a web Policy Agent (i.e. Policy Agent for IIS) we have to choose the protocol (and port) of the web server we want to protect.
    If we have an IIS with secure (https) and non secure (http) applications, how we manage this scenario with the policy agent?
    Regards,

    Hi,
    Finally, I have installed the agent in IIS5 on the non-secure port (http) and in fact it detects both kinds of access (http and https) fine.
    The problem now is that if I try to access a non-secure URL ( http://mynonsecureapp.com ) all works fine, the agent redirects to https://myaccessmanager.com:443/amserver/UI/Login?goto=http://mynonsecureapp.com but when I try to access a secure URL ( https://mysecureapp.com ) the agent tries to redirect me to: https://myaccessmanager.com:443/amserver/UI/Login?goto=http://mysecureapp.com (notice that the agent removes the 's' in the url).
    The amAgent log file shows:
    +2008-07-17 09:44:08.296MaxDebug 656:d8f6b0 PolicyAgent: am_web_is_notification(), https://sigcit.agp.gva.es:443/fullcitriweb is not notification url http://sigcit.agp.gva.es:80/amagent/UpdateAgentCacheServlet?shortcircuit=false.+
    +2008-07-17 09:44:08.296 Warning 656:d8f6b0 PolicyAgent: OnPreprocHeaders(): Access Manager Cookie not found.+
    +2008-07-17 09:44:08.296 Debug 656:d8f6b0 PolicyAgent: am_web_is_access_allowed(): url 'https://sigcit.agp.gva.es:443/fullcitriweb' path_info ''.+
    +2008-07-17 09:44:08.296MaxDebug 656:d8f6b0 PolicyAgent: am_web_is_access_allowed(): processing url http://sigcit.agp.gva.es:80/fullcitriweb.+
    +2008-07-17 09:44:08.296 Debug 656:d8f6b0 PolicyAgent: am_web_is_access_allowed(): client_ip 172.27.65.62 not found in client ip not enforced list+
    Any ideas?
    Regards,
    Edited by: idm_oceanic on Jul 17, 2008 1:33 AM
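
The check below is an added example, not part of the original post or of the Policy Agent itself: it scans amAgent debug lines in the layout quoted above and reports every request that arrived as https but was evaluated by the agent as http, which is the rewrite behind the http:// goto value the poster describes. The host app.example.test, the sample lines and the function name find_scheme_rewrites are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Line layout as quoted in the post (the "+" wrappers are forum markup):
#   <date> <time><level> <pid:thread> PolicyAgent: <function>(): <message>.
LINE_RE = re.compile(
    r"^\+?(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s*(?P<level>[A-Za-z]+)\s+"
    r"(?P<thread>\S+)\s+PolicyAgent:\s+(?P<func>\w+)\(\):\s+(?P<msg>.*)$"
)
RECEIVED_RE = re.compile(r"url '(?P<url>[^']+)'")          # URL as the web server saw it
PROCESSING_RE = re.compile(r"processing url (?P<url>\S+)")  # URL the agent evaluates

# Constructed sample input (not taken from a real system).
SAMPLE_LOG = [
    "+2008-07-17 09:44:08.296 Debug 656:d8f6b0 PolicyAgent: am_web_is_access_allowed(): "
    "url 'https://app.example.test:443/portal' path_info ''.+",
    "+2008-07-17 09:44:08.296MaxDebug 656:d8f6b0 PolicyAgent: am_web_is_access_allowed(): "
    "processing url http://app.example.test:80/portal.+",
    "2008-07-17 09:44:09.101 Warning 656:d8f700 PolicyAgent: OnPreprocHeaders(): "
    "Access Manager Cookie not found.",
    "2008-07-17 09:44:09.101 Debug 656:d8f700 PolicyAgent: am_web_is_access_allowed(): "
    "url 'http://app.example.test:80/public' path_info ''.",
    "2008-07-17 09:44:09.101MaxDebug 656:d8f700 PolicyAgent: am_web_is_access_allowed(): "
    "processing url http://app.example.test:80/public.",
]


def find_scheme_rewrites(lines):
    """Return one finding per request whose URL scheme changed inside the agent."""
    received = {}   # thread id -> URL from the most recent "url '...'" line
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["func"] != "am_web_is_access_allowed":
            continue
        # Drop the forum "+" wrapper and the period that terminates the log message.
        msg = m["msg"].rstrip("+ ")
        if msg.endswith("."):
            msg = msg[:-1]
        proc = PROCESSING_RE.match(msg)
        if proc:
            before = received.pop(m["thread"], None)
            if before is None:
                continue  # no matching "received" line for this thread
            a, b = urlsplit(before), urlsplit(proc["url"])
            # Same host and path but a different scheme: the agent rewrote the URL.
            if a.hostname == b.hostname and a.path == b.path and a.scheme != b.scheme:
                findings.append({
                    "ts": m["ts"],
                    "thread": m["thread"],
                    "received": before,
                    "processed": proc["url"],
                })
            continue
        recv = RECEIVED_RE.match(msg)
        if recv:
            received[m["thread"]] = recv["url"]
    return findings


if __name__ == "__main__":
    for f in find_scheme_rewrites(SAMPLE_LOG):
        print(f"{f['ts']} thread {f['thread']}: {f['received']} -> {f['processed']}")
```

Lines are paired by the pid:thread field, so interleaved requests from different worker threads are not mixed up.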

  • How to get the data from mysql database which is being accessed by a PHP application and process the data locally in adobe air application and finally commit the changes back in to mysql database through the PHP application.

    How to get the data from mysql database which is being accessed by a PHP application and process the data locally in adobe air application and finally commit the changes back in to mysql database through the PHP application.

    If the data is on a remote server (for example, PHP running on a web server, talking to a MySQL server) then you do this in an AIR application the same way you would do it with any Flex application (or ajax application, if you're building your AIR app in HTML/JS).
    That's a broad answer, but in fact there are lots of ways to communicate between Flex and PHP. The most common and best in most cases is to use AMFPHP (http://amfphp.org/) or the new ZEND AMF support in the Zend Framework.
    This page is a good starting point for learning about Flex and PHP communication:
    http://www.adobe.com/devnet/flex/flex_php.html
    Also, in Flash Builder 4 they've added a lot of remote-data-connection functionality, including a lot that's designed for PHP. Take a look at the Flash Builder 4 public beta for more on that: http://labs.adobe.com/technologies/flashbuilder4/
