Disable / Delete OIM Access Policy - OIM11g

Hi Experts,
Checking on these forums, I realized that it is not possible to delete an Access Policy due to DB constraints.
I read somewhere that it is possible to disable them, but I don't understand how.
Any ideas?

Hi
In order to disable the access policy, remove the role associated with it. Since at least one role is mandatory, create and provide some dummy role.
Alternatively, you can delete the membership rule which is responsible for adding users to the group.
Regards
user12841694

Similar Messages

  • Is it possible to delete an Access Policy on OIM 11gR2?

    Hello,
    Is it possible to delete an Access Policy on OIM 11gR2?
    I have created an Access Policy and associated it with a Role.
    But now, due to changes, this Role should not trigger an Access Policy anymore.
    I haven't found a way to disassociate the Access Policy from the Role, nor a way to delete the unnecessary Access Policy.
    Thanks,
    Adriano.

    Hi,
    As far as I know, deleting an access policy is not possible. One solution would be you can create a dummy role which you will never use and remove your existing role from the access policy and assign this dummy role to the policy and save it. That should stop the auto triggering.
    Thanks,
    $id

  • OIM Access Policy Error

    I created an access policy for provisioning a resource and it works fine. But I get the following error when I click on manage and edit the child form fields. Can someone please guide what is this error for?
    2009-04-20 12:57:35,618 ERROR [org.apache.struts.actions.DispatchAction] Request[ManageAccessPolicies] does not contain handler parameter named method
    Thanks!

    What version of OIM are you using? And have you made any changes to the web client? (particularly xlWebAdmin.properties, struts-config.xml or the class files?)
    Deborah

  • OIM Access Policy dilemma

    I have a need to use an Access policy for basic account creation but still have a Request workflow for enhanced privileges. The Access Policy needs the Resource and Process forms to both be Auto Pre-populate and auto save. This seems to be a conflicting requirement by the way I understand OIM. Any thoughts on a good work around?
    Kerry


  • OIM Access Policy OU Updates

    All,
    I am wondering if any you have encountered an issue in OIM where a user’s OU in AD does not change when a new access policy applies to the user with a new OU (the old access policy is no longer valid). I have noticed that child form attributes (groups) are updated with the values from the new access policy, but parent form values such as OU, are not updated.
    The access policies currently do have retrofit selected.
    I also have tried running the “Evaluate User Policies” task with no luck.
    If you have any insight as to how we might resolve or workaround this issue, it would be appreciated.
    Thanks,
    -Derek


  • OIM Access Policy API

    Hi All
    For OIM 10g, I am looking for an API that can mark the "Revoke If No Longer Applies" flag for all the resources of existing Access Policies.
    Any help!

    Yes. Try this API call -
    updateAccessPolicy
    public void updateAccessPolicy(Thor.API.tcResultSet accessPolicyResultSet,
    java.util.Map attributeList)
    throws Thor.API.Exceptions.tcPolicyNotFoundException,
    Thor.API.Exceptions.tcInvalidAttributeException,
    Thor.API.Exceptions.tcAPIException,
    tcAPIException
    This method updates the attributes of an access policy
    Parameters:
    accessPolicyResultSet - A result set containing at the minimum the access policy key and the rowver of the policy record to update.
    attributeList - A map of name-value pairs, each entry holding an attribute-value pair to set/modify for this access policy. The Attribute names are the String column codes (from the Xellerate metadata). The Attribute Values are the String attributes of the columns to set:
    * Access Policies.Description
    * Access Policies.Name
    * Access Policies.Key
    Throws:
    tcPolicyNotFoundException - if the policy is not in the database
    tcInvalidAttributeException - raise if one of the attributes is not a valid attribute
    tcAPIException - if there is an error retrieving information

  • OIM access policy not evaluating a boolean

    I have a test for a boolean in Access Policy
    booleanvariable == true
    but it does not evaluate
    I tried booleanvariable == 1
    and this does not work either.
    If I have a string field instead of a boolean, then it works
    stringvariable == TRUE
    this works.
    Is there something wrong with booleans in Access Policy?

    I'm currently using Boolean with access policies, though maybe a little different.
    In the OIM Design Console, I've created a rule (Resource Management -> Rule Designer) named TestRule
    Add Element:
    - Attribute: booleanvariable
    - Operation: ==
    - Attribute Value: 1
    I have groups that mirror access policies, so let's say that we've also created a group (User Groups->Create via OIM AU Console - Web)
    - Under 'Membership Rules' in the dropdown box for group details, assign the rule you just created
    - Then under 'Access Policies' add the policy you created under Access Policies -> Manage
    Then when a user is in OIM with booleanvariable checked, the Access Policy is applied to that user.

  • Unable to provision to an RO through OIM access policy

    Hi All,
    We have created a group membership and attached it to an access policy which does provisioning for a particular RO.
    When we try to use this, the provisioning process gets stuck in "System Validation" state.
    However, provisioning manually works perfectly fine.
    Is the server looking for something while it tries to provision?
    Thanks!

    Make sure all your required fields are being populated correctly. If you have any checkboxes, make sure they get a 1 or 0 default value. Check the auto save checkbox on your provisioning process definition.
    -Kevin

  • Create Access Policy with OIM API: can't fill child form

    Hi!
    I'm having a problem with creating OIM Access Policy with API. I'm doing the following:
    1. Create a new access policy via AccessPolicyIntf
    2. Add a resource object which will be provisioned to all users who are within policy scope
    3. Get Resource Object (Parent) Form Definition via FormDefinitionIntf
    4. Add data to parent form (AccessPolicyIntf setFormData(FormDefinitionKey))
    5. Now I want to add data to the child form. For that purpose I need to know the child form definition key, but I can't get one, because there's no method like 'getChildFormDefinitionKey' in the FormDefinitionIntf interface.
    Please help me to get the child form definition key, knowing the parent form definition key and version.

    See if this code helps:
    import java.util.Hashtable;
    import Thor.API.tcResultSet;
    import Thor.API.tcUtilityFactory;
    import Thor.API.Operations.tcFormInstanceOperationsIntf;
    import Thor.API.Operations.tcUserOperationsIntf;
    import com.thortech.xl.dataaccess.tcDataProvider;

    // Method of an adapter class; assumes a class-level logger named "log".
    public String addChildTableValue(long userKey, String group, String objectName, String fieldName, tcDataProvider ioDatabase) {
        log.debug("addChildTableValue() Parameter Variables passed are:" +
            "userKey=[" + userKey + "]" +
            "group=[" + group + "]" +
            "fieldName=[" + fieldName + "]" +
            "objectName=[" + objectName + "]");
        try {
            tcUserOperationsIntf userIntf = (tcUserOperationsIntf)tcUtilityFactory.getUtility(ioDatabase, "Thor.API.Operations.tcUserOperationsIntf");
            tcFormInstanceOperationsIntf formIntf = (tcFormInstanceOperationsIntf)tcUtilityFactory.getUtility(ioDatabase, "Thor.API.Operations.tcFormInstanceOperationsIntf");
            boolean roleExists = false;
            // Result set of all objects for the user
            tcResultSet obResultSet = userIntf.getObjects(userKey);
            if (obResultSet.isEmpty()) {
                log.error("User has no provisioned objects");
                return "NO_OBJECTS_EXIST";
            } else {
                for (int ii = 0; ii < obResultSet.getRowCount(); ii++) {
                    obResultSet.goToRow(ii);
                    // Match the named resource, skipping instances that are revoked or still provisioning
                    if ((obResultSet.getStringValue("Objects.Name").equals(objectName)) &&
                        (!(obResultSet.getStringValue("Objects.Object Status.Status").equals("Revoked")) &&
                        !(obResultSet.getStringValue("Objects.Object Status.Status").equals("Provisioning")))) {
                        log.debug("Resource object found: " + objectName);
                        // Process instance key of the object
                        long plProcessInstanceKey = obResultSet.getLongValue("Process Instance.Key");
                        log.debug("Process instance key: " + plProcessInstanceKey);
                        // Form definition key of the parent form
                        long plParentFormDefinitionKey = obResultSet.getLongValue("Process.Process Definition.Process Form Key");
                        log.debug("Parent form definition key: " + plParentFormDefinitionKey);
                        // Form version of the parent form
                        int pnParentFormVersion = formIntf.getProcessFormVersion(plProcessInstanceKey);
                        log.debug("Parent form version: " + pnParentFormVersion);
                        // Result set of child form information
                        tcResultSet childFormResultSet = formIntf.getChildFormDefinition(plParentFormDefinitionKey, pnParentFormVersion);
                        // Child form definition key
                        long plChildFormDefinitionKey = childFormResultSet.getLongValue("Structure Utility.Child Tables.Child Key");
                        String plChildTableName = childFormResultSet.getStringValue("Structure Utility.Table Name");
                        log.debug("Child form definition key: " + plChildFormDefinitionKey);
                        log.debug("Child table name: " + plChildTableName);
                        tcResultSet childFormData = formIntf.getProcessFormChildData(plChildFormDefinitionKey, plProcessInstanceKey);
                        if (!(childFormData.isEmpty())) {
                            log.debug("Searching child table current values");
                            for (int iii = 0; iii < childFormData.getRowCount(); iii++) {
                                childFormData.goToRow(iii);
                                String fieldValue = childFormData.getStringValue(fieldName);
                                log.debug("Child table entry: " + iii + " | value: " + fieldValue);
                                if (fieldValue.equals(group)) {
                                    roleExists = true;
                                    log.debug("Value already exists in child table");
                                    return "DUPLICATE_VALUE";
                                }
                            }
                            log.debug("Value not found in child table");
                        }
                        if (!roleExists) {
                            // Add the new value as a row in the child table
                            Hashtable childFormHash = new Hashtable();
                            childFormHash.put(fieldName, group);
                            formIntf.addProcessFormChildData(plChildFormDefinitionKey, plProcessInstanceKey, childFormHash);
                            log.debug("Value successfully added to table");
                            return "VALUE_ADDED";
                        }
                    }
                }
                log.debug("Provisioned resource " + objectName + " object not found");
                return "OBJECT_NOT_FOUND";
            }
        } catch (Exception ex) {
            ex.printStackTrace();
            return "ERROR";
        }
    }

  • AD Access Policy Update or Revoke Not Happening

    Hi
    Problem:
    I am automating the AD user Provisioning through OIM Access Policy. I am able to provision user in AD, But the provisioned user is not visible in Resources tab. If anything is modified OIM attributes and that are not transferring from OIM to AD User Process Form. If I removed User from the Role, The user was not revoked from the AD.
    Configuration:
    I have created the following task to automate the user provisioning. They are
    1) Rule
    Name: ALL AD Users
    Rule Criteria : User Login != NULL
    2) Role
    Name : AD Role
    Member Ship Rule : ALL AD Users
    3) Access Policy:
    Access Policy Information Provided
    Access Policy Name:      AD Access Policy
    Access Policy Description:      AD Access Policy
    With Approval:      No
    Retrofit Access Policy:      Yes
    Priority:1
    Resources to be provisioned by this access policy
    Resource Name: AD User
    Revoke resource and entitlement(s) if no longer applies: Checked
    Process Forms: AD User Details
    AD User form details are populating through pre-populate adapter in create and Change <FieldName> populating in update Operation.
    Role           
    Name : AD Role
    I couldn't see any error in the AD Connector log file.
    Do I need to do anything apart from AD Access Policy to view the resource in Resource TAB, and also Updating the user attributes ( Change Process Tasks are configured), and Revoke.
    Help is greatly appreciated.

    What do you mean by this statement:
    "But the provisioned user is not visible in Resources tab"
    Do you mean that when you go to Resource Profile of a user then you can't see AD User is provisioned to that user?
    Check "Auto Save" check box on "AD User" Process Definition
    Add one user into that Role explicitly into that Role/Group
    "Resources to be provisioned by this access policy"
    I hope you are giving values for AD Server and Organization Name on the process form in this section.
    Enable the logs as well whether AD User tasks are getting called or not
    And
    For sending Modified Attributes to AD, have you created corresponding tasks like Change First Name, Change Last Name etc in AD User Process Definition and made its entry in Trigger Lookup?
    If yes then it will work only when you'll see AD User in Provisioned/Enabled status in User's Resource Profile
    Let me know the results

  • [OIM 9.1.0.2] Access Policy being evaluated to an OIM user disabled.

    Hi Gurus,
    I have an Access Policy being evaluated and provisioning resource (AD) to an OIM user disabled.
    Any tip on what I should take a look?
    Thanks in advance.

    Hi all,
    I have configured out the XL.EvaluateMembershipForInactiveUser System Property as TRUE, but the membership rule does not get evaluated for disabled users. So the user still remain into the group. I have restarted the OIM.
    I need to active the Evaluate User Policies schedule task for this configuration be effective. Or should I do something more?
    Thanks a lot.

  • [OIM 9.1.0.2] RESOURCE NOT REVOKED BY ACCESS POLICY WHEN USER DISABLED

    Hi Experts,
    OIM Build Number: 1866.62 ( BP15 )
    IHAC that faced an unexpected behavior on User disabling.
    Some users were associated to groups that had access policies applied.
    When those users were disabled, they didn't lose their associated groups and also the resource and permission associated through the access policy applied to those groups.
    I saw that there was a bug reported to that issue. So I performed the action plan and set up the XL.EvaluateMembershipForInactiveUser System Property as TRUE. Now after disabling the users are properly removed from groups.
    Customer problem: For those users, almost 1000, I did a recon just to stimulate the identity, so the membership rule was applied and the groups were removed, but OIM didn't evaluate the access policies and didn't revoke the resources.
    I ran the Evaluate User Policies task, and it seems to be stuck. Should the Evaluate User Policies schedule task work for that scenario? Should the resource after running that task be revoked?
    Any help would be very appreciated.

    Hi Nishith,
    I ran the task, but it seems really stuck. It displays the RUNNING status, but any effect is observed. I have to change task status to INACTIVE in the Design Console.
    This task has 2 attributes: Batch Size= 500 and Number of Threads=20.
    But I have noticed this task in another environment (w/ BP 18 applied), it has 3 attributes: Batch Size= 500 ; Number of Threads=20 and Time Limit in mins=1.
    Is it any enhancement for this task in order to improve its performance, or something like that?
    What else I can check?
    Thanks in advance.

  • Disable Delete Button in Administrator Tab of OIM 11g

    Hi All,
    When we open a user in the Administration tab, there are buttons like Lock/Unlock Account, Enable/Disable, and Delete.
    I want to disable the delete button for all Users. No user should be able to delete the user in OIM.
    Please suggest an appropriate way, if anyone has already tried.
    Thanks!!
    Awaiting Response,
    Regards,
    T

    Once you log in to OIM as a normal user, it won't allow you the disable/delete operation.
    Else, for better usage, use an authorization policy. Create a group/role and provide certain privileges to that group using the authorization policy.
    --nayan

  • Help Required With Access Policy Trigger On Enable User In Oim 11gR2

    My scenario is:
    We have created an access policy for the user.
    Scenario1:
    As soon as the role is added to user, the account is provisioned.  -Working
    Scenario 2:
    As the user is disabled, the account gets revoked-Working
    Scenario 3:
    As the user is enabled, the new instance of the account should get provisioned.(It was earlier working in 11G r1)
    "Evaluate User Policies " is running every ten minutes.Manually also triggered it. but the account doesn't get provisioned after the user is enabled.
    Any inputs?
    Please help

    Your Scenario 2:
    As the user is disabled, the account gets revoked-Working ----> ITS WRONG if you are using OOTB feature of OIM
    -> When the user gets disabled, the accounts should get disabled. The result which u are getting above is not OOTB. Have you made any customization to any logic?
    Just for your info, there is one system property which is used to enable disabled resources when the user is enabled:
    http://docs.oracle.com/cd/E27559_01/admin.1112/e27149/system_props.htm#OMADM884
    Enable disabled resource instances when a user is enabled
    If the value is TRUE, then the disabled resource instances are enabled when a user is enabled.
    XL.EnableDisabledResources
    TRUE

  • Disable AD account with access policy

    Hi all,
    how can I disable AD account with access policy (or create AD account in disabled state)
    Regards,
    Vladimir

    Dewan.Rajiv wrote:
    "Access Policies are just for triggering provisioning. You can custom AD connector or write your own to create user in disabled state using JNDI."
    Hi Dewan,
    I have to create a simple demo system, and I need a solution which is not too weird (that means use as little of disparate technologies as possible).
    I have two connected systems:
    1. HR system, which is a trusted source for user and organizational data.
    2. AD system, which is my provision destination.
    I want to comply to the following requirements:
    1. When a user is created in HR system, a new OIM account shall be created, and a new AD account shall or shall not (depending on HR data) be created in AD in disabled state
    2. When a user is marked as dismissed in HR system, the AD account if exists, shall be disabled and moved to some special place in AD tree.
    3. Same rules shall apply if the OIM account is created or marked as "Dismissed" manually by OIM administrator.
    I use OIM reconciliation to get source data and it is no problem for me to create any reconciliation event I need.
    I was considering creating Group->Access Policy->Resource chains, but Access Policy allows only to manage AD attributes, not account enable status.
    Or should I add some unmapped pseudo-attribute to AD connector and a task which will enable/disable AD account based on the value of this attribute?
    What other options do I have?
    Regards,
    Vladimir
