Is it possible to delete an Access Policy on OIM 11gR2?

Hello,
Is it possible to delete an Access Policy on OIM 11gR2?
I have created an Access Policy and associated it with a Role.
But now, due to changes, this Role should not trigger an Access Policy anymore.
I haven't found a way to disassociate the Access Policy from the Role neither a way to delete the unnecessary Access Policy.
Thanks,
Adriano.

Hi,
As far as I know, deleting an access policy is not possible. One solution would be you can create a dummy role which you will never use and remove your existing role from the access policy and assign this dummy role to the policy and save it. That should stop the auto triggering.
Thanks,
$id

Similar Messages

  • How to track a request id through an access policy in OIM

    lets say User-A requests a job role on behalf of User-B and this job role has a access policy attached to it, to provision the user to AD and SAP.
    Now we want an email sent to user-A (i.e the user-A who is responsible for job role assignment which made the access policy to trigger the provisioning of User-B to the SAP ) once User-B is provisioned to an Resource for the first time.

    You can find the personA usr_key from upp and upd table.
    In upp table it is Coulmn name UPP_UPDATEBY
    In upd table Coulmn name is UPD_CREATEBY
    and for the status check the coulmns (UPD_ALLOW_LIST,UPP_ALLOW_LIST)
    Thanks..
    Edited by: IDMuser19 on Sep 2, 2010 3:27 PM

  • Provision Entitlements using Access Policy in OIM & OIA

    Hi All,
    Access policies in OIM does not allow entitlements definition in it such as defining the AD Groups that needs to be attached to the account which would be provisioned on the target resource when the access policy gets triggered. These entitlements definition in OIM is taken care on the Process Form level, whereas in case of OIA the Provisioning polices allow entitlements definition according the resource type in the policy level. It would be of great help if you could help us in understanding how the import and export of access policy data between OIA and OIM would be feasible with these differences in place
    Appreciate any helpful pointer on this.
    Thanks,
    RPB
    Message was edited by: RPB25

    You can edit the Access Policy, select the Resource added-Provide more information, If it has a child table, you can add entitlement to it. you can also add entitlement while exporting OIA policies using accesspolicy api of OIM. But just chek after importing to OIM, the access policies order will be messed.
    sjit

  • Access Policy and Resources -11gR2

    Hi all,
    I have create an Access policy in 11gR2, its working fine and as per requirement the Resource is getting provisioned / revoked properly.
    In *11gR1* resources provisioned through the Access policy were used to be displayed / listed in the User's Resources tab, In *11gR2* the resources provisioned by Access Policy are not being displayed / listed in under the Accounts tab. is it the default behavior of 11gR2? or some bug? or I need to make any configurations to have it displayed here?
    Regards

    nothing special has to do for showing under Accounts tab. Have you created *'Application Instance'* for the Resource. You have to create Application Instance and run the "catalog sync' job. and once Application Instance is provisioned to user. It will be available under Accounts tab.
    Follow 11gr2 doc for creating application instance
    http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/resmgt.htm#CBBFAIEC

  • Create Access Policy with OIM API: can't fill child form

    Hi!
    I'm having a problem with creating OIM Access Policy with API. I'm doing the following:
    1. Create a new access policy via AccessPolicyIntf
    2. Add a resource object which will be provisioned to all users who are within policy scope
    3. Get Resource Object (Parent) Form Definition via FormDefinitionIntf
    4. Add data to parent form (AccessPolicyIntf setFormData(FormDefinitionKey))
    5. Now I want to add data to the child form, for that purpose I need to know child form definition key, but I can' get one, because there's no method like 'getChildFormDefinitionKey' in FormDefinitionIntf interface.
    Please, help me to get child form definition key, knowing parent form definition key and version

    See if this code helps:
    public String addChildTableValue(long userKey, String group, String objectName, String fieldName tcDataProvider ioDatabase) {
    log.debug("addChildTableValue() Parameter Variables passed are:" +
    "userKey=[" + userKey + "]" +
    "group=[" + group + "]" +
    "fieldName=[" + fieldName + "]" +
    "objectName=[" + objectName + "]");
    try{
    tcUserOperationsIntf userIntf = (tcUserOperationsIntf)tcUtilityFactory.getUtility(ioDatabase, "Thor.API.Operations.tcUserOperationsIntf");
    tcFormInstanceOperationsIntf formIntf = (tcFormInstanceOperationsIntf)tcUtilityFactory.getUtility(ioDatabase, "Thor.API.Operations.tcFormInstanceOperationsIntf");
    boolean roleExists = false;
    //Result set of all Object for user
    tcResultSet obResultSet = userIntf.getObjects(userKey);
    if (obResultSet.isEmpty()){
    log.error("User has no provisioned objects");
    return "NO_OBJECTS_EXIST";
    }else{
    for (int ii=0; ii<obResultSet.getRowCount(); ii++){
    obResultSet.goToRow(ii);
    if ((obResultSet.getStringValue("Objects.Name").equals(objectName)) &&
    (!(obResultSet.getStringValue("Objects.Object Status.Status").equals("Revoked")) &&
    !(obResultSet.getStringValue("Objects.Object Status.Status").equals("Provisioning")))){
    log.debug("Resource object found: " + objectName);
    //Process Instance Key of the object
    long plProcessInstanceKey = obResultSet.getLongValue("Process Instance.Key");
    log.debug("Process instance key: " + plProcessInstanceKey);
    //Process Key for the parent for
    long plParentFormDefinitionKey = obResultSet.getLongValue("Process.Process Definition.Process Form Key");
    log.debug("Parent form definition key: " + plParentFormDefinitionKey);
    //Form version of the parent form
    int pnParentFormVersion = formIntf.getProcessFormVersion(plProcessInstanceKey);
    log.debug("Parent form version: " + pnParentFormVersion);
    //Result set of Child Form information
    tcResultSet childFormResultSet = formIntf.getChildFormDefinition(plParentFormDefinitionKey, pnParentFormVersion);
    //Child form definition key
    long plChildFormDefinitionKey = childFormResultSet.getLongValue("Structure Utility.Child Tables.Child Key");
    String plChildTableName = childFormResultSet.getStringValue("Structure Utility.Table Name");
    log.debug("Child form definition key: " + plChildFormDefinitionKey);
    log.debug("Child table name: " + plChildTableName);
    tcResultSet childFormData = formIntf.getProcessFormChildData(plChildFormDefinitionKey, plProcessInstanceKey);
    if (!(childFormData.isEmpty())){
    log.debug("Searching child table current values");
    for (int iii=0; iii<childFormData.getRowCount();iii++){
    childFormData.goToRow(iii);
    String fieldValue = childFormData.getStringValue(fieldName);
    log.debug("Child table entry: " + iii + " | value: " + fieldValue);
    if (fieldValue.equals(group)){
    roleExists = true;
    log.debug("Value already exists in child table");
    return "DUPLICATE_VALUE";
    log.debug("Value not found in child table");
    if (!roleExists){
    Hashtable childFormHash = new Hashtable();
    childFormHash.put(fieldName, group);
    formIntf.addProcessFormChildData(plChildFormDefinitionKey, plProcessInstanceKey, childFormHash);
    log.debug("Value successfully added to table");
    return "VALUE_ADDED";
    log.debug("Provisioned resource " + objectName + " object not found");
    return "OBJECT_NOT_FOUND";
    catch(Exception ex){
    ex.printStackTrace();
    return "ERROR";

  • Creating access policy using OIM 11g APIs

    Is there a way to create an access policy using API? I see that there is AccessPolicyService but it only supports evalutePoliciesForUser. I need a way to add and modify policies.
    I'm using OIM 11.1.1.5
    Edited by: DJ on May 21, 2012 11:53 AM

    FYI, I hope the following links might be helpful, if you did not come across them before:
    OIM API for Create Access Policy:
    http://otndnld.oracle.co.jp/document/products/id_mgmt/idm_904/doc_cd/javadocs/operations/Thor/API/Operations/tcAccessPolicyOperationsIntf.html
    Example Code for OIM API Creation of Access Policy
    http://learnidm.blogspot.co.uk/2011_08_01_archive.html
    Thanks,
    Krish.

  • Configuring Access Control with OIM 11gR2

    Hi,
    I have to configure Access Control resource with OIM 11gR2. Kindly share relevant pointers.
    Best Regards,
    Varun

    I think this link will be Helpful
    22.5.1 Configuring Oracle Application Access Controls Governor
    http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/segduties.htm#OMDEV3394

  • Disable / Delete OIM Access Policy - OIM11g

    Hi Experts,
    checking on these forums I realized that is not possible to delete an Access Policy due to DB constraints.
    I read somewhere that is possible to disable them, but I don't understand how.
    Any ideas?

    Hi
    In order to disable the access policy.. remove the role associated with it. Since it is mandatory for atleast one role..create and provide some dummy role..
    alternatively you can delete the membership rule which is reponsible adding users to the group.
    Regards
    user12841694

  • Request templete - is it possible to delete from database?

    Hi All,
    is it possible to delete/disable request template from OIM database after we use it to generate some request?
    best
    mp
    Edited by: J23 on 2012-02-17 05:48

    If can change configuration (delete) of request template any time, via UI, don't do it via sql query.
    http://docs.oracle.com/cd/E21764_01/doc.1111/e14316/req.htm#BABFJHDF
    If you are talking about deleting or changing request dataset, sure you can do it any time Again If you going to perform any MDS operation keep the backup of MDS.

  • Access Policy  Vs Self Service triggered provisioning

    Hello Everyone,
    I wanted to know if there is any way to differentiate at the process definition level whether the provisioning process is triggered by Access Policy/direct OIM user create or a Self Service Request??
    Thanks
    N

    There is a column in the table for the object instance database object that contains a link to the access policy object. You can break or create this link if you want or don't want resource to be revoked on "policy no longer applies".
    I don't remeber exactly what the tables are called (OIU?). Perhaps someone else has this info easily available.
    Best regards
    /Martin

  • Android MS RDP - RPC Error: Your connection was denied because of a Resource Access Policy (TS_RAP). Please contact your server administrator. (2147965402).

    I love iTap Mobile.  Paid for the app.  Sorry to see them discontinue it, but now I know why.  Microsoft bought them out!  But even though free, I am getting an error: RPC Error: Your connection was denied because of a Resource Access
    Policy (TS_RAP). Please contact your server administrator. (2147965402).  I worked with iTap to fix this so I guess they sold Microsoft their older buggy code...  Microsoft, please fix!
    PS: This is the Android version.  Mac and iOS are both okay.
    EDIT:  After an update a few months ago, iOS is no longer working.  Not sure if the problem is related to the Android MSRDP issue.
    UPDATE - Relevant posts (need Android RDP software engineer to fix):
    Event Viewer Log when using Android client:
    The user
    "DOMAIN\testuser", on client computer "10.x.x.x", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM". (This
    is most likely for logging into RD Web - icons shows up).
    The
    user "DOMAIN\testuser", on client computer "10.x.x.x", did not meet resource authorization policy requirements and was therefore not authorized to resource"localhost".
    The following error occurred: "23002".  (This is after clicking on any
    of the icons).
    I
    think the Android MS RDP client is providing the incorrect resource.  It shouldn't be "localhost".
     It should be the RD Connection Broker's hostname, I believe.
    Here's what it should look like (connected using a Windows PC going
    through the RD Web portal via Internet Explorer):
    The user "DOMAIN\testuser", on client computer "10.x.x.x", met connection
    authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM".
    The user "DOMAIN\testuser", on client computer "10.x.x.x", met resource
    authorization policy requirements and was therefore authorized to connect to resource "rdsfarm.domain.com".
    The user "DOMAIN\testuser", on client computer "10.x.x.x", connected
    to resource "rdsfarm.domain.com".
    Stephan,
    Do you have any way to contact the software engineer who worked on the Android version of the RDP client?  Please
    have them read this thread.  They need to fix the hard coded "localhost" resource to be a variable (namely whatever the user put in for the server).
    This is why the MS RDP app is failing in situations where the FQDN for the RD Gateway and Connection Broker uses
    the same host name.
    Again, this is not a configuration problem on our end as it works as intended with the native Windows RDP client
    as well as the Mac and iOS version of the mobile RDP client (all based on iTap Mobile's RDP app).
    This is a problem specific to the Android RDP app.
    PS: No matter how hard I try, the WYSIWYG editor is not very WYSIWYG at all, and so everything here looks messed up even though it looked right when I posted it (it is deleting new blank lines I'm inserting to make it spaced out and easier to read). See
    below to read the post in context.

    Thanks for the bumps, everyone.  I haven't check this thread in a while because I basically gave up on Microsoft's ability to respond.  Unlike paid apps, there's no number to call or ticket to open when an app like this malfunctions.
    Just to give you an update, iOS users started having issues connecting a few months ago.  I don't remember what version started this.  I'm not sure if it's the same problem.
    Also, the newest version now gives a slightly different error message:  RpcOverHttpEndpointException: 2, Your connection was denied because of a Resource Access Policy (TS_RAP).  Please contact your server administrator.
    For Android users, I am starting to recommend Xtralogic Remote Desktop Client.  It's a paid app, but it works great.  I don't know of any alternative for iOS.
    MSRDP for Mac OSX (was also an iTap application) continues to work throughout the many updates.
    We need a software engineer from MS to read my first post.  All the information that will point to a fix is there.  I strongly believe someone hardcoded the string "localhost" instead of using a variable to point to the FQDN of the rdsfarm
    name.
    Here's that info again (copied/pasted).  It doesn't take an engineer to understand the issue.  If you know how to decipher Event Logs, you can see where the problem is.
    Event
    Viewer Log when using Android client:
    The
    user "DOMAIN\testuser", on client computer "10.x.x.x", met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM". (This
    is most likely for logging into RD Web - icons shows up).
    The
    user "DOMAIN\testuser", on client computer "10.x.x.x", did not meet resource authorization policy requirements and was therefore not authorized to resource"localhost".
    The following error occurred: "23002".  (This
    is after clicking on any of the icons).
    I
    think the Android MS RDP client is providing the incorrect resource.  It shouldn't be "localhost".
     It should be the RD Connection Broker's hostname, I believe.
    Here's
    what it should look like (connected using a Windows PC going through the RD Web portal via Internet Explorer):
    The user "DOMAIN\testuser", on client computer "10.x.x.x",
    met connection authorization policy requirements and was therefore authorized to access the RD Gateway server. The following authentication method was used: "NTLM".
    The user "DOMAIN\testuser", on client computer "10.x.x.x",
    met resource authorization policy requirements and was therefore authorized to connect to resource "rdsfarm.domain.com".
    The user "DOMAIN\testuser", on client computer "10.x.x.x",
    connected to resource "rdsfarm.domain.com".

  • E1200 V2 with no "internet access policy" in built-in web-based setup

    I just bought a factory refurbished E1200.  The label on the bottom says it is a Version 2 model.  When I purchased it, it was loaded with 2.0.02 firmware but I upgraded the firmware to 2.0.04
    My problem is that I'm trying to setup MAC address-based restrictions thru the manual/web-based setup and when I click on the "Access Restrictions" tab, I only have simple "Parental Controls" and not the advanced "Internet Access Policy".
    Is it possible that I have a mislabeled V1 device?  If that is the case, how is it that I was able to upgrade the firmware using firmware from the V2 downloads section.
    Do V! and V2 units use the same firmware but  more importantly, how do I upgrade the built-in software so that I have the advanced "Internet Access Policy" controls?
    Thanks!
    Eric
    Solved!
    Go to Solution.

    Very strange indeed then!  My subtab only has "Parental Controls" listed.  
    I've compared it to the one shown here  ( http://ui.linksys.com/files/E1200/2.0.00/inter_access.htm ) - and mine does not look like this at all!
    I think i have a mislabeled V1 model or at least V1 software loaded,
    Does anyone know if it is possible to download and reload the software that is built in to the router or do I need to return it and get a (hopefully) new one?
    Thanks!
    Eric

  • OIM 11g R2 - AD provisioning based on Role and Access Policy

    Hi, for Active Direcotry integration i used some prepopulation plugin for populationg resource form (based on http://fusionsecurity.blogspot.sk/2013/01/populating-request-attributes-in-oim.html).
    It's work fine - requested account was fully provisioned.
    Can i use this plugins for Role based provisioning?
    I try to create access policy and associated role but when attached the role to the user and run Evaluate User Policies Job, account can't be provisioned.
    In diagnostic.log i found.....
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Immediate consequences are returned with event - InitiatePolicyEvaluationAndProvisioning
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Next Waiting child process is ..........6380 sync = false
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] First Waiting child process is ..........6380
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Kernel executing default validation with process id, event id, entity and operation 6,380.0.Resource.ACCESS_POLICY_BASED_PROVISION
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Kernel completed the child orchestration - 6380.6379
    [oracle.iam.platform.kernel.dao] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Inserting records for orchestration cleanup
    [oracle.iam.platform.kernel.impl] [.....] [userId: oiminternal] [.....] [APP: oim#11.1.2.0.0] Completed orchestration with action result - 113

    Hi, all
    I try to fill Access policy Process Form. Account request was created and provisioned when field AD Server and Organization Name was filled in, but pre-population plugin doesn't fired
    The question is.... How can i use pre-population plugin for populating request dataset used with request generated by access policy....
    Is it possible to use plugins for requests generated based on access policy?
    a.

  • Is it possible to delete a relationship from the BP ?

    Hello experts,
    I'd would like to replace a function partner SH (having the same number as the DO) by another  from R3 to CRM5.
    At the begining i have in R3 this partner
    AG 3901007
    RE 3901007
    RG 3901007
    WE 3901007
    In R3 by the transaction VD02, I replace the partner SH by another
    After the modify i have in R3.
    AG 3901007
    RE 3901007
    RG 3901007
    WE 5000000
    When the replication is done in CRM using BDOC, i can see, by the transaction BP
    the new ship to party partner(5000000) .
    The trouble is :
    When customer access to ISA (standard version) to order product, he can select the partner 3901007 as shipping adress.
    By ISA, he should have the partner 5000000 only.
    Is it standard or is it a sap trouble ?
    Is it possible to delete a relationship from the BP ?
    I don't want to delete the BP partner, i just want to delete the relationship when then BDOC arrive in CRM.
    i have found the oss note 596334 497146 757955 too but it doesn't bring me a solution.
    Best regards
    Christophe

    Hello
    When you delete a Partner Function in R/3 the corresponding relationshipdoesn't get deleted in CRM. This is standard SAP behavior and not a
    bug. Reason for this behavior has been explained in Note 490454.
    You can change this behavior by implementing Note 497146. Also check
    the note 682427 which will help you in clearing old data.

  • Server does not support setting more than 5 shared access policy identifiers on a single container

    Hi,
    I upload a video file to a new Asset. I then attempt to create a streaming URL by creating an Access Policy and then a Locator, which I use to generate the URL used for streaming.This works great. Until the 6th time you execute
    that code against the same Asset. Then you receive this error:
    "Server does not support setting more than 5 shared access policy identifiers on a single container."
    So, that's fine. I don't need to create a new AccessPolicy everytime, I can reuse the one I've created previously, build a Locator using that same policy. However, even then, I get the error about 5 shared access policies on a single container.
    Is this the Lmitation of media service? or am I missing something?
    Following is the code I used for this:
    if (AssetId != "")
                    inputAsset = (from a in _context.Assets
                                  where a.Id == AssetId
                                  select a).FirstOrDefault();
                    policy= (from a in _context.AccessPolicies where a.Name==inputAsset.Name select a).FirstOrDefault();
                    var assetFile = inputAsset.AssetFiles.Create(Path.GetFileName(singleFilePath));
                    var locator = _context.Locators.CreateLocator(LocatorType.Sas, inputAsset, policy);
                    assetFile.Upload(singleFilePath);
                    locator.Delete();
                    MediaElement media = new MediaElement();
                    media.AssetId = inputAsset.Id;
                    media.Title = Path.GetFileName(singleFilePath);
                    var result = Save(media, singleFilePath);
                    return inputAsset;
                else
                    inputAsset = _context.Assets.Create(User.Identity.Name, AssetCreationOptions.None);
                     policy = _context.AccessPolicies.Create(
                                        inputAsset.Name,
                                        TimeSpan.FromDays(30),
                                        AccessPermissions.Write | AccessPermissions.List
    | AccessPermissions.Read | AccessPermissions.Delete);
                     var assetFile = inputAsset.AssetFiles.Create(Path.GetFileName(singleFilePath));
                     var locator = _context.Locators.CreateLocator(LocatorType.Sas, inputAsset, policy);
                     assetFile.Upload(singleFilePath);
                     locator.Delete();
                     policy.Delete();
                     MediaElement media = new MediaElement();
                     media.AssetId = inputAsset.Id;
                     media.Title = Path.GetFileName(singleFilePath);
                     var result = Save(media, singleFilePath);
                     return inputAsset;

    Hi,
    I found some information related to
    Stored Access Policy , Shared Access Signatures   please check if it helps.
    Regards,
    Shirisha Paderu.

Maybe you are looking for