OIM iPlanet Resource revoked using access policy

Hi,
I had created a group and an access policy based upon which I tried to provision an iPlanet resource to a user.
For this I had created a UDF (say "type", with value C) and created a rule based on which the user is assigned to a group, say "business", and the iPlanet resource is also provisioned to the user.
As I edit the profile and clear the UDF, the user is removed from the group and the iPlanet resource is also revoked. (In the access policy, "Revoke if no longer applies" is set.)
I am able to do this task successfully. But if the iPlanet resource is already allocated to the user and I update the UDF (value C), the user is assigned to the group and iPlanet is already assigned to the user (multiple resources unticked). Now if I again update the UDF (i.e. clear it), the user is removed from the group but the iPlanet resource is not revoked from the user...
Can somebody tell me why it is happening? Whether it's a bug in OIM or I am missing something...
Thanks
Anil

If I understand your requirement correctly, when you change the value in the process form edit from C to something else, the iPlanet resource is getting revoked.
But when you change the same value from the user profile edit, iPlanet is not getting revoked, right?
As per my knowledge, when you update the value of a UDF in the user profile, you can use triggers (USR.TRIGGERS) which will update the process form. In this case your process form gets updated by default.
This in turn triggers the access policy and revokes the resource.
Hope this helps you.

Similar Messages

  • Provision Entitlements using Access Policy in OIM & OIA

    Hi All,
    Access policies in OIM do not allow entitlements to be defined in them, such as defining the AD groups that need to be attached to the account that would be provisioned on the target resource when the access policy gets triggered. These entitlement definitions in OIM are taken care of at the process form level, whereas in the case of OIA the provisioning policies allow entitlement definitions according to the resource type at the policy level. It would be of great help if you could help us understand how the import and export of access policy data between OIA and OIM would be feasible with these differences in place.
    Appreciate any helpful pointer on this.
    Thanks,
    RPB
    Message was edited by: RPB25

    You can edit the access policy, select the resource added, and provide more information. If it has a child table, you can add the entitlement to it. You can also add entitlements while exporting OIA policies using the access policy API of OIM. But just check after importing to OIM: the access policy order will be messed up.
    sjit

  • Segregate Automated User provisioning using Access Policy-Diff Groups/Org

    Hello there,
    By default, the users that are created in OIM (via GTC, via self registration, or via an administrator) all get assigned to the "All Users" group. Can we assign these users to a different user-defined group, e.g. "trialgroup", by default, and unassign the "All Users" group? If yes, how can we do that?
    This question is related to another question of mine:
    I want to avoid all the users that are being created in the OIM system being provisioned all together to a single IT resource (in my case OID) directly via an access policy, which can be applied on an individual group. I want to keep the system extensible for future purposes. And the only way to segregate direct resource provisioning via access policy is by means of different "groups". So the solution that I could think of was to assign all the users that are being created currently (via GTC and via bulk load into OIM) to a separate group and assign an access policy to that group, so that in future if any other resource comes into the picture, the system can be extended by creating more groups and designing individual access policies for them.
    Does this make sense?
    Please provide your inputs! Any hints/suggestions/ideas are welcomed.
    TIA,
    - oidm.

    I am actually not very sure what you want to achieve from the content of that post. If you mean that you would not want every user in OIM to be provisioned to OID automatically through an access policy, then I am assuming that in that case you will apply the access policy to the ALL_USERS group.
    Well, I may be missing the flow of your question, but here is what you can do based on my understanding:
    1) Just forget the ALL_USERS group. We can do nothing about it. Any user created will be a part of this group and you cannot remove a user from this group.
    2) In place of this, what you can do is create another group, for instance trialgroup, and make all users a member of this group as well. This would be simple to do. See the next step. Use the addMemberUser() API of the addMemberUser interface.
    3) Create an entity adapter with a Java task added, which takes an input of the user ID and assigns that user to this group (trialgroup) in OIM using the above API. Attach this adapter to the post-insert trigger of the "Users" data object manager. (It also has another OOTB entity adapter which adds all the users to the ALL_USERS group.)
    4) Attach your access policy to this group.
    5) Now you are also free to extend your system by creating more groups and access policies. It shouldn't be a problem.
    Thanks
    Sunny
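    The following is an added example of the Java task Sunny's steps 2) and 3) describe, written for this page and not code from the thread or from Oracle. It assumes OIM 9.x public APIs (Thor.API.Operations.tcGroupOperationsIntf, obtained through tcUtilityFactory from the adapter's "Database Reference" variable), that the class is packaged into a JAR under OIM's JavaTasks directory, and that the Adapter Factory maps the user-key variable to USR_KEY of the "Users" data object on post-insert. The class and package names are hypothetical. It resolves the group by name at runtime rather than hard-coding a key, and refuses to act on an ambiguous match, because a wrong membership here is exactly what triggers the access policy.

```java
package com.example.oim.adapter;   // hypothetical package name (assumption)

import java.util.HashMap;
import java.util.Map;

import Thor.API.tcResultSet;
import Thor.API.tcUtilityFactory;
import Thor.API.Operations.tcGroupOperationsIntf;
import com.thortech.xl.dataaccess.tcDataProvider;

/**
 * Entity-adapter Java task: add a freshly inserted OIM user to a named group.
 * Added example for this page; not part of the original thread. Assumes OIM 9.x APIs.
 */
public class AddUserToGroupTask {

    /** Return codes the Adapter Factory can map to adapter responses. */
    public static final String SUCCESS = "SUCCESS";
    public static final String GROUP_NOT_FOUND = "GROUP_NOT_FOUND";
    public static final String GROUP_AMBIGUOUS = "GROUP_AMBIGUOUS";
    public static final String ERROR = "ERROR";

    /**
     * Adds the user identified by userKey to the group named groupName.
     *
     * @param dataProvider OIM database reference supplied by the adapter runtime
     * @param userKey      USR_KEY of the user that was just inserted (post-insert trigger)
     * @param groupName    exact group name, e.g. "trialgroup"; read it from an adapter
     *                     variable or a system property, never hard-code it per environment
     */
    public static String addUserToGroup(tcDataProvider dataProvider, long userKey, String groupName) {
        tcGroupOperationsIntf groupOps = null;
        try {
            groupOps = (tcGroupOperationsIntf) tcUtilityFactory.getUtility(
                    dataProvider, "Thor.API.Operations.tcGroupOperationsIntf");

            // Resolve the group name to its key; keys differ between environments.
            Map<String, String> filter = new HashMap<String, String>();
            filter.put("Groups.Group Name", groupName);
            tcResultSet groups = groupOps.findGroups(filter);

            // Insist on exactly one exact-name match before touching membership,
            // since group membership is what drives the attached access policy.
            long groupKey = -1L;
            int matches = 0;
            for (int i = 0; i < groups.getRowCount(); i++) {
                groups.goToRow(i);
                if (groupName.equals(groups.getStringValue("Groups.Group Name"))) {
                    groupKey = groups.getLongValue("Groups.Key");
                    matches++;
                }
            }
            if (matches == 0) {
                return GROUP_NOT_FOUND;
            }
            if (matches > 1) {
                return GROUP_AMBIGUOUS;
            }

            groupOps.addMemberUser(groupKey, userKey);
            return SUCCESS;
        } catch (Exception e) {
            // Returning a code instead of rethrowing keeps the user insert itself from
            // failing; route the stack trace to the server log in a real deployment.
            e.printStackTrace();
            return ERROR;
        } finally {
            if (groupOps != null) {
                groupOps.close();
            }
        }
    }
}
```

    Because this runs on every path that inserts a user (GTC, self registration, administrator, bulk load), which is what the original question asks for, the group name should come from configuration and the adapter response codes should be mapped in the Adapter Factory so that a failure to join the group is visible rather than silently leaving the user outside the policy.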

  • [OIM 9.1.0.2] RESOURCE NOT REVOKED BY ACCESS POLICY WHEN USER DISABLED

    Hi Experts,
    OIM Build Number: 1866.62 ( BP15 )
    IHAC that faced unexpected behavior on user disabling.
    Some users were associated to groups that had access policies applied.
    When those users were disabled, they didn't lose their associated groups, nor the resource and permission associated through the access policy applied to those groups.
    I saw that there was a bug reported for that issue. So I performed the action plan and set up the XL.EvaluateMembershipForInactiveUser system property as TRUE. Now after disabling, the users are properly removed from the groups.
    Customer problem: For those users, almost 1000, I did a recon just to stimulate the identity, so the membership rule was applied and the groups were removed, but OIM didn't evaluate the access policies and didn't revoke the resources.
    I ran the Evaluate User Policies task, and it seems to be stuck. Should the Evaluate User Policies scheduled task work for that scenario? Should the resource be revoked after running that task?
    Any help would be very appreciated.

    Hi Nishith,
    I ran the task, but it seems really stuck. It displays the RUNNING status, but no effect is observed. I have to change the task status to INACTIVE in the Design Console.
    This task has 2 attributes: Batch Size = 500 and Number of Threads = 20.
    But I have noticed that in another environment (with BP18 applied), this task has 3 attributes: Batch Size = 500, Number of Threads = 20 and Time Limit in mins = 1.
    Is that an enhancement to this task in order to improve its performance, or something like that?
    What else can I check?
    Thanks in advance.

  • [OIM 9.1.0.2] Access Policy being evaluated to an OIM user disabled.

    Hi Gurus,
    I have an access policy being evaluated and provisioning a resource (AD) to a disabled OIM user.
    Any tip on what I should take a look?
    Thanks in advance.

    Hi all,
    I have configured the XL.EvaluateMembershipForInactiveUser system property as TRUE, but the membership rule does not get evaluated for disabled users. So the user still remains in the group. I have restarted OIM.
    Do I need to activate the Evaluate User Policies scheduled task for this configuration to be effective, or should I do something more?
    Thanks a lot.

  • Issue in OIM 11gR2Ps2 while provisioning using access policies

    Hi,
    We are provisioning resources using access policies, and we are facing an issue while provisioning a resource using two access policies. We are populating the main process form data using two access policies. According to the access policy priority we see the first access policy's form data value in the user process form, but the second access policy's value is not showing in the user process form. For example, we populate process form fieldvalue1 using access policy 1 and process form fieldvalue2 using access policy 2.
    Thank you,

    Hi,
    We are facing an issue in the following scenario.
    We are provisioning a resource based on the user position through access policies. For example, a user position "contractor" satisfies two rules; based on the rules he will get two roles, these two roles trigger two access policies, and the two access policies give the same resource, for example "AD". In the AD main process form there are two lookups (lookup A, lookup B). We give the lookup A value in access policy 1 and the lookup B value in access policy 2. Whenever the user gets the AD resource through these roles, after provisioning when we look at the user process form only the lookup A value is there and lookup B is empty. But I want to get both lookup A and lookup B values. What I observed was that, based on priority, one access policy's values come into the user resource form, and the next access policy's form values are not reflected in the user process form.
    Thanks,

  • Role getting revoked with Access Policy

    Hi,
    I have an access policy which will provision a resource object with only one special role. Whenever a user belongs to the group according to a rule USR_UDF_GLOBALSTATUS == Active, the user automatically gets provisioned to the resource object with that role as per the access policy. In this access policy, the "Revoke if no longer applies" option is disabled for that resource object.
    Whenever for that user USR_UDF_GLOBALSTATUS == Active is changed to USR_UDF_GLOBALSTATUS == InActive from reconciliation, the user is removed from that group. Till here everything is fine. But the special role assigned to that user is also getting revoked. I haven't enabled the "Revoke if no longer applies" option. But how come the role is getting revoked?
    According to my requirement, that special role should still stay even if the user is removed from the group. Please help...
    - Pavan

    Enable all logging. Check and see if the user was a member of more groups than just the one. There might be more than one access policy for the user: one that gives the resource with a base set of values for the parent form, and then another access policy with a lower priority that provides the role. Also look at the Xellerate User object and check for any tasks that might be triggered on this change in value, as well as on other values. Your best bet is to look at the user and all their groups and resources. Then perform your change, and look at their resource profiles both in the targets and on the Xellerate User object, and see what tasks were inserted.
    -Kevin

  • Linking resource accounts to access policy from a database

    As part of the seeding process, we assign roles to the users and then run the recon to assign resources to the users. We have an access policy which is supposed to assign the AD resource when a user has an Employee role. After we seed all the existing users, we enable the policy to assign AD for the new users, but since we recon the users instead of using the access policy, it doesn't link the access policy to the resource account.
    How can I link those two in the database so that next time, when someone is removed from the Employee role, it will also remove the AD account? I tried setting the pol_key attribute in UD_ADUSER with the ID of the policy found in table POL, but that didn't help.
    Thanks

  • Access Policy and Resources -11gR2

    Hi all,
    I have created an access policy in 11gR2; it's working fine, and as per the requirement the resource is getting provisioned/revoked properly.
    In 11gR1, resources provisioned through the access policy used to be displayed/listed in the user's Resources tab. In 11gR2 the resources provisioned by the access policy are not being displayed/listed under the Accounts tab. Is it the default behavior of 11gR2, or some bug, or do I need to make any configuration to have them displayed here?
    Regards

    Nothing special has to be done for showing them under the Accounts tab. Have you created an 'Application Instance' for the resource? You have to create an Application Instance and run the 'Catalog Sync' job, and once the Application Instance is provisioned to the user, it will be available under the Accounts tab.
    Follow the 11gR2 doc for creating an application instance:
    http://docs.oracle.com/cd/E27559_01/dev.1112/e27150/resmgt.htm#CBBFAIEC

  • OIM access policy not evaluating a boolean

    I have a test for a boolean in an access policy:
    booleanvariable == true
    but it does not evaluate.
    I tried booleanvariable == 1
    and this does not work either.
    If I have a string field instead of a boolean, then it works:
    stringvariable == TRUE
    This works.
    Is there something wrong with booleans in access policies?

    I'm currently using a boolean with access policies, though maybe a little differently.
    In the OIM Design Console, I've created a rule (Resource Management -> Rule Designer) named TestRule.
    Add Element:
    - Attribute: booleanvariable
    - Operation: ==
    - Attribute Value: 1
    I have groups that mirror access policies, so let's say that we've also created a group (User Groups -> Create via the OIM Admin Console, Web):
    - Under 'Membership Rules' in the dropdown box for group details, assign the rule you just created
    - Then under 'Access Policies' add the policy you created under Access Policies -> Manage
    Then, when a user is in OIM with booleanvariable checked, the access policy is applied to that user.

  • OIM 11G - Roles, revoke when policy no longer applies behaviour

    When two roles share one or more common resources, will the "revoke resources when policy no longer applies" behaviour preserve the common resources of the other existing role, when the other role is revoked?
    Regards
    Hanif

    As mentioned above, they will keep the resource as long as they are a member of a role that has that resource on its access policy.
    If an access policy has a deny resource listed on it, though, that will automatically revoke any instance regardless of the other access policies the user has.
    -Kevin

  • Disable AD account with access policy

    Hi all,
    How can I disable an AD account with an access policy (or create the AD account in a disabled state)?
    Regards,
    Vladimir

    Dewan.Rajiv wrote:
    Access Policies are just for triggering provisioning. You can customize the AD connector or write your own to create the user in a disabled state using JNDI.
    Hi Dewan,
    I have to create a simple demo system, and I need a solution which is not too weird (that means using as few disparate technologies as possible).
    I have two connected systems:
    1. HR system, which is a trusted source for user and organizational data.
    2. AD system, which is my provisioning destination.
    I want to comply with the following requirements:
    1. When a user is created in the HR system, a new OIM account shall be created, and a new AD account shall or shall not (depending on HR data) be created in AD in a disabled state.
    2. When a user is marked as dismissed in the HR system, the AD account, if it exists, shall be disabled and moved to some special place in the AD tree.
    3. The same rules shall apply if the OIM account is created or marked as "Dismissed" manually by an OIM administrator.
    I use OIM reconciliation to get the source data and it is no problem for me to create any reconciliation event I need.
    I was considering creating Group -> Access Policy -> Resource chains, but an access policy only allows managing AD attributes, not the account enable status.
    Or should I add some unmapped pseudo-attribute to the AD connector and a task which will enable/disable the AD account based on the value of this attribute?
    What other options do I have?
    Regards,
    Vladimir

  • PF attribute modification in Access Policy for existing users.

    Hi Guys,
    I have an access policy for provisioning a resource. Suppose I make some changes to a process form attribute value inside the access policy. How can I have the same attribute value reflected in the process form of users who are already provisioned by the access policy?
    A direct database update won't be a good idea here as I have multiple access policies for the same resource. Is there any table which holds the relation between the provisioned resource and the corresponding access policy, if at all I have to go for a custom scheduled task?
    Thanks,

    Is this solution also supposed to work in OIM 11g? I tried it, but data on the main form does not get reflected on the process form of existing users. For child data it does work.
    Edited by: bsteen on Aug 5, 2011 5:21 AM

  • Provisioning with Access Policy

    Hi All
    I have made one access policy for full-time employees.
    I want that if an admin creates a user who is a full-time employee, it should automatically get provisioned with AD.
    I have made that access policy. But if an admin creates a user who is a full-time employee, then the provisioning status goes into "READY" state.
    It gets stuck in the resource form.
    And in my resource form only one lookup field is there, and I have already put a value in that lookup.
    Could anyone please tell me the solution for this?
    Thanks a lot!

    Hi
    I made the access policy without approval.
    That extra field, i.e. AD Server, I have already filled with ADITResource.
    Actually I have made one resource form; I'm giving the value of AD Server from there and it is prepopulating in the process form.
    But when the user goes for provisioning, it gets stuck in the resource form, not in the process form. It shows status Ready.
    Is it possible to remove that resource form from the access policy? I think it may remove my problem.
    But I don't know how to remove the resource form from the Access Policy region.
    Please suggest.
    Thanks for these replies.

  • Creating access policy using OIM 11g APIs

    Is there a way to create an access policy using the API? I see that there is AccessPolicyService but it only supports evaluatePoliciesForUser. I need a way to add and modify policies.
    I'm using OIM 11.1.1.5
    Edited by: DJ on May 21, 2012 11:53 AM

    FYI, I hope the following links might be helpful, if you did not come across them before:
    OIM API for creating an access policy:
    http://otndnld.oracle.co.jp/document/products/id_mgmt/idm_904/doc_cd/javadocs/operations/Thor/API/Operations/tcAccessPolicyOperationsIntf.html
    Example code for OIM API creation of an access policy:
    http://learnidm.blogspot.co.uk/2011_08_01_archive.html
    Thanks,
    Krish.