HAPPY NEW YEAR 2017

Identity And Access Management - Rajiv Dewan

Access Policy Harvesting - Case Sensitive Issue

Access Policy Harvesting - Case Sensitive Issue


Here's another issue with Access Policy Harvesting. I reconciled entitlement (xyz) for a user but in Access Policy we gave entitlement name in different case (Xyz). When we ran the Evalaute User Policy job after role assignment, OIM initiated provisioning for entitlement "Xyz".
Ideally OIM should have done Access Policy Harvesting for that entitlement but it didn't.

So make sure you compare the Access Policy Child form data with reconciled data. You can do the same by comparing POC and Child Form tables. This may give you 100% results if at-least one user is having access to entitlements which are defined in Access Policies.

Access Policy Harvesting - Oracle Identity Manager

Access Policy Harvesting is very common but important feature of Oracle Identity Manager. It is very complicated feature too :) In the last deployment we faced some weird issue with Access Policy Harvesting. In earlier versions of OIM, we used to follow steps mentioned in my other blog post (Click Here)

Details & Workaround:
 
RBAC solution is implemented for an application. Few roles of that application were already integrated earlier and now application team added few new roles and assigned the membership from the backend.
Now when we reconciled newly added roles and ran Access Policy Harvesting job (Evaluate User Policy) after assignment of OIM Roles, OIM didn't do AP Harvesting for newly added entitlements ONLY for few users.

AP Harvesting worked for few users for same set of entitlement and role but it didn't happen for other users having same role and entitlement. We tried to evaluate the Access Policies multiple times but no luck. On debugging, I found that accounts for such users (for who AP Harvesting didn't happen) were created by OIM through Provisioning Mechanism and that's why OIM was skipping those accounts while evaluating access policies. 
I had to change the Provisioning Mechanism of such account to "AP Harvested" from the database and evaluate the access policies again AND everything worked like a charm. :)