Access Policy Harvesting is very common but important feature of Oracle Identity Manager. It is very complicated feature too :) In the last deployment we faced some weird issue with Access Policy Harvesting. In earlier versions of OIM, we used to follow steps mentioned in my other blog post (Click Here)
Details & Workaround:
RBAC solution is implemented for an application. Few roles of that application were already integrated earlier and now application team added few new roles and assigned the membership from the backend.
Now when we reconciled newly added roles and ran Access Policy Harvesting job (Evaluate User Policy) after assignment of OIM Roles, OIM didn't do AP Harvesting for newly added entitlements ONLY for few users.
AP Harvesting worked for few users for same set of entitlement and role but it didn't happen for other users having same role and entitlement. We tried to evaluate the Access Policies multiple times but no luck. On debugging, I found that accounts for such users (for who AP Harvesting didn't happen) were created by OIM through Provisioning Mechanism and that's why OIM was skipping those accounts while evaluating access policies.
I had to change the Provisioning Mechanism of such account to "AP Harvested" from the database and evaluate the access policies again AND everything worked like a charm. :)
Details & Workaround:
RBAC solution is implemented for an application. Few roles of that application were already integrated earlier and now application team added few new roles and assigned the membership from the backend.
Now when we reconciled newly added roles and ran Access Policy Harvesting job (Evaluate User Policy) after assignment of OIM Roles, OIM didn't do AP Harvesting for newly added entitlements ONLY for few users.
AP Harvesting worked for few users for same set of entitlement and role but it didn't happen for other users having same role and entitlement. We tried to evaluate the Access Policies multiple times but no luck. On debugging, I found that accounts for such users (for who AP Harvesting didn't happen) were created by OIM through Provisioning Mechanism and that's why OIM was skipping those accounts while evaluating access policies.
I had to change the Provisioning Mechanism of such account to "AP Harvested" from the database and evaluate the access policies again AND everything worked like a charm. :)
No comments:
Post a Comment