It's all about IAM

Access Policy Issue for Reconciliation

Requirement


In OIM projects we commonly face the following requirement:

1) Link the existing target-system accounts of existing users to their OIM users.
2) Provision access to new users automatically, based on their attributes, as they get created in OIM.
3) Manage the access of all users through its life-cycle: Revoke, Enable and Disable.

Expected Solution


1) For linking existing accounts, we run Target Reconciliation.
2) For provisioning new access, we use an Access Policy.
3) For revocation, we select the "Revoke If No Longer Applies" check-box while creating the Access Policy.

Known Issue


There is a known issue here: accounts that were linked to users by Target Reconciliation are not marked as policy-based and carry no policy key, so an Access Policy does not manage them afterwards (no revoke when the user leaves the policy's scope, no policy-driven update). Oracle documents this in the following Support note:

Can Access Policies Manage The Life-cycle Of Users Created via Reconciliation? [ID 1136540.1]

Workaround


After the initial (full) Target Reconciliation, run the following for every reconciled user and for each of that user's account instances. $USER_KEY, $POLICY_KEY and $ORC_KEY are placeholders: USR.USR_KEY of the user, POL.POL_KEY of the Access Policy that should own the account, and the ORC_KEY of the account's provisioning instance. Take a database backup first, try it in a test environment, and keep in mind that direct updates to the OIM schema are only supported when an Oracle Support note instructs you to make them.

-- Flag the user so the "Evaluate User Policies" scheduled job re-evaluates the user's access policies
Update USR set USR_POLICY_UPDATE=1 where USR_KEY=$USER_KEY;
COMMIT;

-- Mark the account instance as policy-based, link it to the policy and allow the policy to revoke it
Update OIU set OIU_POLICY_REVOKE=1, POL_KEY=$POLICY_KEY, OIU_POLICY_BASED=1 where ORC_KEY=$ORC_KEY;
COMMIT;

Then run the "Evaluate User Policies" scheduled job so that the flagged users get processed.
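Applying those two updates account by account does not scale to a full reconciliation, so below is an added example (not the post's own code) that does the same thing in bulk for one resource object and the access policy that should own it. It assumes the OIM 11g schema names used above plus OBI, OBJ and POL for resolving names to keys; the object and policy names are placeholders, and it assumes that every still-unlinked account of that object belongs to that policy (true for an all-users policy, not for a policy scoped to a role).

```sql
-- Added example, not code from the original post: apply the workaround in bulk for
-- one resource object / access policy pair, with a preview and a verification step.
-- Assumptions: OIM 11g schema (USR, OIU, OBI, OBJ, POL) with the columns the post
-- uses; the object and policy names are placeholders; every still-unlinked account
-- of that object should be owned by that policy (an all-users policy). For a policy
-- scoped to a role, add a membership filter to the IN-lists below.
-- Run on a copy of the schema first, and only inside a change window with a backup.

DEFINE obj_name = 'AD User'           -- placeholder: OBJ.OBJ_NAME of the resource
DEFINE pol_name = 'AD Access Policy'  -- placeholder: POL.POL_NAME of the policy

-- 1. Preview the account instances that reconciliation created without a policy link.
SELECT u.usr_login, oiu.oiu_key, oiu.orc_key,
       oiu.oiu_policy_based, oiu.oiu_policy_revoke, oiu.pol_key
  FROM oiu
  JOIN obi ON obi.obi_key = oiu.obi_key
  JOIN obj ON obj.obj_key = obi.obj_key
  JOIN usr u ON u.usr_key = oiu.usr_key
 WHERE obj.obj_name = '&obj_name'
   AND oiu.pol_key IS NULL;

-- 2. Flag those users so the "Evaluate User Policies" job re-evaluates them.
--    Must run BEFORE step 3, because step 3 fills POL_KEY and the filter stops matching.
UPDATE usr
   SET usr_policy_update = 1
 WHERE usr_key IN (SELECT oiu.usr_key
                     FROM oiu
                     JOIN obi ON obi.obi_key = oiu.obi_key
                     JOIN obj ON obj.obj_key = obi.obj_key
                    WHERE obj.obj_name = '&obj_name'
                      AND oiu.pol_key IS NULL);

-- 3. Link the account instances to the policy and mark them policy based.
--    OIU_POLICY_REVOKE=1 mirrors a policy created with "Revoke If No Longer Applies".
UPDATE oiu
   SET oiu_policy_based  = 1,
       oiu_policy_revoke = 1,
       pol_key = (SELECT pol_key FROM pol WHERE pol_name = '&pol_name')
 WHERE oiu_key IN (SELECT oiu.oiu_key
                     FROM oiu
                     JOIN obi ON obi.obi_key = oiu.obi_key
                     JOIN obj ON obj.obj_key = obi.obj_key
                    WHERE obj.obj_name = '&obj_name'
                      AND oiu.pol_key IS NULL);

COMMIT;

-- 4. Verify: nothing left unlinked for this object, and the linked rows point at the policy.
SELECT COUNT(*) AS still_unlinked
  FROM oiu
  JOIN obi ON obi.obi_key = oiu.obi_key
  JOIN obj ON obj.obj_key = obi.obj_key
 WHERE obj.obj_name = '&obj_name'
   AND oiu.pol_key IS NULL;

SELECT p.pol_name, COUNT(*) AS linked_accounts
  FROM oiu
  JOIN pol p ON p.pol_key = oiu.pol_key
  JOIN obi ON obi.obi_key = oiu.obi_key
  JOIN obj ON obj.obj_key = obi.obj_key
 WHERE obj.obj_name = '&obj_name'
 GROUP BY p.pol_name;
```

The preview in step 1 is the check worth insisting on: the row count it returns should match the number of accounts you expect the policy to take over, and nothing else. If the target holds revoked account instances you do not want relinked, add a status filter on OIU before running steps 2 and 3. After the COMMIT, run the "Evaluate User Policies" scheduled job and spot-check one user whose policy no longer applies to confirm the revoke now fires.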




Disclaimer

All content provided on this blog is for informational purposes only. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information.