Provisioning By AccessPolicy

Provisioning based on policies.

This is about how to provision a Resource to a User automatically when the User is created.

Documentation

  1. Managing Access Policies chapter in UserDoc

The rest of this page is a citation from this chapter.

Provisioning Options

Whenever an AccessPolicy is applied, the Resources are directly provisioned to the user without any request being generated.

Revoking the AccessPolicy

Oracle Identity Manager policies are not applied to subroles. Policies are only applied to direct-membership users (that is, users who are not in subroles) in the roles that are defined on the policies. You can specify if a Resource in an AccessPolicy must be revoked when the AccessPolicy no longer applies. If you do so, then these Resources are automatically revoked from the users by Oracle Identity Manager when the AccessPolicy no longer applies to the users.

Denying a Resource

While creating an AccessPolicy, you can select Resources to be denied along with Resources to be provisioned for roles. If you first select a Resource for provisioning and then select the same Resource to be denied, then Oracle Identity Manager removes the Resource from the list of Resources to be provisioned. If two policies are defined for a role in which one is defined to provision a Resource and the other is defined to deny the Resource, then Oracle Identity Manager does not provision the Resource irrespective of the priority of the policies.

Evaluating Policies

In Oracle Identity Manager, policies can be evaluated in the following scenarios:

  • When a user is made a part of a role or removed from a role. The AccessPolicy for the user is evaluated as part of the add or remove operation.
  • If the retrofit flag is set for the AccessPolicy. These evaluations do not happen immediately after the action. Instead, they happen during the next run of the Evaluate User Policies ScheduleTask. The evaluations can happen in the following scenarios:
    • AccessPolicy definition is updated so that the retrofit flag is set to ON. Policies are evaluated for all applicable users.
    • A Role is added or removed from the AccessPolicy definition. Policies are evaluated only for Roles that are added or removed.
    • A Resource is added, removed, or the Revoke If No Longer Applies flag value is changed for the Resource. Policies are evaluated for all applicable users.
    • When AccessPolicy data is updated or deleted. This includes both parent and child form data. Policies are evaluated for all applicable Users.

AccessPolicy Priority

AccessPolicy priority is a numeric field containing a number that is unique for each AccessPolicy you create. The lower the number, the higher the priority of the AccessPolicy. For example, if you specify Priority = 1, it means that the AccessPolicy has the highest priority. When you define policies through Oracle Identity Manager Administrative and User Console, the value 1 is always added to the value of the current lowest priority and the resultant value is automatically populated in the Priority field. Changing this value to a different number might result in readjusting the priority of all the other policies, thus ensuring that the priorities remain consistent. The following actions are associated with the priority number:

  • If the priority number entered is less than 1, then Oracle Identity Manager will change the value to 1 (highest priority).
  • If the priority number entered is greater than M, in which M is the current lowest priority, then Oracle Identity Manager will specify the value as less than or equal to M+1.
  • Two policies cannot have the same priority number. Therefore, assigning an already existing priority number to an AccessPolicy will lower the priority by 1 for all policies of lesser priority.

Conflicts can arise from multiple policies being applied to the same user. Because a single instance of a Resource is provisioned to the user through policies, Oracle Identity Manager uses the highest priority AccessPolicy data for a parent form. For child forms, Oracle Identity Manager uses cumulative records from all applicable policies.
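
The conflict rules above (a deny wins irrespective of priority, parent form data comes from the highest-priority policy, child form records accumulate) can be modelled to audit what a user in several roles ends up with. This is an added example, not Oracle Identity Manager code; the policy names, roles, resources and form fields are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class AccessPolicy:
    name: str
    priority: int                                   # lower number = higher priority
    roles: set                                      # roles the policy is defined on
    provision: dict = field(default_factory=dict)   # resource -> (parent_form, child_rows)
    deny: set = field(default_factory=set)          # resources this policy denies

def effective_resources(direct_roles, policies):
    """Resolve what is provisioned for a user's DIRECT role memberships (subroles excluded)."""
    applicable = [p for p in policies if p.roles & direct_roles]
    # A deny in any applicable policy blocks the resource, whatever the priorities are.
    denied = set().union(*(p.deny for p in applicable))
    result = {}
    for pol in sorted(applicable, key=lambda p: p.priority):   # highest priority first
        for resource, (parent, child_rows) in pol.provision.items():
            if resource in denied:
                continue
            # First policy seen is the highest priority: it supplies the parent form data.
            entry = result.setdefault(
                resource, {"parent": dict(parent), "child": [], "source": pol.name})
            for row in child_rows:                  # child form records are cumulative
                if row not in entry["child"]:
                    entry["child"].append(row)
    return result

# Constructed sample policies (hypothetical names and values).
POLICIES = [
    AccessPolicy("HelpdeskBase", 2, {"Helpdesk"},
                 provision={"AD User": ({"OU": "ou=Helpdesk"}, ["grp-helpdesk"]),
                            "Ticketing": ({"Tier": "1"}, [])}),
    AccessPolicy("AdminTools", 1, {"ServerAdmins"},
                 provision={"AD User": ({"OU": "ou=Admins"}, ["grp-server-admins"])}),
    AccessPolicy("ContractorLimits", 3, {"Contractors"}, deny={"Ticketing"}),
]

def demo():
    return effective_resources({"Helpdesk", "ServerAdmins", "Contractors"}, POLICIES)

if __name__ == "__main__":
    print(demo())
```

The child list is the part to review during an entitlement audit: a user who sits in several roles receives the union of child records (here, both group memberships) on a single account, while the lowest-priority policy's deny still removes Ticketing.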

AccessPolicy Data

There are multiple ways in which Form data is supplied for Resources during provisioning. The following is the order of preference built into Oracle Identity Manager:

  1. Default values from the Form definition
  2. Organization defaults
  3. Values obtained through data flow from data set to Form
  4. Prepopulate Adapters
  5. AccessPolicy data if Resource is provisioned because of an AccessPolicy
  6. Data updated by ProcessTask or Entity Adapters

If a given option is available, then the rest of the options that are at a lower order of preference are overridden. For example, if Option 4 is available, then Options 3, 2, and 1 are ignored.

Tables

  1. POL - AccessPolicy master
  2. POC - AccessPolicy2Form
  3. OIU - ResourceAccount
  4. POF - AccessPolicyFieldDefinition
  5. POG - AccessPolicy2Group
  6. POP - AccessPolicy2Resource
  7. RQO - Request2Resource
  8. UPD - AccessPolicyProfileDetail
  9. UHD - AccessPolicyProfileHistoryDetail
  10. all RA_xxx tables

Blogs

  1. Provisioning Active Directory best practices by Martin Sandren

Forum

  1. [https://forums.oracle.com/forums/thread.jspa?threadID=2299863]