Wednesday, July 21, 2010

Is it Possible to Change the AD Organization Name from an Access Policy?

There is a small confusion in the way access policies work for AD. Once an access policy is created and assigned to a group, whenever a user is added to that group the access policy is applied to him and the AD User resource is provisioned to him.

Now open the access policy you created. If you change the group membership on the Active Directory process form (child form) in the access policy, it works and the change is updated on the target side. But if you update the Organization name on the Active Directory process form (parent form), the change is reflected neither on the target side nor on the OIM side. One may then wonder why a change in the child form is reflected while a change in the parent form is not.


According to development this behaviour is correct. The documentation says: "Access policy engine checks if the resource is already provisioned to the user. If it is, then the resource will not be provisioned again. [...] After this, it checks the list of policies being newly added to see if any of them specify child table data for this resource. If they do, then the appropriate child table entries need to be made in the process form for this resource."


This explains why the change to the organization has no effect (the resource is not provisioned again) while the change to the child form does (new child table entries are added). Any change to the child table data in the policy is reflected, but changes to the parent form, such as the organization name, are not, so an organization change for an account that already exists has to be made by means other than editing the access policy.

Regards,
Sunny Ajmera

How To : Can Access Policies Manage The Life-cycle Of Users Created via Reconciliation?

Currently the policy engine can manage the life cycle of a resource only if the resource object was provisioned via an OIM access policy.

If the resource was reconciled, OIM does not retrofit the data of the reconciled resource against the existing access policies, so OIM cannot manage those users with access policies. This holds whether the users came in through trusted reconciliation or target reconciliation. Please note that OIM has no way of knowing how accounts were created before OIM was deployed.

Before OIM was integrated with the target, accounts may have been created directly in the target based on policies, by request, by direct assignment from a delegated administrator, or by any other means (a bulk upload from an HR system, some other application, or a meta-directory product). OIM cannot start de-provisioning those accounts or entitlement assignments merely because the policies newly defined in OIM would not have provisioned the account or entitlement to the user. Access policies can only assign additional entitlements to accounts discovered by reconciliation. Once new accounts are provisioned from OIM, however, OIM knows the context in which they were provisioned and can correctly de-provision them based on the "revoke if no longer applies" flag.

One way to handle this is to cleanse the existing data before integrating the target into OIM, or to run a manual attestation in OIM to cleanse the data. Once the data is cleansed and loaded into OIM, OIM can be configured to manage the accounts from then on.


Regards,
SunShine
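The two posts above describe the same engine logic from two sides: an account that already exists is never re-provisioned from the policy's parent form (only its child table data is merged in), and only accounts that OIM itself provisioned by policy are revoked when no policy applies any more, because reconciled accounts carry no provisioning context. The following Python model walks through both cases on constructed data. It is added here for illustration and is not OIM code; the class and function names, the "provisioned_by" marker, and the use of the organization name and group membership as parent and child data are assumptions made for the walk-through.

```python
"""Model of the OIM access-policy evaluation order described in the two posts above.

Illustrative code added to this page, not OIM's implementation. The names, the
'provisioned_by' marker and the sample data are assumptions for the walk-through.
"""
from dataclasses import dataclass, field


@dataclass
class AccessPolicy:
    name: str
    resource: str                 # resource object, e.g. "AD User"
    parent: dict                  # parent process-form data, e.g. the organization name
    child: dict                   # child table name -> set of rows, e.g. group memberships
    revoke_if_no_longer_applies: bool = True


@dataclass
class Account:
    resource: str
    parent: dict
    child: dict
    provisioned_by: str           # "policy" (OIM created it) or "recon" (discovered in the target)
    granted_by: set = field(default_factory=set)   # policies that have contributed to it
    revoke: bool = False          # "revoke if no longer applies" captured at provisioning time


def evaluate(accounts: dict, applicable: list) -> dict:
    """One policy-engine pass for a single user.

    accounts:   resource name -> Account the user currently holds (mutated and returned)
    applicable: access policies the user's current group memberships grant
    """
    applicable_names = {p.name for p in applicable}
    for p in applicable:
        acct = accounts.get(p.resource)
        if acct is None:
            # Not provisioned yet: provision with the policy's parent and child form data.
            accounts[p.resource] = Account(
                p.resource, dict(p.parent), {t: set(rows) for t, rows in p.child.items()},
                "policy", {p.name}, p.revoke_if_no_longer_applies)
            continue
        # Already provisioned: the engine does not provision again, so the parent form
        # (organization name) is left alone; only child table entries are added.
        for table, rows in p.child.items():
            acct.child.setdefault(table, set()).update(rows)
        acct.granted_by.add(p.name)
    # Revocation needs the provisioning context. Accounts OIM provisioned by policy are
    # revoked once no granting policy applies; reconciled accounts have no such context
    # and are left in place (policies can only add entitlements to them).
    for resource, acct in list(accounts.items()):
        if acct.provisioned_by == "policy" and acct.revoke and not (acct.granted_by & applicable_names):
            del accounts[resource]
    return accounts


AD = "AD User"


def parent_vs_child_change():
    """First post: editing the policy's organization is ignored, editing its groups is applied."""
    p = AccessPolicy("Sales policy", AD, {"organization": "OU=Sales"}, {"groups": {"CN=Sales"}})
    accounts = evaluate({}, [p])                    # user joins the group: AD User provisioned
    p.parent["organization"] = "OU=Marketing"       # edit the parent form in the policy
    p.child["groups"].add("CN=Marketing")           # edit the child form in the policy
    accounts = evaluate(accounts, [p])              # policy re-evaluated for the same user
    # organization stays OU=Sales, groups now hold CN=Sales and CN=Marketing
    return accounts[AD].parent["organization"], accounts[AD].child["groups"]


def reconciled_vs_policy_account():
    """Second post: a reconciled account survives losing the policy, a policy-provisioned one does not."""
    p = AccessPolicy("Sales policy", AD, {"organization": "OU=Sales"}, {"groups": {"CN=Sales"}})
    # Constructed account that existed in AD before OIM and was picked up by target reconciliation
    legacy = {AD: Account(AD, {"organization": "OU=Legacy"}, {"groups": {"CN=Legacy"}}, "recon")}
    legacy = evaluate(legacy, [p])            # the policy can only add the entitlement
    legacy = evaluate(legacy, [])             # user leaves the group: nothing is revoked
    fresh = evaluate(evaluate({}, [p]), [])   # same sequence for an account OIM provisioned
    # reconciled account keeps CN=Legacy and CN=Sales; the OIM-provisioned one is gone
    return legacy[AD].child["groups"], legacy[AD].provisioned_by, AD in fresh


if __name__ == "__main__":
    print(parent_vs_child_change())
    print(reconciled_vs_policy_account())
```

The model merges child rows on every pass rather than only for newly added policies, which is the behaviour the first post observes; the revocation step only ever touches accounts whose `provisioned_by` is "policy", which is why the cleansing step in the second post matters before OIM is asked to manage pre-existing accounts.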

How to Delete Access Policy in OIM

The general instructions for removing an access policy from a group can be found in the Administrative and User Console Guide, Chapter 10, Creating and Managing User Groups. A link to that chapter in the 9.1 version is below:
http://download.oracle.com/docs/cd/E10391_01/doc.910/e10360/usergroups.htm#BACCGCGB

This removes the policy from the group but does not delete the policy itself from the Oracle Identity Manager (OIM) server. Enhancement Request Bug 5179943 asks for that complete delete feature, and it has been approved for inclusion in a future release of OIM (the 11g version).

Tuesday, July 20, 2010

Sun Role Manager 5.0.3 Quick Installation Guide on WebLogic

Although you can find the SRM 5.0.3 Installation guide at http://wikis.sun.com/display/Srm503Docs/Part+II+-+Installing+Sun+Role+Manager, somehow I didn't find it easy enough to wrap up the installation in a quick 15 minutes, so I decided to try it on my own and come up with my own "How to Install SRM 5.0.3 on WebLogic in 15 minutes" guide.

Here it goes:
1. Preparing Oracle Database
Execute the following SQL files, in the order listed:
• rbacx-5.0.0_oracle_schema.sql
• migrate-rbacx-5.0.0To5.0.1-oracle.sql
2. Download Third Party Jar Files
• jasper-jdt.jar
• ojdbc14.jar
3. Preparing Application Server
Copy ojdbc14.jar into the lib folder of your WebLogic application server.
4. Installing Sun Role Manager 5.0.3
• Create a folder E:\SRM; this will be your RBACX_HOME.
• Create another folder RM_5.0 under E:\SRM and unzip the SRM installable under this RM_5.0 folder.
• Create another folder named rbacx under RBACX_HOME.
• Copy the rbacx.war file from E:\SRM\RM_5.0 to the E:\SRM\rbacx folder and extract it there using the jar utility (take a backup of rbacx.war before extracting it).
• Move the export and import folders from the sample folder, and the indexes, reports and conf folders, from your SRM installable to E:\SRM.
• Create another folder called logs under E:\SRM. The structure of your RBACX_HOME (E:\SRM) should now look like this:
.
indexes
conf
export
import
logs
rbacx
reports
RM_5.0
• Move the jdbc.properties file from E:\SRM\conf\oracle to E:\SRM\conf and update the database details.
• Open the iam.properties file and change the location of the export and import folders to E:\SRM\export and E:\SRM\import.
• Navigate to the E:\SRM\rbacx\WEB-INF folder (the folder where you extracted rbacx.war).
• Copy the two jar files downloaded in Section 2 to the E:\SRM\rbacx\WEB-INF\lib folder.
• Open the log4j.properties file under E:\SRM\rbacx\WEB-INF and set the log file location as follows:
log4j.appender.file.file=E:/SRM/logs/rbacx.log
Use forward slashes (or doubled backslashes) here: a single backslash is an escape character in Java .properties files, so a path written as E:\SRM\logs\rbacx.log is not read as intended.
• Open the WebLogic console, click Deployments (Lock & Edit if required) and browse to the E:\SRM\rbacx folder. Make sure that you see all the files under the rbacx folder.
• Make sure that the name of the deployment is rbacx and deploy it as an application.
• Click Finish and Save. Click Activate Changes if required.
• Click Deployments, select rbacx and then click Start > Servicing all Requests.
• Click Yes to start the deployment. A status of Start Running indicates that SRM has been deployed successfully; the status will then change to Active.
• Open a browser and enter the URL of the SRM console.
• Log in with "rbacxadmin" as the username and "password" as the password, and we are done. Change this default password immediately after the first login, before the console is reachable by anyone else.
I was able to complete the installation using the above steps in 15 minutes and hope that whoever reads and follows them can do it in the same time.
Regards,
SunShine
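The folder shuffle in step 4 is easy to get subtly wrong (a folder left under sample, jdbc.properties left under conf\oracle, a backslash path in log4j.properties). The script below, added to this page and not part of the SRM distribution, lays out RBACX_HOME from an unzipped installable with the same structure the post describes and writes the log4j path in a form Java's .properties parser accepts. It assumes the unzipped installable contains rbacx.war, sample/export, sample/import, indexes, reports and conf/oracle/jdbc.properties; the function names and the constructed stand-in installable used by `demo()` are assumptions for the illustration, and editing the database details and iam.properties is still left to you.

```python
"""Lay out RBACX_HOME for Sun Role Manager 5.0.3 on WebLogic.

Added helper, not part of the SRM distribution: it reproduces the folder shuffle
from the post with pathlib/shutil and writes the log4j path with forward slashes.
"""
import shutil
import tempfile
import zipfile
from pathlib import Path


def prepare_rbacx_home(installable: Path, rbacx_home: Path, extra_jars: list) -> dict:
    """Build RBACX_HOME from an unzipped SRM installable.

    installable: unzipped SRM 5.0.3 distribution; assumed to hold rbacx.war,
                 sample/export, sample/import, indexes, reports, conf/oracle/jdbc.properties
    rbacx_home:  target RBACX_HOME, e.g. E:\\SRM
    extra_jars:  third-party jars (jasper-jdt.jar, ojdbc14.jar) for WEB-INF/lib
    """
    rbacx_home.mkdir(parents=True, exist_ok=True)
    rm = rbacx_home / "RM_5.0"
    if installable.resolve() != rm.resolve():
        shutil.copytree(installable, rm, dirs_exist_ok=True)
    # Explode the war into RBACX_HOME/rbacx; the copy in RM_5.0 stays untouched as the backup
    exploded = rbacx_home / "rbacx"
    with zipfile.ZipFile(rm / "rbacx.war") as war:
        war.extractall(exploded)
    # export/import live under sample/ in the distribution; the rest sit at its root
    for src, dst in [("sample/export", "export"), ("sample/import", "import"),
                     ("indexes", "indexes"), ("reports", "reports"), ("conf", "conf")]:
        shutil.copytree(rm / src, rbacx_home / dst, dirs_exist_ok=True)
    (rbacx_home / "logs").mkdir(exist_ok=True)
    # The Oracle jdbc.properties moves up to conf/; the connection details still need editing
    conf = rbacx_home / "conf"
    shutil.move(str(conf / "oracle" / "jdbc.properties"), str(conf / "jdbc.properties"))
    lib = exploded / "WEB-INF" / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    for jar in extra_jars:
        shutil.copy2(jar, lib / Path(jar).name)
    # Backslash is an escape character in Java .properties files, so a bare
    # E:\SRM\logs\rbacx.log would be mangled; write the path with forward slashes.
    log_path = (rbacx_home / "logs" / "rbacx.log").as_posix()
    log4j = exploded / "WEB-INF" / "log4j.properties"
    lines = [f"log4j.appender.file.file={log_path}" if l.startswith("log4j.appender.file.file=") else l
             for l in log4j.read_text().splitlines()]
    log4j.write_text("\n".join(lines) + "\n")
    return {"home": rbacx_home, "jdbc": conf / "jdbc.properties", "log4j": log4j, "log_path": log_path}


def make_sample_installable(root: Path) -> Path:
    """Constructed stand-in for the unzipped SRM distribution, used only for the demo."""
    dist = root / "SRM_5.0.3"
    for d in ["sample/export", "sample/import", "indexes", "reports", "conf/oracle"]:
        (dist / d).mkdir(parents=True)
    (dist / "conf" / "oracle" / "jdbc.properties").write_text("jdbc.url=jdbc:oracle:thin:@dbhost:1521:orcl\n")
    (dist / "conf" / "iam.properties").write_text("# edit export/import locations here\n")
    with zipfile.ZipFile(dist / "rbacx.war", "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/log4j.properties",
                     "log4j.rootLogger=INFO, file\nlog4j.appender.file.file=rbacx.log\n")
    jar = root / "ojdbc14.jar"
    jar.write_bytes(b"PK\x05\x06" + b"\x00" * 18)   # empty zip, stands in for the real driver
    return dist


def demo() -> dict:
    """Run the layout against the constructed installable in a temp dir and return the result."""
    root = Path(tempfile.mkdtemp())
    dist = make_sample_installable(root)
    out = prepare_rbacx_home(dist, root / "SRM", [root / "ojdbc14.jar"])
    out["top_level"] = sorted(p.name for p in out["home"].iterdir())
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point `prepare_rbacx_home` at the real unzipped distribution and E:\SRM to reproduce step 4 on a Windows host; `demo()` only exercises it against the constructed layout so the result (the RBACX_HOME tree from the post, jdbc.properties moved up into conf, the jar in WEB-INF/lib and a slash-separated log path) can be checked offline.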