Wednesday, July 21, 2010

How To : Can Access Policies Manage The Life-cycle Of Users Created via Reconciliation?

Currently, the policy engine can manage the life cycle of a resource only if the Resource Object was provisioned through an OIM access policy.

If the resource was reconciled instead, OIM does not retrofit the reconciled data against the existing access policies, so OIM cannot manage those users through access policies. This holds whether the users were obtained through trusted reconciliation or target reconciliation. Note that OIM has no way of knowing how accounts were created before OIM was deployed.

Before OIM was integrated with the target, accounts may have been created directly in the target for any number of reasons: policies in the target, requests, direct assignment by a delegated administrator, or some other means such as a bulk upload from an HR system, another application, or a meta-directory product. OIM cannot start de-provisioning accounts or entitlement assignments merely because the new policies defined in OIM would not have provisioned that account or entitlement to the user. For accounts discovered by reconciliation, access policies can only add entitlements. Once new accounts are provisioned from OIM, however, OIM knows the context in which they were provisioned and can correctly de-provision them based on the "revoke if no longer applies" flag.

One way to bring such accounts under policy control is to cleanse the existing data before integrating the target with OIM, or to run manual attestation in OIM to cleanse it. Once the data has been cleansed and loaded into OIM, OIM can be configured to manage the accounts from that point on.
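To make the distinction concrete, here is a small Python model of the behaviour described above. It is an added example, not OIM code and not the OIM API: the group-based policy matching, the `provenance` field, the `granted_by` link, the `revoke_if_no_longer_applies` flag and the sample users, policy and accounts are all assumptions constructed for illustration. It shows why an account discovered by reconciliation is never revoked by the policy engine and can only gain entitlements, and it reports such accounts as candidates for the manual attestation / data cleansing step.

```python
"""Toy model of how an OIM-style policy engine treats policy-provisioned vs
reconciled accounts. Added example, not OIM code: the data model, the
group-based policy matching and the sample data below are assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AccessPolicy:
    name: str
    groups: FrozenSet[str]        # policy applies to users in any of these groups (assumed rule)
    resource: str
    entitlements: FrozenSet[str]
    revoke_if_no_longer_applies: bool = True


@dataclass
class Account:
    user: str
    resource: str
    provenance: str               # "policy" (provisioned by OIM) or "recon" (discovered)
    entitlements: Set[str]
    granted_by: Optional[str] = None   # provisioning policy; known only for "policy" accounts


def applicable_policies(policies: List[AccessPolicy], groups: FrozenSet[str],
                        resource: str) -> List[AccessPolicy]:
    return [p for p in policies if p.resource == resource and p.groups & groups]


def run_policy_engine(user_groups: Dict[str, FrozenSet[str]],
                      policies: List[AccessPolicy],
                      accounts: List[Account]
                      ) -> Tuple[List[Account], List[Account], List[Tuple[str, str, str]]]:
    """Evaluate every account once.

    Returns (kept, revoked, needs_attestation). Only accounts with provenance
    "policy" can be revoked; "recon" accounts are kept regardless, gain any
    entitlements the applicable policies grant, and are flagged for manual
    attestation when no policy would have provisioned them or when they carry
    entitlements no policy grants.
    """
    by_name = {p.name: p for p in policies}
    kept: List[Account] = []
    revoked: List[Account] = []
    attest: List[Tuple[str, str, str]] = []

    for acct in accounts:
        groups = user_groups.get(acct.user, frozenset())
        applies = applicable_policies(policies, groups, acct.resource)
        granted: Set[str] = set()
        for p in applies:
            granted |= p.entitlements

        if acct.provenance == "policy":
            source = by_name[acct.granted_by]
            if source not in applies and source.revoke_if_no_longer_applies:
                revoked.append(acct)          # OIM created this account, so it may remove it
                continue
            acct.entitlements = set(granted)  # engine owns the entitlement set it provisioned
            kept.append(acct)
            continue

        # provenance == "recon": no provisioning context, so never revoke
        acct.entitlements |= granted          # policies may only add entitlements here
        kept.append(acct)
        if not applies:
            attest.append((acct.user, acct.resource,
                           "no access policy would provision this account"))
        else:
            extra = acct.entitlements - granted
            if extra:
                attest.append((acct.user, acct.resource,
                               "entitlements not granted by any policy: " + ", ".join(sorted(extra))))
    return kept, revoked, attest


def demo():
    """Constructed sample data: one policy, two policy-provisioned accounts, two reconciled ones."""
    user_groups = {
        "alice": frozenset({"finance"}),
        "carol": frozenset(),               # left finance; the policy no longer applies
        "bob": frozenset({"contractor"}),
        "dave": frozenset({"finance"}),
    }
    policies = [AccessPolicy("FIN-AD", frozenset({"finance"}), "AD", frozenset({"fin-share"}))]
    accounts = [
        Account("alice", "AD", "policy", {"fin-share"}, granted_by="FIN-AD"),
        Account("carol", "AD", "policy", {"fin-share"}, granted_by="FIN-AD"),
        Account("bob", "AD", "recon", {"domain-admins"}),               # pre-OIM direct assignment
        Account("dave", "AD", "recon", {"fin-share", "backup-ops"}),    # pre-OIM, partly policy-like
    ]
    return run_policy_engine(user_groups, policies, accounts)


if __name__ == "__main__":
    kept, revoked, attest = demo()
    print("revoked:", [a.user for a in revoked])
    for user, resource, reason in attest:
        print(f"attest {user}@{resource}: {reason}")
```

Running `demo()` revokes only carol's account, because OIM provisioned it and the policy that did so no longer applies. Bob's and dave's reconciled accounts survive untouched apart from any entitlements the policy adds; they appear in the attestation list, which is the data-cleansing work the post describes as the precondition for letting OIM manage them.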


Regards,
SunShine
