Thursday, July 12, 2012

OIM-OAM Integration (LDAP Synch): LDAP User Create and Update Reconciliation task Doesn't work

Issue: LDAP User Create and Update Reconciliation task doesn't create/update the user/role in Directory Server


Troubleshooting Notes:


Kevin Pinsky -

When you configure OVD and your Change Log Adapter, you have it configured to only record changes by users in the modifyDNFilter value. To record any changes not made by the admin account, use the value "!(modifiersname=cn=orcladmin)" in the plugin. Now, if you modify a user with an account other than cn=orcladmin, your scheduled task will pick up the latest changelog events and create recon events for them. I assume this would work with newly created users as well. You'll also notice your scheduled task will update the Last Change Number attribute to the last value reconciled.

Manish Gupta

1. Tactical solution we used was to unlock the users manually in OID (ODSM) or OIM (OIM Console), and run full/incremental reconciliation.

2. Permanent solution was provided by a patch to OIM 11.1.1.5.2, as a response to our SR:

a. Upgrade the OIM to 11.1.1.5.2 (i.e. BP 02);
b. Apply one-off patch # 12390753

Above happened in our case when OAM & OIM were integrated.
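The changelog-driven incremental reconciliation that the notes above describe, as an added example (not Oracle or OVD code): a cursor on the Last Change Number, a modifiersName filter in front of it, and the effect that filter has on which changes the task ever sees. The changelog entries and DNs are constructed sample data, and the filter is spelled in standard RFC 4515 syntax.

```python
"""Incremental reconciliation driven by an LDAP changelog: an added illustration of the
mechanism discussed in the troubleshooting notes, not Oracle or OVD code.
The DNs and entries below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangeLogEntry:
    change_number: int   # monotonically increasing changelog sequence number
    target_dn: str       # entry that was changed
    change_type: str     # "add", "modify" or "delete"
    modifiers_name: str  # DN that made the change (modifiersName operational attribute)


def not_modified_by(dn):
    """Predicate equivalent to the RFC 4515 filter (!(modifiersName=<dn>)).
    DNs are compared case-insensitively, as a directory server would."""
    wanted = dn.lower()
    return lambda entry: entry.modifiers_name.lower() != wanted


def reconcile(changelog, last_change_number, accept):
    """Replay changelog entries newer than the stored cursor that pass the adapter
    filter, producing one reconciliation event per visible change.

    Returns (events, new_last_change_number). The cursor moves to the highest
    change number the task actually received; entries hidden by the filter
    produce no events and do not advance it."""
    events = []
    cursor = last_change_number
    for entry in sorted(changelog, key=lambda e: e.change_number):
        if entry.change_number <= last_change_number:
            continue                      # already reconciled in an earlier run
        if not accept(entry):
            continue                      # hidden by the changelog adapter filter
        events.append((entry.change_type, entry.target_dn))
        cursor = entry.change_number
    return events, cursor


# Constructed sample changelog: two changes made by the directory admin account,
# two made by other identities (a service account and an HR feed).
SAMPLE_CHANGELOG = [
    ChangeLogEntry(101, "cn=alice,cn=users,dc=example,dc=com", "add", "cn=orcladmin"),
    ChangeLogEntry(102, "cn=bob,cn=users,dc=example,dc=com", "modify",
                   "cn=svc_oim,cn=users,dc=example,dc=com"),
    ChangeLogEntry(103, "cn=carol,cn=users,dc=example,dc=com", "modify", "CN=ORCLADMIN"),
    ChangeLogEntry(104, "cn=dave,cn=users,dc=example,dc=com", "delete",
                   "cn=hr_feed,cn=users,dc=example,dc=com"),
]

if __name__ == "__main__":
    # Same intent as the adapter filter in the note: exclude changes made by cn=orcladmin.
    events, cursor = reconcile(SAMPLE_CHANGELOG, 100, not_modified_by("cn=orcladmin"))
    for change_type, dn in events:
        print(f"recon event: {change_type:<6} {dn}")
    print("Last Change Number ->", cursor)
```

Run as-is, the two changes made by cn=orcladmin (101 and 103) never become recon events: they are exactly what a filter excluding the admin account hides, which is worth remembering when a test modification made while bound as cn=orcladmin appears to be ignored by the scheduled task.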

Wednesday, July 21, 2010

Is it Possible to Change the AD Organization Name from an Access Policy?

There is a small confusion about the way access policies work for AD. Once an access policy is created and assigned to a group, whenever a user is added to that group the access policy is applied to him and the AD User resource is provisioned to him.

Now open the access policy you created. If you change the group membership on the Active Directory process form (the child form) in the access policy, the change works and is updated on the target side. But if you update the Organization Name on the Active Directory process form (the parent form), the change is reflected neither on the target side nor in OIM. One may then wonder why a change in the child form is reflected in the target system while a change in the parent form is not.


According to Development, the behaviour above is correct. The documentation says: "Access policy engine checks if the resource is already provisioned to the user. If it is, then the resource will not be provisioned again. [...] After this, it checks the list of policies being newly added to see if any of them specify child table data for this resource. If they do, then the appropriate child table entries need to be made in the process form for this resource."


This explains why the change in the organization has no effect (the resource is not provisioned again) while the change in the child form does (new child table entries are added): any change in the child form will be reflected, but changes to the parent form, such as the organization change, will not.

Regards,
Sunny Ajmera

How To : Can Access Policies Manage The Life-cycle Of Users Created via Reconciliation?


Currently the policy engine can manage the life cycle of a resource only if the resource object was provisioned through an OIM access policy.

If the resource was reconciled, OIM does not retrofit the data of the reconciled resource against the existing access policies, so OIM cannot manage those users through access policies. This holds whether the users came in through trusted reconciliation or target reconciliation. Note that OIM has no way of knowing how accounts were created before OIM was deployed.

Before OIM was integrated with the target, accounts may have been created directly in the target based on policies, by request, by direct assignment from a delegated administrator, or by any other means (such as a bulk upload from an HR system, another application or a meta-directory product). OIM cannot start de-provisioning accounts or entitlement assignments merely because the policies newly defined in OIM would not have provisioned that account or entitlement to the user. For accounts discovered by reconciliation, access policies can only add entitlement assignments. Once new accounts are provisioned from OIM, however, OIM knows the context in which they were provisioned and can therefore correctly de-provision them based on the "revoke if no longer applies" flag.

One way to handle this is to cleanse the existing data before integrating the target with OIM, or to run manual attestation in OIM to cleanse the data. Once the data is cleansed and loaded into OIM, OIM can be configured to manage the accounts from then on.


Regards,
SunShine
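A toy model of both rules above (the parent-form versus child-form behaviour from the previous post, and the policy-provisioned versus reconciled distinction from this one), as an added example written for this page rather than Oracle Identity Manager code. The policy and account classes, the action names and the sample AD policy are all invented for the illustration.

```python
"""Toy model of two OIM access-policy rules (added illustration, not Oracle code).
Rule 1: a resource that is already provisioned is not provisioned again, so a changed
parent form (e.g. Organization Name) in the policy is ignored while missing child-table
rows (e.g. group memberships) are added.
Rule 2: "revoke if no longer applies" acts only on accounts the policy engine itself
provisioned, never on accounts discovered by reconciliation."""
from dataclasses import dataclass, field


@dataclass
class AccessPolicy:
    name: str
    resource: str                  # resource object, e.g. "AD User"
    parent_form: dict              # process form data, e.g. {"Organization Name": "OU=Sales"}
    child_rows: frozenset          # child table rows, e.g. AD group memberships
    revoke_if_no_longer_applies: bool = True


@dataclass
class Account:
    resource: str
    parent_form: dict
    child_rows: set
    source: str                    # "policy" (provisioned by OIM) or "recon" (discovered)
    granted_by: set = field(default_factory=set)   # policies that provisioned it


def evaluate(accounts, policies, applicable):
    """Run one policy-engine pass for a user.

    accounts:   the user's current accounts (mutated in place)
    policies:   name -> AccessPolicy, every policy defined in OIM
    applicable: names of the policies that currently apply to the user
    Returns the list of actions the engine would take, in order."""
    actions = []
    by_resource = {a.resource: a for a in accounts}

    for name in applicable:
        policy = policies[name]
        account = by_resource.get(policy.resource)
        if account is None:
            # Not provisioned yet: create it with the policy's parent and child data.
            account = Account(policy.resource, dict(policy.parent_form),
                              set(policy.child_rows), "policy", {name})
            accounts.append(account)
            by_resource[policy.resource] = account
            actions.append(("provision", policy.resource, dict(policy.parent_form),
                            frozenset(policy.child_rows)))
            continue
        # Already provisioned: parent form is left alone, only new child rows are added.
        missing = set(policy.child_rows) - account.child_rows
        if missing:
            account.child_rows |= missing
            actions.append(("add_child", policy.resource, frozenset(missing)))
        if account.source == "policy":
            account.granted_by.add(name)   # the engine tracks which policies cover it

    # Revocation: only accounts the engine provisioned, whose granting policies have all
    # stopped applying and all carry the revoke flag. Reconciled accounts are untouched.
    revoked = set()
    for account in accounts:
        if account.source != "policy" or not account.granted_by:
            continue
        if account.granted_by & set(applicable):
            continue
        if all(policies[n].revoke_if_no_longer_applies for n in account.granted_by):
            revoked.add(account.resource)
            actions.append(("revoke", account.resource))
    accounts[:] = [a for a in accounts if a.resource not in revoked]
    return actions


if __name__ == "__main__":
    # Invented sample policy: AD account in OU=Sales with one group membership.
    policies = {"AD Sales": AccessPolicy("AD Sales", "AD User",
                                         {"Organization Name": "OU=Sales"},
                                         frozenset({"Sales-Users"}))}
    accounts = []
    print(evaluate(accounts, policies, ["AD Sales"]))          # provision
    policies["AD Sales"] = AccessPolicy("AD Sales", "AD User",
                                        {"Organization Name": "OU=Finance"},
                                        frozenset({"Sales-Users", "Finance-Users"}))
    print(evaluate(accounts, policies, ["AD Sales"]))          # add_child only
    print(accounts[0].parent_form)                             # organization unchanged
    recon = [Account("AD User", {"Organization Name": "OU=Legacy"}, {"Old-Group"}, "recon")]
    print(evaluate(recon, policies, []))                       # nothing: never revoked
```

The second evaluate call shows the first post's puzzle: editing the policy's Organization Name produces no action at all, while the added group shows up as a child-table insert. The reconciled account at the end shows the second post's point: with no applicable policy it is simply left alone, because the engine never provisioned it.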

How to Delete Access Policy in OIM

The general instructions for removing an Access Policy from a group can be found in the Admin and User Console Guide, Chapter 10 Creating and Managing User Groups. A link to that chapter in the 9.1 version is below:
http://download.oracle.com/docs/cd/E10391_01/doc.910/e10360/usergroups.htm#BACCGCGB

This would remove the policy from the group, but not specifically delete the actual policy itself from the Oracle Identity Manager (OIM) server. There is the existing Enhancement Request Bug 5179943 for providing that complete delete feature and it has been approved for inclusion into the future release of OIM (11g version).

Tuesday, July 20, 2010

Sun Role Manager 5.0.3 Quick Installation Guide on WebLogic

Although you can find the SRM 5.0.3 installation guide at http://wikis.sun.com/display/Srm503Docs/Part+II+-+Installing+Sun+Role+Manager, I somehow didn't find it easy enough to wrap up the installation in a quick 15 minutes, so I decided to try it on my own and come up with my own "How to Install SRM 5.0.3 on WebLogic in 15 minutes" guide.

Here it goes:

1. Preparing the Oracle Database

Execute the following SQL files:
• rbacx-5.0.0_oracle_schema.sql
• migrate-rbacx-5.0.0To5.0.1-oracle.sql

2. Download Third-Party Jar Files
• jasper-jdt.jar
• ojdbc14.jar

3. Preparing the Application Server

Copy ojdbc14.jar into the lib folder of your WebLogic application server.

4. Installing Sun Role Manager 5.0.3
• Create a folder E:\SRM; this will be your RBACX_HOME.
• Create another folder RM_5.0 under E:\SRM and unzip the SRM installable into this RM_5.0 folder.
• Create another folder named rbacx under RBACX_HOME.
• Copy the rbacx.war file from E:\SRM\RM_5.0 to the E:\SRM\rbacx folder and extract it using the jar utility (take a backup of rbacx.war before extracting it).
• Move the export and import folders from the sample folder, together with the indexes, reports and conf folders, of your SRM installable to E:\SRM.
• Create another folder called logs under E:\SRM. The structure of your RBACX_HOME (E:\SRM) will then look like this:
  indexes
  conf
  export
  import
  logs
  rbacx
  reports
  RM_5.0
• Move the jdbc.properties file from E:\SRM\conf\oracle to E:\SRM\conf and update the database details.
• Open the iam.properties file and change the location of the export and import folders to E:\SRM\export and E:\SRM\import.
• Navigate to the E:\SRM\rbacx\WEB-INF folder (the folder where you extracted rbacx.war).
• Copy the two jar files downloaded in Section 2 to the E:\SRM\rbacx\WEB-INF\lib folder.
• Open the log4j.properties file under E:\SRM\rbacx\WEB-INF and edit the following property as shown below:
  log4j.appender.file.file=E:/SRM/logs/rbacx.log
  (Backslash is the escape character in Java .properties files, so a value of E:\SRM\logs\rbacx.log is loaded as E:SRMlogsrbacx.log and the log lands somewhere else. Use forward slashes, which the JVM accepts on Windows, or double every backslash: E:\\SRM\\logs\\rbacx.log.)
• Open the WebLogic console, click Deployments (Lock & Edit if required) and browse to the E:\SRM\rbacx folder. Make sure that you see all the files under the rbacx folder.
• Make sure that the name of the deployment is rbacx and deploy it as an application.
• Click Finish and Save. Click Activate Changes if required.
• Click Deployments, select rbacx and then click Start > Servicing all requests.
• Click Yes to start the deployment. A status of Start Running indicates that SRM has been deployed successfully. The status will then change to Active.
• Open a browser and type the URL to access the SRM console.
• Log in with "rbacxadmin" as the username and "password" as the password, and we are done. (Change this default password straight away, before anyone else can reach the console; a well-known default credential on an identity product is the first thing anyone probing the server will try.)
I was able to complete the installation using the above steps in 15 minutes and hope that whoever reads and follows them can do it in the same time.
Regards,
SunShine
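A script that performs the file-layout part of steps 2 to 4 above (not part of the original guide, and not Sun/Oracle code), written mainly to make the .properties escaping point concrete. It assumes the installable is unpacked into a directory with the layout the guide describes; the iam.properties key names for the export and import folders are not given on this page, so they are passed in as parameters (the `export.dir`/`import.dir` names used in the demo are placeholders); and the demo() function builds a constructed stand-in installable rather than using real SRM files.

```python
"""Build an RBACX_HOME for Sun Role Manager 5.0.3 from an unpacked installable.
Added example automating the file layout in steps 2-4 of the guide; not Sun/Oracle code.
Assumptions: the installable directory contains sample/export, sample/import, indexes,
reports, conf/oracle/jdbc.properties, conf/iam.properties and rbacx.war, and the caller
supplies the iam.properties keys for the export/import folders (not given in the guide)."""
import re
import shutil
import tempfile
import zipfile
from pathlib import Path

RBACX_SUBDIRS = ("indexes", "conf", "export", "import", "logs", "rbacx", "reports")


def properties_path(path):
    r"""Render a path so java.util.Properties reads it back unchanged.

    Backslash is the escape character in .properties files: E:\SRM\logs\rbacx.log is
    loaded as E:SRMlogsrbacx.log. Forward slashes are accepted by the JVM on Windows,
    so use those (doubling every backslash would also work)."""
    return str(path).replace("\\", "/")


def set_property(text, key, value):
    """Set key=value in a .properties body, replacing an existing line or appending one."""
    pattern = re.compile(r"^[ \t]*" + re.escape(key) + r"[ \t]*[=:].*$", re.MULTILINE)
    line = f"{key}={value}"
    if pattern.search(text):
        return pattern.sub(lambda _m: line, text, count=1)
    return text.rstrip("\n") + ("\n" if text.strip() else "") + line + "\n"


def layout_rbacx_home(rbacx_home, installable, third_party_jars, export_key, import_key):
    """Create RBACX_HOME, explode the war, move the data folders, drop in the jars
    and rewrite the two properties files. Returns the RBACX_HOME path."""
    home, src = Path(rbacx_home), Path(installable)
    for sub in RBACX_SUBDIRS:
        (home / sub).mkdir(parents=True, exist_ok=True)

    # Back up rbacx.war, then explode it (a war is a zip) into RBACX_HOME/rbacx.
    war = src / "rbacx.war"
    shutil.copy2(war, home / "rbacx.war.bak")
    with zipfile.ZipFile(war) as zf:
        zf.extractall(home / "rbacx")

    # Data folders move from the installable to RBACX_HOME.
    for rel, dest in (("sample/export", "export"), ("sample/import", "import"),
                      ("indexes", "indexes"), ("reports", "reports"), ("conf", "conf")):
        shutil.copytree(src / rel, home / dest, dirs_exist_ok=True)
    oracle_jdbc = home / "conf" / "oracle" / "jdbc.properties"
    if oracle_jdbc.exists():
        shutil.move(str(oracle_jdbc), str(home / "conf" / "jdbc.properties"))

    # Third-party jars go into the exploded webapp's WEB-INF/lib.
    lib = home / "rbacx" / "WEB-INF" / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    for jar in third_party_jars:
        shutil.copy2(jar, lib / Path(jar).name)

    # Point iam.properties at the new export/import folders and log4j at logs/.
    iam = home / "conf" / "iam.properties"
    text = set_property(iam.read_text(), export_key, properties_path(home / "export"))
    text = set_property(text, import_key, properties_path(home / "import"))
    iam.write_text(text)
    log4j = home / "rbacx" / "WEB-INF" / "log4j.properties"
    log4j.write_text(set_property(log4j.read_text(), "log4j.appender.file.file",
                                  properties_path(home / "logs" / "rbacx.log")))
    return home


def demo(root=None):
    """Constructed stand-in for the installable (no real SRM files), laid out in a temp dir."""
    root = Path(root or tempfile.mkdtemp(prefix="srm-"))
    src = root / "RM_5.0"
    for d in ("sample/export", "sample/import", "indexes", "reports", "conf/oracle"):
        (src / d).mkdir(parents=True, exist_ok=True)
    (src / "conf" / "oracle" / "jdbc.properties").write_text(
        "jdbc.url=jdbc:oracle:thin:@dbhost:1521:orcl\n")
    (src / "conf" / "iam.properties").write_text("export.dir=C:\\old\\export\n")
    with zipfile.ZipFile(src / "rbacx.war", "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("WEB-INF/log4j.properties", "log4j.appender.file.file=rbacx.log\n")
    jar = root / "ojdbc14.jar"
    jar.write_bytes(b"PK\x05\x06" + b"\x00" * 18)   # an empty zip, i.e. a valid empty jar
    # "export.dir"/"import.dir" are placeholder key names, not the real iam.properties keys.
    return layout_rbacx_home(root / "SRM", src, [jar], "export.dir", "import.dir")


if __name__ == "__main__":
    home = demo()
    print("RBACX_HOME laid out at", home)
    print((home / "rbacx" / "WEB-INF" / "log4j.properties").read_text())
```

The printed log4j line is the one place this differs from typing the guide by hand: properties_path() always writes forward slashes, so the log file ends up under RBACX_HOME/logs whether the script runs on Windows or elsewhere.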


Sunday, June 21, 2009

CrossWord Corner 22June,09

Hi All,

Being a regular crossword solver, here are few answers to today's crossword published on TOI:

Across:
14. Object of worship: IDOL
16. Costa _: RICA
26. It will never fly: EWU
32. __ generis: unique: SUI. New to me.
47. Cotton State sculpture?: ALABAMA MOBILE
60. John of England: ELTON


Down:
1. Juice drink with a hyphenated name: HI-C. Can you believe I've never heard of this brand. I only drink milk & water. Sometimes I drink soup.
3. Minute particles: MOLECULES
4. One of the deadly sins: I thought of greed, anger, but it turned out to be SLOTH.
25. Auto with a four-ring logo: AUDI
52. Big name in video: SEGA
42. Derivatives of it are used in sunscreen: PABA (para-aminobenzoic acid). This word got me again. I wanted ALOE. The dictionary says PABA is "a metabolic acid found in yeast and liver cells; used to make dyes and drugs and sun blockers".
8. Blunt rejection: REBUFF.