4 Replies Latest reply: Oct 15, 2012 12:13 AM by Sagar

    oim 11g r2 access policy related

    968113
      Hi all,

      I manually created one user profile with country as India, after which I created a role (developer) and an access policy based on a rule (if country=us). So my doubt is: whenever the country changes to us the role gets applied, but do the attributes of the RO (resource object) parent form superimpose the attributes in the user profile?
        • 1. Re: oim 11g r2 access policy related
          Dhananjay Neeraj2
          I manually created one user profile with country as India, after which I created a role (developer) and an access policy based on a rule (if country=us).

          You don't create access policies based on any rules... You actually attach an access policy to some Role which was assigned to the user by virtue of its satisfying some rule. So, Role Developer means country=US (or country=us... I think in OIM 11g case matters).



          So my doubt is whenever the country changes to us the role gets applied


          Yes... whenever the country changes to us the role gets applied



          but do the attributes of the RO (resource object) parent form superimpose the attributes in the user profile?


          The wording of this part is not clear...
          If I am understanding correctly, you are asking whether the value specified in the Process Form of the Access Policy takes precedence over the value specified in the user profile...

          Answer is YES...

          So, if the Access Policy attached to Role Developer is edited and the process form value is changed to, say, UD_ABCD_COUNTRY='CANADA' (i.e. neither India nor US), the Resource Object will have UD_ABCD_COUNTRY='CANADA' even if the user profile has USR_UDF_CONUTRY=US.
          • 2. Re: oim 11g r2 access policy related
            Nishith Nayan
            Yes, whenever the country changes on the user profile to US the role is applied, the Access Policy will be triggered and the Resource gets provisioned.

            But if you change the country value on the User profile again, the rule will be evaluated again and the role will be de-attached, hence the provisioned resource will be revoked. But it may not happen instantly, as there is an OOTB scheduled task "Evaluate User Policy". Once this scheduled task executes, it will decide what to do as per the given rule. This is already scheduled, but you can execute it at any point of time if required.

            Ex: user=user1, country=us, role=role1, resource attached on access policy for role role1= AD User, then

            user1 will be assigned to role1 group/role and the "AD User" resource will be provisioned.

            Now assume the country changes from 'us' to 'India'; then the user policy will be evaluated and the given role role1 will be de-attached. Hence the "AD User" resource will be revoked.


            So my doubt is: whenever the country changes to us the role gets applied, but do the attributes of the RO (resource object) parent form superimpose the attributes in the user profile?

            Your doubt is not quite clear. However, if you change the country on the process form directly, there is no impact on the Access policy until you have re-directed the Process form->country back to the user profile.

            If you have a doubt, share again.
            • 3. Re: oim 11g r2 access policy related
              Saurabh Tripathi
              Hi,

              It doesn't directly superimpose the values. If there is any change task in the RO workflow for country, then it must flow the value to the RO profile.

              Thanks,
              Saurabh
              • 4. Re: oim 11g r2 access policy related
                Sagar
                Yes, attributes from the access policy will be populated first, before pre-populate (pre-populating data from the user profile) on the process form.
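
The flow described in replies 1 and 2, as an added example that is not part of the thread and not OIM code: a small Python model in which a profile change re-evaluates role membership at once, while provisioning and revocation only happen on the scheduled policy pass, so access can linger in between. The function names, the `MEMBERSHIP_RULES` and `ACCESS_POLICIES` tables and the case-sensitive match are assumptions made for the model; the form-value precedence follows reply 1.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    login: str
    country: str
    roles: set = field(default_factory=set)
    resources: dict = field(default_factory=dict)  # resource -> process form values

# Constructed configuration mirroring the thread's example (not real OIM objects).
MEMBERSHIP_RULES = {"role1": lambda u: u.country == "us"}  # exact match (assumed)
ACCESS_POLICIES = {"role1": {"resource": "AD User",
                             "form_defaults": {"UD_ABCD_COUNTRY": "CANADA"}}}

def set_country(user, country):
    """Profile change: role membership is re-evaluated immediately."""
    user.country = country
    user.roles = {r for r, rule in MEMBERSHIP_RULES.items() if rule(user)}

def evaluate_user_policies(user):
    """Scheduled pass: provision what current roles grant, revoke the rest."""
    granted = {}
    for role in user.roles:
        policy = ACCESS_POLICIES[role]
        form = {"UD_ABCD_COUNTRY": user.country}  # pre-populated from the profile
        form.update(policy["form_defaults"])       # policy value wins (per reply 1)
        granted[policy["resource"]] = form
    revoked = sorted(set(user.resources) - set(granted))
    user.resources = granted
    return revoked

def stale_access(user):
    """Resources still held although no current role grants them."""
    entitled = {ACCESS_POLICIES[r]["resource"] for r in user.roles}
    return sorted(set(user.resources) - entitled)

if __name__ == "__main__":
    u = User("user1", "India")
    set_country(u, "us")
    evaluate_user_policies(u)
    set_country(u, "India")
    print("held without a granting role:", stale_access(u))
    print("revoked by scheduled pass:", evaluate_user_policies(u))
```

A check like `stale_access` run between scheduled passes shows which accounts are in the window where the role is gone but the resource has not yet been revoked.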