I manually created one user profile with country as India, after which I created a role (developer) and an access policy based on a rule (if country=us).
You don't create access policies based on any rules... You actually attach an access policy to some Role which was assigned to the user by virtue of its satisfying some rule. So, Role Developer means country=US (or country=us... I think in OIM 11g case matters)
So my doubt is whenever the country changes to us the role gets applied
Yes... whenever the country changes to us the role gets applied
but do the attributes of the RO (resource object) parent form superimpose the attributes in the user profile?
The wording of this part is not clear...
If I am understanding correctly, you are asking whether the value specified in the Process Form of the Access Policy takes precedence over the value specified in the user profile...
Answer is YES...
So, if the Access Policy attached to Role Developer is edited and the process form value is changed to, say, UD_ABCD_COUNTRY='CANADA' (i.e. neither India nor US), the Resource Object will have UD_ABCD_COUNTRY='CANADA' even if the user profile USR_UDF_CONUTRY=US
Yes, whenever the country on the user profile changes to US, the role is applied, the Access Policy will be triggered and the Resource gets provisioned.
But if you change the country value on the user profile again, the rule will be evaluated again and the role will be detached, hence the provisioned resource will be revoked. But it may not happen instantly, as there is an OOTB scheduled task "Evaluate User Policy". Once this scheduled task executes, it will decide what to do as per the given rule. This is already scheduled, but you can execute it at any point of time if required.
Ex: user=user1, country=us, role=role1, resource attached on the access policy for role role1 = AD User, then
user1 will be assigned to role1 group/role and the "AD User" resource will be provisioned.
Now assume the country changes from 'us' to 'India'; then the user policy will be evaluated and the given role role1 will be detached. Hence the "AD User" resource will be revoked.
So my doubt is whenever the country changes to us the role gets applied, but do the attributes of the RO (resource object) parent form superimpose the attributes in the user profile?
Your doubt is not quite clear. However, if you change the country on the process form directly, there is no impact on the Access Policy until you have not redirected the Process form->country back to the user profile.
If you have a doubt, share again.
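
A minimal model of the behaviour described in this thread, added as an example; it is not part of any reply and is not OIM code or its API. It shows the policy's process form value overriding the profile value, and the interval in which a user who no longer satisfies the rule still holds the account until policy evaluation runs. All class and function names are hypothetical, and the exact-match rule, the pre-population of UD_ABCD_COUNTRY from the profile, and provisioning happening at evaluation time are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class AccessPolicy:
    resource: str
    form_values: dict              # process form values fixed on the policy

@dataclass
class Role:
    name: str
    rule: Callable[[dict], bool]   # membership rule over the user profile
    policies: list

@dataclass
class User:
    login: str
    profile: dict
    roles: set = field(default_factory=set)
    accounts: dict = field(default_factory=dict)   # resource -> process form
    needs_evaluation: bool = False

def update_profile(user, roles, **changes):
    """Profile change: membership rules are re-evaluated, accounts are untouched."""
    user.profile.update(changes)
    user.roles = {r.name for r in roles if r.rule(user.profile)}
    user.needs_evaluation = True

def evaluate_user_policies(user, roles):
    """Model of one run of the policy evaluation task for a flagged user."""
    if not user.needs_evaluation:
        return
    entitled = {p.resource: p for r in roles if r.name in user.roles for p in r.policies}
    for resource in set(user.accounts) - set(entitled):
        del user.accounts[resource]                  # role lost: revoke the account
    for resource, policy in entitled.items():
        if resource not in user.accounts:
            # Assumption: the form starts from the profile value ...
            form = {"UD_ABCD_COUNTRY": user.profile.get("country")}
            form.update(policy.form_values)          # ... and the policy value wins
            user.accounts[resource] = form
    user.needs_evaluation = False

def stale_access(user, roles):
    """Accounts still held although no current role grants them."""
    entitled = {p.resource for r in roles if r.name in user.roles for p in r.policies}
    return sorted(set(user.accounts) - entitled)
```

Running `stale_access` between a profile change and the next evaluation run lists the accounts that are pending revocation, which is the interval worth checking when the task's schedule is long.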