You are going to run into an issue where a revoke is going to cancel all the tasks within a user's resource instance. You need to prevent this from happening by not triggering a revoke, but a disable instead. Offhand, the only thing I can think of is an event handler tied to the OIM Role and code that will determine if the user needs to be disabled and then use the API to trigger disable. If you are unable to perform a disable instead of revoke, the cancelled tasks will probably be a large issue.
This can hopefully be a start to finding a solution.
Hi,
Don't modify the delete tasks; you need to change the task attached in the Undo/Recovery tab of the unconditional task (by default, Create User) in your workflow. By default it is Delete User; just change it to Disable User.
I am sure it will work.
Attach the Disable User task in the Undo/Recovery tab of your task.
Yes, agreed. Once you set XL.UserDeleteDelayPeriod to 100 it will disable instead of delete. That's how the OIM 11g disablement works.
But in your case the user is getting revoked because the connector is designed in such a way. By default the Delete User task is attached on the Undo/Recovery tab of the Create User task. Just open the Create User task, click on the Undo/Recovery tab, remove the attached "Delete User" task and assign the "Disable User" task there.
In this case, once the role is revoked the RO will be "Disabled", and once the role is assigned to this user the RO will be "Enabled".
Hi Kevin, thanks for the tip. One question though: the approach you describe works only if I don't use access policies, right?
I mean, in that scenario I would create event handlers for the add and remove role events that would check the role name and determine provisioning/deprovisioning of resources...
I'm starting to think that there's no way to modify the access policies' behavior to disable/enable resources and most of the logic we want to implement should be written from scratch in event handlers...
You could always create an enhancement request SR with oracle to request that rather than "Revoke if no longer applies", they could add a "Disable if no longer applies".
You can enable all the debugging you can find and try and find the event handler action for the Access Policy action. Maybe attach an event handler here.
I just tried modifying the "Create User" task for Undo/Recovery. It works as you and the other guys said. But there's a problem: when I remove the role and the access policy revoke kicks in, even when the RO status is now "Disabled", all tasks inside the instance are canceled as Kevin mentioned, so even if I try to enable the RO manually, it fails. There seems to be no way around it...
You can try a workaround like:
1. Uncheck the "revoke if they no longer apply" option on the access policy.
2. Write a post-process event handler on delete, which will disable the RO using the OIM API.
I haven't verified it, but try it out; it may work.
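The following is an added example (not code from this thread, from the connector, or from Oracle) of what step 2 above can look like: a post-process event handler that, when a membership in one specific role is removed, disables the user's account on one specific resource object instead of letting the access policy revoke it. It assumes OIM 11g, that the handler is registered in EventHandlers.xml for entity type `RoleUser` and operation `DELETE`, that the orchestration parameters are named `ugp_key` and `usr_key`, and that the `tcResultSet` column names shown are correct for your release; the class name, the `ROLE_KEY`/`RESOURCE_OBJECT` placeholders and the log messages are mine. Verify the assumed names against the API reference for your OIM version before deploying.

```java
// Added example: post-process event handler that disables (rather than revokes)
// a user's account on one resource object when one specific role is removed.
// Assumptions (verify for your OIM release): RoleUser/DELETE orchestrations carry
// "ugp_key" and "usr_key"; the tcResultSet column names used in disableAccount().
package com.example.oim.handlers;

import java.io.Serializable;
import java.util.HashMap;
import java.util.logging.Logger;

import oracle.iam.platform.Platform;
import oracle.iam.platform.kernel.spi.PostProcessHandler;
import oracle.iam.platform.kernel.vo.AbstractGenericOrchestration;
import oracle.iam.platform.kernel.vo.BulkEventResult;
import oracle.iam.platform.kernel.vo.BulkOrchestration;
import oracle.iam.platform.kernel.vo.EventResult;
import oracle.iam.platform.kernel.vo.Orchestration;
import Thor.API.tcResultSet;
import Thor.API.Operations.tcUserOperationsIntf;

public class DisableAccountOnRoleRemoval implements PostProcessHandler {

    private static final Logger LOG =
        Logger.getLogger(DisableAccountOnRoleRemoval.class.getName());

    // Placeholders: the role whose removal should disable the account, and the
    // resource object the access policy provisions. Scoping the handler to one
    // role and one RO keeps it from touching unrelated accounts.
    private static final String ROLE_KEY = "<ugp_key of the role>";
    private static final String RESOURCE_OBJECT = "<Resource Object name>";

    @Override
    public EventResult execute(long processId, long eventId, Orchestration orch) {
        handleRemoval(orch.getParameters());
        return new EventResult();
    }

    @Override
    public BulkEventResult execute(long processId, long eventId, BulkOrchestration bulk) {
        // Bulk role removals deliver one parameter map per affected membership.
        for (HashMap<String, Serializable> params : bulk.getBulkParameters()) {
            handleRemoval(params);
        }
        return new BulkEventResult();
    }

    private void handleRemoval(HashMap<String, Serializable> params) {
        String roleKey = String.valueOf(params.get("ugp_key")); // assumed parameter name
        String userKey = String.valueOf(params.get("usr_key")); // assumed parameter name
        if (!ROLE_KEY.equals(roleKey)) {
            return; // some other role was removed; nothing to do
        }
        try {
            disableAccount(Long.parseLong(userKey));
        } catch (Exception e) {
            // Fail loudly: a silent failure would leave the account enabled.
            LOG.severe("Could not disable " + RESOURCE_OBJECT + " for user " + userKey + ": " + e);
            throw new RuntimeException(e);
        }
    }

    // Finds the user's provisioned instance of RESOURCE_OBJECT and disables it
    // via the legacy tcUserOperationsIntf API instead of revoking it.
    private void disableAccount(long userKey) throws Exception {
        tcUserOperationsIntf userOps = Platform.getService(tcUserOperationsIntf.class);
        tcResultSet objects = userOps.getObjects(userKey);
        for (int i = 0; i < objects.getRowCount(); i++) {
            objects.goToRow(i);
            String name = objects.getStringValue("Objects.Name");                      // assumed column
            String status = objects.getStringValue("Objects.Object Status.Status");    // assumed column
            if (RESOURCE_OBJECT.equals(name) && "Provisioned".equals(status)) {
                long oiuKey = objects.getLongValue("Users-Object Instance For User.Key"); // assumed column
                userOps.disableAppsForUser(userKey, new long[] { oiuKey });
                LOG.info("Disabled " + name + " instance " + oiuKey + " for user " + userKey);
            }
        }
    }

    @Override public void compensate(long processId, long eventId, AbstractGenericOrchestration o) { }
    @Override public boolean cancel(long processId, long eventId, AbstractGenericOrchestration o) { return false; }
    @Override public void initialize(HashMap<String, String> arg) { }
    @Override public boolean isApplicable(AbstractGenericOrchestration o) { return true; }
}
```

The handler only acts when the removed role matches `ROLE_KEY` and the account is currently `Provisioned`, so a revoke triggered for any other reason is left alone. For the re-grant case, a second handler registered on `RoleUser`/`CREATE` that calls `enableAppsForUser` with the same instance-lookup logic would be the mirror image; that counterpart is not shown here.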
Nayan, thanks for the suggestion; seems as good a place to start as any. I think I would still have to create another event handler to enable the RO when I give the user a new role with an AP that grants the same resource. Do you have some API examples or links I could use to create these adapters? Thanks.