9 Replies Latest reply: Mar 1, 2012 3:25 PM by Franco Camporeale

    Resource object management through Access Policy without revoking accounts

    Franco Camporeale
      Hi,

      We're working with OIM 11.1.1.5. We're trying to implement it using access policies as a way to have some sort of role-based control in place.

      We're under strict regulation not to delete ANY account on the production environment under any circumstances, and that includes OIM accounts as well as the resources we manage from it. We can only disable users, so for example we've set the system property XL.UserDeleteDelayPeriod to 100 years to make sure no user or process removes an identity.

      We've decided that each user can have only one "business role" (which is simply a category of roles that have access policies associated) at a time, which determines what resource objects the identity gets. We need to set "Revoke if no longer applies" to true because if we change a user's role to a role with fewer resources in the access policy, he should no longer have access to some ROs. But on the other hand, we can't allow the target accounts to be deleted. And, to make matters worse, we can't create several instances of the same RO.

      So, two problems arise: first, we need access policies to disable instead of revoking the accounts when the role is taken off the user, and second, when a new role is applied and the access policy grants the same RO, it should enable the one that already exists.

      I started working on a solution by modifying the Active Directory connector to make the "Delete User" task use the "ADCS disable user" adapter, and I mapped the task status "C" to "Disabled", but when I remove the role the object status for the AD RO is still "Revoke" (even though the account in AD is only disabled). As for the second problem, I still haven't figured out how to enable an RO through an access policy and would like to know if it's possible. Has anybody run into this kind of requirement before?

      Please let me know if some clarification is needed. Thanks!
        • 1. Re: Resource object management through Access Policy without revoking accounts
          Kevin Pinsky
          You are going to run into an issue where a revoke is going to cancel all the tasks within a user's resource instance. You need to prevent this from happening by not triggering a revoke, but a disable instead. Offhand, the only thing I can think of is an event handler tied to the OIM Role and code that will determine if the user needs to be disabled and then use the API to trigger a disable. If you are unable to perform a disable instead of a revoke, the cancelled tasks will probably be a large issue.

          This can hopefully be a start to finding a solution.

          -Kevin
          • 2. Re: Resource object management through Access Policy without revoking accounts
            Saurabh Tripathi
            Hi,

            Don't modify the delete task; you need to change the task attached in the Undo/Recovery tab of the unconditional task (by default, Create User) in your workflow. By default it is Delete User; just change it to Disable User.
            I am sure it will work.

            Thanks,
            • 3. Re: Resource object management through Access Policy without revoking accounts
              Gyanprakash Pandey
              Attach the Disable User task in the Undo/Recovery tab of your task.

              regards,
              GP
              • 4. Re: Resource object management through Access Policy without revoking accounts
                Nishith Nayan
                Yes, agreed: once you set XL.UserDeleteDelayPeriod to 100 it will disable instead of delete. That's how OIM 11g disablement works.
                But in your case the user is getting revoked because the connector is designed in such a way. By default the Delete User task is attached on the Undo/Recovery tab of the Create User task. Just open the Create User task -> click on the Undo/Recovery tab -> remove the attached "Delete User" task and assign the "Disable User" task here.

                In this case, once the role is revoked the RO will be "Disabled", and once the role is assigned to this user the RO will be "Enabled".


                --nayan
                • 5. Re: Resource object management through Access Policy without revoking accounts
                  Franco Camporeale
                  Hi Kevin, thanks for the tip. One question though: the approach you describe works only if I don't use access policies, right?
                  I mean, in that scenario I would create event handlers for the add and remove role events that would check the role name and determine provisioning/deprovisioning of resources...
                  I'm starting to think that there's no way to modify the access policies' behavior to disable/enable resources, and most of the logic we want to implement should be written from scratch in event handlers...
                  • 6. Re: Resource object management through Access Policy without revoking accounts
                    Kevin Pinsky
                    You could always create an enhancement request SR with oracle to request that rather than "Revoke if no longer applies", they could add a "Disable if no longer applies".

                    You can enable all the debugging you can find and try to find the event handler action for the Access Policy action. Maybe attach an event handler there.

                    -Kevin
                    • 7. Re: Resource object management through Access Policy without revoking accounts
                      Franco Camporeale
                      Hi Nayan,
                      I just tried modifying the "Create User" task for Undo/Recovery. It works as you and the other guys said. But there's a problem: when I remove the role and the access policy revoke kicks in, even when the RO status is now "Disabled", all tasks inside the instance are cancelled as Kevin mentioned, so even if I try to enable the RO manually, it fails. There seems to be no way around it...
                      • 8. Re: Resource object management through Access Policy without revoking accounts
                        Nishith Nayan
                        You can try a workaround like:

                        1. Uncheck the "Revoke if no longer applies" option on the access policy.
                        2. Write a post-process event handler on delete, which will disable the RO using the OIM API.

                        I haven't verified it, but try it out; it may work.

                        --nayan
                        • 9. Re: Resource object management through Access Policy without revoking accounts
                          Franco Camporeale
                          Nayan, thanks for the suggestion; it seems as good a place to start as any. I think I would still have to create another event handler to enable the RO when I give the user a new role with an AP that grants the same resource. Do you have some API examples or links I could use to create these adapters? Thanks.
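Added example (not posted by anyone in this thread and not Oracle's code): one post-process event handler covering both halves of the workaround discussed in replies 8 and 9, i.e. disable the user's existing resource instance when the role is revoked and re-enable it when the role is granted again, using the public OIM 11g API rather than the access policy's revoke. It assumes the "Revoke if no longer applies" box is unchecked, that the handler is registered in EventHandlers.xml for the RoleUser entity (CREATE on grant, DELETE on revoke), that the orchestration carries the user and role keys under the parameter names "usr_key" and "ugp_key", and that the OIU key is exposed by getObjects() as "Users-Object Table.Key"; the resource name "AD User" and the role keys are placeholders. Those parameter and column names must be confirmed against your own environment before the handler is deployed.

```java
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;

import Thor.API.tcResultSet;
import Thor.API.Operations.tcUserOperationsIntf;
import oracle.iam.platform.Platform;
import oracle.iam.platform.kernel.spi.PostProcessHandler;
import oracle.iam.platform.kernel.vo.AbstractGenericOrchestration;
import oracle.iam.platform.kernel.vo.BulkEventResult;
import oracle.iam.platform.kernel.vo.BulkOrchestration;
import oracle.iam.platform.kernel.vo.EventResult;
import oracle.iam.platform.kernel.vo.Orchestration;

/**
 * Post-process handler for the RoleUser entity. On role revoke (DELETE) it
 * disables the user's existing instance of the resource; on role grant (CREATE)
 * it enables a previously disabled instance. The target account is never revoked,
 * so its process tasks are not cancelled and the instance can be reused later.
 */
public class DisableInsteadOfRevokeHandler implements PostProcessHandler {

    // ASSUMPTION: resource object name; replace with the RO name from your connector.
    private static final String RESOURCE_NAME = "AD User";
    // ASSUMPTION: UGP keys of the "business roles" whose access policies grant the RO.
    private static final Set<String> BUSINESS_ROLE_KEYS =
            new HashSet<String>(Arrays.asList("21", "22", "23"));
    // ASSUMPTION: parameter names carried by the RoleUser orchestration.
    private static final String USER_KEY_PARAM = "usr_key";
    private static final String ROLE_KEY_PARAM = "ugp_key";

    @Override
    public EventResult execute(long processId, long eventId, Orchestration orch) {
        HashMap<String, Serializable> params = orch.getParameters();
        String roleKey = String.valueOf(params.get(ROLE_KEY_PARAM));
        if (!BUSINESS_ROLE_KEYS.contains(roleKey)) {
            return new EventResult(); // an unrelated role changed; leave the RO alone
        }
        long userKey = Long.parseLong(String.valueOf(params.get(USER_KEY_PARAM)));
        String op = orch.getOperation(); // "CREATE" on grant, "DELETE" on revoke

        tcUserOperationsIntf userOps = Platform.getService(tcUserOperationsIntf.class);
        try {
            if ("DELETE".equals(op)) {
                setResourceEnabled(userOps, userKey, RESOURCE_NAME, false);
            } else if ("CREATE".equals(op)) {
                setResourceEnabled(userOps, userKey, RESOURCE_NAME, true);
            }
        } catch (Exception e) {
            // Fail the orchestration loudly rather than silently leaving the account live.
            throw new RuntimeException("Could not toggle " + RESOURCE_NAME
                    + " for user " + userKey + " on " + op, e);
        } finally {
            userOps.close();
        }
        return new EventResult();
    }

    /**
     * Walks the user's resource instances and disables (enable=false) or enables
     * (enable=true) every instance of roName whose current status allows it.
     * Returns the number of instances toggled so the caller can log or assert on it.
     */
    static int setResourceEnabled(tcUserOperationsIntf userOps, long userKey,
                                  String roName, boolean enable) throws Exception {
        tcResultSet objects = userOps.getObjects(userKey);
        int toggled = 0;
        for (int i = 0; i < objects.getRowCount(); i++) {
            objects.goToRow(i);
            if (!roName.equals(objects.getStringValue("Objects.Name"))) {
                continue;
            }
            String status = objects.getStringValue("Objects.Object Status.Status");
            // ASSUMPTION: this column holds the OIU key expected by enable/disableAppsForUser.
            long instanceKey = objects.getLongValue("Users-Object Table.Key");
            if (enable && "Disabled".equals(status)) {
                userOps.enableAppsForUser(userKey, instanceKey);
                toggled++;
            } else if (!enable && ("Provisioned".equals(status) || "Enabled".equals(status))) {
                userOps.disableAppsForUser(userKey, instanceKey);
                toggled++;
            }
            // "Revoked" instances are skipped: their tasks are already cancelled.
        }
        return toggled;
    }

    @Override
    public BulkEventResult execute(long processId, long eventId, BulkOrchestration orch) {
        return new BulkEventResult(); // bulk role changes are not handled in this example
    }

    @Override
    public void initialize(HashMap<String, String> params) { }

    @Override
    public void compensate(long processId, long eventId, AbstractGenericOrchestration orch) { }

    @Override
    public boolean cancel(long processId, long eventId, AbstractGenericOrchestration orch) {
        return false;
    }
}
```

The role-key filter is the check a practitioner would not want to skip: without it, revoking any unrelated role would disable the AD account. Note that on a fresh grant the access policy may still try to provision the RO itself; whether it treats the existing "Disabled" instance as already provisioned should be verified in a test environment before relying on the enable path.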