3 Replies Latest reply: Nov 7, 2012 11:27 AM by gbw

    User disabled until start date not getting ROs provisioned via AP

    856157
      Here's the situation: I have a user in OIM that is disabled until start date. When the start date rolls around, and the job "Enable User After Start Date" runs followed by "Evaluate User Policies," the user is correctly enabled and the correct role gets assigned but the access policy associated with that role does not appear to get triggered so the AP's resources are not assigned. However, if a user is entered the same way (via HR recon) but is on or after its start date, then the role gets assigned, the access policy fires, and the ROs are provisioned just fine.

      I have noticed that if a user is moved from disabled to enabled, then the membership rules fire and any roles associated with the rules get assigned but in the DB the field USR_POLICY_UPDATE remains null. If I update that field with a '1' and re-run "Evaluate User Policies," the resources are provisioned correctly.

      I am wondering if anyone has seen this before or has a suggestion as to how to resolve this.

      Thanks,

      Stephen
        • 1. Re: User disabled until start date not getting ROs provisioned via AP
          gbw
          Have you tried setting the "Retrofit Access Policy" to Yes? If the role is correctly assigned to the user, the "Evaluate User Policies" task should assign the ROs to the user.
          • 2. Re: User disabled until start date not getting ROs provisioned via AP
            856157
            Thanks for the suggestion. As it turned out, I did not have Retrofit checked but unfortunately that did not resolve the issue. The behavior remained the same after checking and re-running 'Evaluate User Policies'.

            I may have a workaround for this issue that I am in the process of implementing. I'm creating a job that will run right before 'Enable User After Start Date' that will update the USR_POLICY_UPDATE field to '1' if the status of a user is 'Disabled Until Start Date.' Then the user will get enabled, assigned the appropriate roles via rules, and 'Evaluate User Policies' should run and now find this user and apply the access policies.

            Anyway, seems like there should be a simpler answer so I'll keep checking here if anyone has one. I'll also update if the above workaround works.

            Thanks,

            Stephen
            • 3. Re: User disabled until start date not getting ROs provisioned via AP
              gbw
              I've seen that happen before... try one other thing to test: go ahead and perform a modify on the user who has the role, and not the resource(s). Log in as xelsysadm, look the user up, edit the Description field or some other attribute, and click apply. Let me know if this then provisions the resource(s) to the user.

              If this works, you can do a bulk modify of users (Advanced Search -> Select Multiple Users -> Bulk Modify button) to toggle an attribute back and forth. This should trigger the RO provisioning.