12 Replies Latest reply: Mar 24, 2009 11:39 AM by 646047

    The Access Policy and Role in OIM

    630212
      In OIM, we can assign a user to User Groups (roles), and the access policy attached to the User Group is applied to the user automatically. But I find that no change occurs to the provisioned user after I modify the relevant access policy (e.g. the access permission of another resource). Why?
      I want to implement a function as follows: if there are any changes in the role (the permit or deny of access to a resource), they should be applied automatically to the provisioned users who have been assigned to the role. Does the product not support this operation, or did I forget some configuration?
        • 1. Re: The Access Policy and Role in OIM
          613679
          I am not 100% sure I understand your question but in general the thing you are looking for is supported as a part of the policy.

          There is a setting on the policy that controls if a change to the access policy should be reflected to the users that are currently impacted by the policy. It sounds like you didn't find that check box. Please take another look at the policy definition screens.

          Hope this helps
          /M
          • 2. Re: The Access Policy and Role in OIM
            630212
            Hi, Martin

            I guess the check box you mentioned is "Retrofit Access Policy". I had checked it in my previous operation, but there was no impact on the provisioned users after I modified the access policy. I don't know why.

            Thanks a million!
            • 3. Re: The Access Policy and Role in OIM
              Pinks
              There is an OOTB scheduled task that needs to be run, "Set User Provisioned Date", to provision new resources to existing users in the group (after updating the access policy). If resources have to be revoked, then the other scheduled task needs to be run, i.e. "Set User Deprovisioned Date".
              • 4. Re: The Access Policy and Role in OIM
                Pinks
                The above scheduled tasks need to be run after checking the Retrofit Access Policy checkbox on the access policy in the web GUI.
                • 5. Re: The Access Policy and Role in OIM
                  630212
                  First of all, thanks for your suggestion.
                  I ran the scheduled tasks according to your description above, and I found that if I added or removed a resource from the Access Policy, it was applied to the provisioned users in the group. But if I only modified some attribute value (such as department) on the current resource's process form, no change occurred, even after the scheduled tasks had been run. However, if I modified an attribute value on the current resource's child form, the info was updated. I don't know why. Maybe the configuration is different between a process form and its child form?

                  For your information,the resource I mentioned above is OID,and the child form is OID UserGroup.

                  Thanks!
                  • 6. Re: The Access Policy and Role in OIM
                    Pinks
                    I haven't really tried it at the attribute level, but I think what you mentioned might just be a bug. Try doing it with another basic resource, say the AD or LDAP resource, to ascertain that it is a bug.
                    • 7. Re: The Access Policy and Role in OIM
                      646047
                      I'm trying to do exactly the same. My resource is SunOne LDAP server.

                      I'm trying to include an LDAP user in an LDAP group via access policies. The users already exist in OIM, and all of them have an account in the LDAP server. So I'm trying to include some of them in an OIM group, and then, with access policies, include their corresponding LDAP accounts in one LDAP group.

                      But it does not work.

                      Any ideas?

                      LDAP groups are configured as in OID or AD resource, in a child table.
                      • 8. Re: The Access Policy and Role in OIM
                        Kevin Pinsky
                        Is the access policy applying to the user? What is the error message you get in your logs?

                        -Kevin
                        • 9. Re: The Access Policy and Role in OIM
                          646047
                          Yes, the user is applying the policy (the OIM user is member of the OIM group which fires the policy).

                          I have no errors in the log. It seems that the Access Policy is doing nothing. Maybe Access Policies do not work with child tables... so it is not possible to provision groups in resources by access policies.
                          • 10. Re: The Access Policy and Role in OIM
                            Kevin Pinsky
                            Did you save the values on the access policy for the child table? Even if you add the values, you must click the save when completed.

                            -Kevin
                            • 11. Re: The Access Policy and Role in OIM
                              646047
                              I was surfing Metalink, and I found something that solves my problem:

                              Subject: Access Policy Does not Appear to Fire
                              Doc ID: 763317.1

                              My problem was that the child table's active version wasn't the same as the child table version configured in the parent form. The steps I followed are:

                              1.-Log on to the Design Console as xelsysadm.
                              2.-Open the Form Designer and open the parent form for this use case.
                              3.-Click on the Child Tables tab.
                              4.-Take note of the version number shown for the child entry.
                              5.-Now open the child form previously listed in the Child Tables tab of the parent form.
                              6.-Take note of the version of this form that is shown as the active version.
                              7.-Ensure that the version of the child form listed in the Child Tables tab of the parent form is the current active version of the child.
                              8.-Retest the issue.
                              9.-Migrate the solution as appropriate to other environments.

                              Making both the same version solves the problem.

                              Thanks a lot!!
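The Design Console walk-through in reply 11 can be automated with a read-only query against the OIM repository schema. The query below is an added example for this thread, not something from the Metalink note or from Oracle; it compares the child-form version recorded on each parent form's Child Tables tab with the child form's active version and flags every mismatch, so it goes beyond the single-form check above and covers all resources at once. It assumes the OIM 9.x schema: table SDK holds form definitions (SDK_KEY, SDK_NAME, SDK_ACTIVE_VERSION, SDK_LATEST_VERSION) and table SDH holds the parent/child form links (SDH_PARENT_KEY, SDH_PARENT_VERSION, SDH_CHILD_KEY, SDH_CHILD_VERSION); confirm the column names against your release before relying on it.

```sql
-- Added example, not from the original thread or from Oracle.
-- Assumed OIM 9.x repository tables (verify against your release):
--   SDK : form definitions  -> SDK_KEY, SDK_NAME, SDK_ACTIVE_VERSION, SDK_LATEST_VERSION
--   SDH : parent/child links -> SDH_PARENT_KEY, SDH_PARENT_VERSION,
--                               SDH_CHILD_KEY, SDH_CHILD_VERSION
-- Run with a read-only account; it only SELECTs.
SELECT p.sdk_name           AS parent_form,
       p.sdk_active_version AS parent_active_version,
       c.sdk_name           AS child_form,
       h.sdh_child_version  AS child_version_linked_in_parent,
       c.sdk_active_version AS child_active_version,
       CASE
         WHEN h.sdh_child_version = c.sdk_active_version THEN 'OK'
         ELSE 'MISMATCH: access policy child data will not be applied'
       END                  AS status
FROM   sdh h
       JOIN sdk p ON p.sdk_key = h.sdh_parent_key
       JOIN sdk c ON c.sdk_key = h.sdh_child_key
WHERE  h.sdh_parent_version = p.sdk_active_version   -- only the live parent version
       -- Uncomment to restrict to one resource's process form; the name is hypothetical:
       -- AND p.sdk_name = 'UD_LDAP_USR'
ORDER  BY status DESC, p.sdk_name, c.sdk_name;
```

Any row reporting MISMATCH is a parent form whose Child Tables tab still points at a stale child version; fix it in the Form Designer as described in the steps above (re-link the current active child version and make the parent version active), then retest the access policy. Keep the query read-only: editing SDK/SDH directly bypasses the Design Console's versioning and is not supported.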
                              • 12. Re: The Access Policy and Role in OIM
                                646047
                                Hi again.

                                Access policies work with child tables, to add users to groups or roles in resources.
                                But does it also work for modifying resource attributes? I mean, an access policy that writes a custom value to an attribute in the resource form, so that this value is written to the resource by the connector.

                                Is it possible?
                                I've tried it in my environment but it does not work. It works for groups, but not for attributes in the resource form (the parent form, not the child form).

                                Cheers.