I have configured IAM 11gR2P3 to check out its features and differences compared to the earlier version. For other OIM articles, please see here.
In this blog I will check the Access Policy based provisioning feature of Oracle Identity Manager. Access Policy based provisioning allows you to automate provisioning based on the roles users have. Approvals can also be attached to the provisioning if required.
a) Let's assume that Company A is all set to extend its provisioning solution to accommodate the extra applications coming onboard from the Company B acquisition.
b) Company B has an HR solution where new employees are onboarded. Company A is looking for an automated provisioning solution which will provision those employees into the corporate LDAP. Every employee needs to have an account in the corporate LDAP. Further, when employees leave the organisation, Company A would like to automatically deprovision them from the corporate LDAP and from any other systems in which the employee has an account.
So to achieve this we are going to:
a) Create Access Policy
b) Create Role Membership Rule
c) Associate Role with Access Policy
d) Test it by onboarding a user in Company B HR System.
Note that this automated provisioning and deprovisioning is completely role based.
Create Access Policy
- Navigate to the OIM Sysadmin console in a new browser window and log in as admin.
- Click Access Policies under Policies. A new pop-up window will open; you might need to unblock pop-ups.
- Click on Create Access Policy.
- Fill out the details:
Note: If you already have other Access Policies created, use a priority one greater than the current lowest priority.
- From the list of resources, select LDAP User and click on Add.
- Fill in the form, selecting values as appropriate, and select Set Additional Data.
- In the Group Name field, click on search. A new screen listing all the available groups pops up. Click on the Next link until you reach the last screen, then select the following group: Enterprise Directory – OUD~Vacation Tool
- Click on Add.
- Repeat the same steps to add the following groups. These are the groups that will be assigned to the provisioned users as entitlements:
Enterprise Directory – OUD~VPN Access
Enterprise Directory – OUD~Information Systems
Enterprise Directory – OUD~Denver
Enterprise Directory – OUD~Employee Portal
- Click on Continue.
- In the Role selection screen, click on Continue.
- Select the radio button under the Disable if no longer applies (DNLA) choice. When the employee leaves the organization, Access Policy based provisioning allows us either to disable the account on the target system or to revoke it, according to requirement.
- Click on Continue. We do not want to deny any resources using this Access Policy.
- Review and Click on Create Access Policy.
Create Role Membership Rule
- Log in to the Identity Console as admin. Click on Manage, then on the Roles image.
- Search for the Employee role.
- Navigate to the Members sub tab and click on the Create Membership Rule button to open the Rule Builder.
- Scroll down to find User Type. Select it and click on Add. For the string value, enter Full-Time.
- Click on the Preview Results tab; you should see the members that will be added to this role by the rule we just created.
- The important thing to note here is that the role membership is not evaluated immediately. Click on the Evaluate membership rule now button and then on the Apply button.
- Click on Rule Based Members; you should now see the members for this role.
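To make the end-to-end logic of the two procedures above concrete, here is an added Python model of what OIM does once the rule and policy are in place: the membership rule (User Type = Full-Time) decides who holds the role, the policy on the LDAP User resource provisions the account with the listed OUD groups as entitlements, and the DNLA setting decides whether a user who no longer qualifies is disabled or revoked. This is illustrative code written for this post, not OIM's own API; the user records, account store and the "Status" attribute check are constructed assumptions.

```python
# Added example: a small model of the role-based provisioning flow in this post.
# Constructed inputs modelled on the post: rule "User Type = Full-Time", policy on
# the LDAP User resource, the five OUD groups as entitlements, DNLA enabled.
MEMBERSHIP_RULE = ("User Type", "Full-Time")
ACCESS_POLICY = {
    "resource": "LDAP User",
    "entitlements": [
        "Enterprise Directory - OUD~Vacation Tool",
        "Enterprise Directory - OUD~VPN Access",
        "Enterprise Directory - OUD~Information Systems",
        "Enterprise Directory - OUD~Denver",
        "Enterprise Directory - OUD~Employee Portal",
    ],
    "dnla": True,  # Disable if No Longer Applies; False means revoke the account
}

def rule_matches(user: dict) -> bool:
    """Role membership rule: active users whose User Type equals Full-Time."""
    attr, value = MEMBERSHIP_RULE
    return user.get("Status") == "Active" and user.get(attr) == value

def evaluate(users: list, accounts: dict, policy: dict = ACCESS_POLICY) -> dict:
    """Apply the policy to every user, updating `accounts` (login -> account)
    the way the target would be, and return the action taken per login."""
    actions = {}
    for u in users:
        login = u["login"]
        acct = accounts.get(login)
        if rule_matches(u):
            if acct is None or acct["status"] == "Disabled":
                accounts[login] = {"status": "Provisioned",
                                   "groups": list(policy["entitlements"])}
                actions[login] = "provision"
            else:
                actions[login] = "no-op"
        elif acct is not None and acct["status"] == "Provisioned":
            # User no longer qualifies: DNLA disables, otherwise revoke.
            if policy["dnla"]:
                acct["status"] = "Disabled"
                actions[login] = "disable"
            else:
                del accounts[login]
                actions[login] = "revoke"
        else:
            actions[login] = "no-op"
    return actions

def demo(dnla: bool = True) -> tuple:
    """Onboard a Full-Time user and a contractor, then offboard the employee."""
    users = [{"login": "jdoe", "User Type": "Full-Time", "Status": "Active"},
             {"login": "asmith", "User Type": "Contractor", "Status": "Active"}]
    accounts, policy = {}, {**ACCESS_POLICY, "dnla": dnla}
    first = evaluate(users, accounts, policy)
    users[0]["Status"] = "Disabled"  # employee leaves the organisation
    second = evaluate(users, accounts, policy)
    return first, second, accounts
```

Running demo() shows the employee's LDAP account being provisioned with all five groups on the first pass and disabled (or, with dnla=False, revoked) on the second, while the contractor is never touched.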
I have created an Access Policy and a Role based on a Membership Rule. In the next blog we will continue and associate the Role with the Access Policy. Hope it helps!!