Access policies are a list of roles and the resources with which roles are to be provisioned or deprovisioned. Access policies are defined using Create Access Policy and Manage Access Policies menu items in Oracle Identity Manager Administrative and User Console.
This chapter describes how to create and use access policies for users and resources in Oracle Identity Manager.
This chapter discusses the following topics:
This section describes the various features offered by the policy engine.
Whenever an access policy is applied, the resources are directly provisioned to the user without the any request being generated.
Oracle Identity Manager access policies are not applied to subroles. Policies are only applied to direct-membership users (that is, users who are not in subroles) in the roles that are defined on the access policies. You can specify if a resource in a policy must be revoked when the policy no longer applies. If you do so, then these resources are automatically revoked from the users by Oracle Identity Manager when the policy no longer applies to the users.
While creating an access policy, you can select resources to be denied along with resources to be provisioned for roles. If you first select a resource for provisioning and then select the same resource to be denied, then Oracle Identity Manager removes the resource from the list of resources to be provisioned. If two policies are defined for a role in which one is defined to provision a resource and the other is defined to deny the resource, then Oracle Identity Manager does not provision the resource irrespective of the priority of the policies.
In Oracle Identity Manager, access policies can be evaluated in the following scenarios:
When a user is made a part of a role or removed from a role
The policy for the user is evaluated as part of the add or remove operation.
If the retrofit flag is set for the policy
These evaluations do not happen immediately after the action. Instead, they happen during the next run of the Evaluate User Policies schedule task. The evaluations can happen in the following scenarios:
Policy definition is updated so that the retrofit flag is set to ON. Policies are evaluated for all applicable users.
A role is added or removed from the policy definition. Policies are evaluated only for roles that is added or removed.
A resource is added, removed, or the Revoke If No Longer Applies flag value is changed for the resource. Policies are evaluated for all applicable users.
When policy data is updated or deleted. This includes both parent and child form data. Policies are evaluated for all applicable users.
Policy priority is a numeric field containing a number that is unique for each access policy you create. The lower the number, the higher is the priority of the access policy. For example, if you specify Priority =1, it means that the policy has the highest priority. When you define access policies through Oracle Identity Manager Administrative and User Console, the value 1 is always added to the value of the current lowest priority and the resultant value is automatically populated in the Priority field. Changing this value to a different number might result in readjusting the priority of all the other access policies, thus ensuring that the priorities remain consistent. The following actions are associated with the priority number:
If the priority number entered is less than 1, then Oracle Identity Manager will change the value to 1 (highest priority).
If the priority number entered is greater than M, in which M is the current lowest priority, then Oracle Identity Manager will specify the value as less than or equal to M+1.
Two access policies cannot have the same priority number. Therefore, assigning an already existing priority number to an access policy will lower the priority by 1 for all policies of lesser priority.
Conflicts can arise from multiple access policies being applied to the same user. Because a single instance of a resource is provisioned to the user through access policies, Oracle Identity Manager uses the highest priority policy data for a parent form. For child forms, Oracle Identity Manager uses cumulative records from all applicable policies.
There are multiple ways in which process form data is supplied for resources during provisioning. The following is the order of preference built into Oracle Identity Manager:
Default values from the form definition
Values obtained through data flow from data set to process form
Access policy data if resource is provisioned because of a policy
Data updated by Process Task or Entity Adapters
If a given option is available, then the rest of the options that are at a lower order of preference are overridden. For example, if Option 4 is available, then Options 3, 2, and 1 are ignored.
You can define an access policy for provisioning resources to users who have roles defined in the policy by using the Access Policy Wizard.
To create an access policy:
To open the Create Access Policies page, in the left pane of Oracle Identity Manager Administrative and User Console, click Create Access Policy.
The Create Access Policy page is displayed.
Enter information in the required fields indicated with an asterisk (*) and click Next.
Select Retrofit Access Policy to retrofit this access policy when it is created.
Note:If you select Retrofit Access Policy, then the access policy is applied to all existing roles that you select in Step 12 of this procedure.
If you do not select this option, then existing role memberships are not taken into consideration.
The Create Access Policy - Step 2: Select Resources (to provision) page is displayed.
Specify the resource to be provisioned for this access policy.
Search for resources by using the filter search menu.
Select the name of the resource from the results table, and then click Add.
The names of the desired resources to provision appear in the Selected list. If you want to create an access policy that only denies resources, click Continue without selecting a resource.
To unassign the selected resources, highlight the resource in the Selected list and click Remove.
If there is a form associated with this resource, the subsequent pages display the required fields. Otherwise, the Create Access Policy - Step 2: Select Resources to Revoke page is displayed. It is strongly recommended that you do not specify policy defaults for passwords and encrypted attributes.
Specify whether or not access policies are to be revoked if they no longer apply.
Select the check boxes for the resources you want to revoke automatically from the results table.
The Create Access Policy - Step 3: Selected Resources (to deny) page is displayed.
Use this page to select resources to be denied by this access policy.
To select resources to be denied:
Select the resources from the results table.
Click Add to place the resource in the Selected list.
You must select at least one resource to deny if you have not selected any resources to be provisioned. Selecting the same resources to be denied as to be provisioned will automatically unassign them from the resources to be provisioned selection.
Similarly, in Step a, assigning the same resources to be provisioned as you have already selected to be denied will automatically remove them from the resources to be denied selection. You can remove the resources that were selected to be denied. You do this by selecting those resources from the Selected list, and clicking Remove.
The Create Access Policy - Step 4: Select Roles page is displayed.
Use the Create Access Policy - Step 4: Select Group page to associate a group with the access policy.
Select the group/role from the results table, and then click Add. You must select at least one group/role. The names of the selected group/roles appear in the Selected list.
You can delete the group name by clicking Remove.
The Create Access Policy - Step 5: Verify Access Policy Information page is displayed.
If you want to modify any of the selections you made in the preceding steps of this procedure, then click Change to go to the corresponding page of the wizard. After making the required modifications, click Continue to return to the Step 5: Verify Access Policy Information page.
Click Continue to create the access policy.
Note:When you create an access policy on a resource having a process form with Password field, the password policy is not evaluated. For information about password policies, see Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
You can use Oracle Identity Manager Administrative and User Console to modify information in existing access policies.
To manage access policies:
Click Manage Access Policies under the Policies menu.
The Manage Access Policies page is displayed.
Use the menu in the search criteria field to select an access policy attribute. You can use the asterisk (*) wildcard character to search for all access policy instances that have any value for the attribute selected. Click Search Access Policies.
The Manage Access Policies page is displayed with your search results.
To view the details of the Access Policy you want, click Access Policy Name.
The Access Policy Details page is displayed.
To make modifications to this access policy, use the Change link at the end of each selection category.
After you make the required modifications, click Update Access Policy.
This access policy is updated, and the updated information is displayed on the Access Policy Details page.