Oracle® Identity Manager Administrative and User Console Guide
Release 9.1.0

Part Number E10360-03
11 Creating and Managing Access Policies

An access policy is a list of user groups and the resources with which users in those groups are to be provisioned or deprovisioned. Access policies are defined using the Access Policies menu item in the Oracle Identity Manager Administrative and User Console.

This chapter describes how to create and use access policies for users, organizations, and resources in Oracle Identity Manager.

This chapter discusses the following topics:

Features of Access Policies

This section describes the various features offered by the policy engine.

Provisioning Options

While defining policies, you can specify whether you want resources in a particular policy to be provisioned with or without approval. If an access policy of type with approval is applied to a user and if the access policy specifies that resources be provisioned, then Oracle Identity Manager generates a request. This request must be approved before the user gets the resources. Without the approval option, whenever an access policy is applied, the resources are directly provisioned to the user without any request being generated.

Revoking the Policy

Oracle Identity Manager access policies are not applied to subgroups. Policies are applied only to direct-membership users (users who belong to the group itself, not through a subgroup) of the groups that are defined on the access policies. You can specify whether a resource in a policy must be revoked when the policy no longer applies. If you do so, then Oracle Identity Manager automatically revokes these resources from the users when the policy no longer applies to them.

Denying a Resource

While creating an access policy, you can select resources to be denied along with resources to be provisioned for groups. If you first select a resource for provisioning and then select the same resource to be denied, then Oracle Identity Manager removes the resource from the list of resources to be provisioned. If two policies are defined for a group in which one is defined to provision a resource and the other is defined to deny the resource, then Oracle Identity Manager does not provision the resource irrespective of the priority of the policies. If policies are defined to deny resources to users belonging to a group, then the resources will not be made available for selection during request-based or direct provisioning to these users.

Evaluating Policies

In Oracle Identity Manager, access policies can be evaluated in the following scenarios:

Access Policy Priority

Policy priority is a numeric field containing a number that is unique for each access policy you create. The lower the number, the higher the priority of the access policy. For example, if you specify Priority = 1, the policy has the highest priority. When you define access policies through the Administrative and User Console, the value 1 is always added to the value of the current lowest priority (the highest existing number), and the resultant value is automatically populated in the Priority field. Changing this value to a different number might result in readjusting the priority of all the other access policies, thus ensuring that the priorities remain consistent. The following actions are associated with the priority number:

Conflicts can arise from multiple access policies being applied to the same user. Because a single instance of a resource is provisioned to the user through access policies, Oracle Identity Manager uses the highest priority policy data for a parent form. For child forms, Oracle Identity Manager uses cumulative records from all applicable policies.

Access Policy Data

There are multiple ways in which process form data is supplied for resources during provisioning. The following is the order of preference built into Oracle Identity Manager:

  1. Default values from the form definition

  2. Organization defaults

  3. Values obtained through data flow from object form to process form

  4. Prepopulate adapters

  5. Access policy data if resource is provisioned because of a policy

  6. Data updated by Process Task or Entity Adapters

If a given option is available, then the rest of the options that are at a lower order of preference are overridden. For example, if Option 4 is available, then Options 3, 2, and 1 are ignored.
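The following Python model is an added illustration, not Oracle Identity Manager code and not a call into its APIs. It combines the rules stated in this chapter for one user: policies apply only to direct members of their groups, a deny wins over a provision irrespective of priority, parent-form data comes from the applicable policy with the lowest priority number while child-form records accumulate across all applicable policies, and process-form data sources are ranked in the order of preference listed above. The precedence between data sources is modeled per field, which is an assumption; every group, policy, resource and value in the sample data is constructed.

```python
"""Toy model of how this chapter's access-policy rules combine for one user.
Added illustration; not Oracle Identity Manager code. All sample data is
constructed, and per-field precedence between data sources is an assumption."""
from dataclasses import dataclass, field

# Data sources for process-form values in the chapter's order of preference:
# the first entry is option 1 (weakest), the last is option 6 (strongest).
FORM_DATA_SOURCES = (
    "form defaults",                   # 1
    "organization defaults",           # 2
    "object-to-process data flow",     # 3
    "prepopulate adapters",            # 4
    "access policy data",              # 5
    "process task / entity adapters",  # 6
)


@dataclass
class Group:
    name: str
    members: frozenset           # direct-membership users only
    subgroups: tuple = ()        # kept only to show that they are ignored


@dataclass
class AccessPolicy:
    name: str
    priority: int                # 1 is the highest priority
    groups: frozenset
    provision: dict = field(default_factory=dict)  # resource -> {"parent": {...}, "children": [...]}
    deny: frozenset = frozenset()


def applicable_policies(user, groups, policies):
    """Policies whose groups directly contain the user, highest priority first."""
    direct = {g.name for g in groups if user in g.members}
    return sorted((p for p in policies if p.groups & direct), key=lambda p: p.priority)


def evaluate(user, groups, policies):
    """Return (provisioned, denied): what the policies give and withhold for a user."""
    applicable = applicable_policies(user, groups, policies)
    denied = frozenset().union(*(p.deny for p in applicable))
    provisioned = {}
    for policy in applicable:                    # lowest priority number first
        for resource, data in policy.provision.items():
            if resource in denied:
                continue                         # deny wins regardless of priority
            if resource not in provisioned:      # first hit is the highest-priority policy
                provisioned[resource] = {"parent": dict(data.get("parent", {})),
                                         "children": []}
            provisioned[resource]["children"].extend(data.get("children", []))  # cumulative
    return provisioned, denied


def resolve_process_form(sources):
    """sources maps a FORM_DATA_SOURCES name to the field values it supplies.
    A missing source is 'not available'; per field the highest-ranked source wins."""
    form = {}
    for name in FORM_DATA_SOURCES:               # later updates override earlier ones
        form.update(sources.get(name, {}))
    return form


# Constructed sample data: "Eng-Leads" is a subgroup of "Engineering", so its
# member dave is NOT a direct Engineering member and gets no Engineering policy.
SAMPLE_GROUPS = [
    Group("Engineering", frozenset({"alice", "bob"}), subgroups=("Eng-Leads",)),
    Group("Eng-Leads", frozenset({"dave"})),
    Group("Contractors", frozenset({"carol"})),
]
SAMPLE_POLICIES = [
    AccessPolicy("eng-baseline", 1, frozenset({"Engineering"}),
                 provision={"AD User": {"parent": {"ou": "Engineering", "mail_quota": "2G"},
                                        "children": [{"group": "eng-all"}]},
                            "VPN": {"parent": {"profile": "full"}}}),
    AccessPolicy("eng-no-vpn", 2, frozenset({"Engineering"}),
                 provision={"AD User": {"parent": {"ou": "Eng-Extras"},
                                        "children": [{"group": "eng-build"}]}},
                 deny=frozenset({"VPN"})),
    AccessPolicy("contractor-vpn", 3, frozenset({"Contractors"}),
                 provision={"VPN": {"parent": {"profile": "restricted"}}}),
]

if __name__ == "__main__":
    for user in ("alice", "carol", "dave"):
        print(user, evaluate(user, SAMPLE_GROUPS, SAMPLE_POLICIES))
    alice_provisioned, _ = evaluate("alice", SAMPLE_GROUPS, SAMPLE_POLICIES)
    print(resolve_process_form({
        "form defaults": {"ou": "Users", "mail_quota": "1G", "desc": "n/a"},
        "prepopulate adapters": {"mail_quota": "5G"},
        "access policy data": alice_provisioned["AD User"]["parent"],
    }))
```

Running it shows alice losing VPN even though the priority-1 policy provisions it, because the priority-2 policy denies it; her AD User parent data comes from the priority-1 policy alone while both policies' child records are kept; carol gets only the contractor VPN; and dave gets nothing because subgroup membership is not direct membership. The final form resolution then shows access policy data (option 5) overriding a prepopulate adapter (option 4) and the form defaults (option 1) for the fields it supplies.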

Creating Access Policies

You can define an access policy for provisioning resources to user groups and users by using the Access Policy Wizard.

To create an access policy:

  1. To open the Create Access Policies page, in the left pane of Administrative and User console, click Access Policies.

  2. Click Create.

    The Create Access Policy page is displayed.

  3. Enter information in the required fields indicated with an asterisk (*).

    Select With Approval to require a defined approver or proxy user to approve the resource to be provisioned to the user or group.

    Select Without Approval if no approval is required.

  4. Select Retrofit Access Policy to retrofit this access policy when it is created.

    Note:

    If you select Retrofit Access Policy, then the access policy is applied to all existing users of the groups that you select in Step 12 of this procedure.

    If you do not select this option, then existing group memberships are not taken into consideration.

  5. Click Continue.

    The Create Access Policy - Step 2: Select Resources (to provision) page is displayed.

  6. Specify the resource to be provisioned for this access policy.

    Search for resources by using the filter search menu.

    • Select the name of the resource from the results table, and then click Add.

    • The names of the desired resources to provision appear in the Selected list. If you want to create an access policy that only denies resources, click Continue without selecting a resource.

    • To unassign the selected resources, highlight the resource in the Selected list and click Remove.

  7. Click Continue.

    If there is a form associated with this resource, the subsequent pages display the required fields. Otherwise, the Create Access Policy - Step 2: Select Resources to Revoke page is displayed. It is strongly recommended that you do not specify policy defaults for passwords and encrypted attributes.

  8. Specify whether the resources are to be revoked if the access policy no longer applies.

    Select the check boxes for the resources you want to revoke automatically from the results table.

  9. Click Continue.

    The Create Access Policy - Step 3: Selected Resources (to deny) page is displayed.

  10. Use this page to select resources to be denied by this access policy.

    To select resources to be denied:

    1. Select the resources from the results table.

    2. Click Add to place the resource in the Selected list.

      You must select at least one resource to deny if you have not selected any resources to be provisioned. Selecting the same resources to be denied as to be provisioned will automatically unassign them from the resources to be provisioned selection.

      Similarly, in Step a, assigning the same resources to be provisioned as you have already selected to be denied will automatically remove them from the resources to be denied selection. You can remove the resources that were selected to be denied. You do this by selecting those resources from the Selected list, and clicking Remove.

    3. Click Continue.

    The Create Access Policy - Step 4: Select Group page is displayed.

  11. Use the Create Access Policy - Step 4: Select Group page to associate a group with the access policy.

  12. To associate a group with this access policy:

    • Select the group from the results table, and then click Add.

    • The name of the selected group is displayed in the Selected field. You can delete the group name by using the Remove button.

    • You can specify user groups for this access policy. You can search for the required user groups by using the filter search menu.

    • Select the user groups from the results table, and then click Add. You must select at least one user group. The names of the selected user groups appear in the Selected list.

    • You can unassign the selected user groups by highlighting the user group in the Selected list and then clicking Remove.

  13. Click Continue.

    The Create Access Policy - Step 5: Verify Access Policy Information page is displayed.

  14. If you want to modify any of the selections you made in the preceding steps of this procedure, then click Change to go to the corresponding page of the wizard. After making the required modifications, click Continue to return to the Step 5: Verify Access Policy Information page.

  15. Click Continue to create the access policy.

Note:

When you create an access policy on a resource whose process form has a Password field, the password policy is not evaluated. For information about password policies, see Oracle Identity Manager Design Console Guide.

Managing Access Policies

You can use the Administrative and User Console to modify information in existing access policies.

To manage access policies:

  1. Click Manage under the Access Policies menu.

    The Manage Access Policies page is displayed.

    Use the menu in the search criteria field to select an access policy attribute. You can use the asterisk (*) wildcard character to search for all access policy instances that have any value for the attribute selected. Click Search Access Policies.

    The Manage Access Policies page is displayed with your search results.

  2. To view the details of the Access Policy you want, click Access Policy Name.

    The Access Policy Details page is displayed.

    To make modifications to this access policy, use the Change link at the end of each selection category.

  3. After you make the required modifications, click Update Access Policy.

    This access policy is updated, and the updated information is displayed on the Access Policy Details page.