| Oracle® Fusion Middleware User's Guide for Oracle Identity Manager 11g Release 1 (11.1.1) Part Number E14316-06 |
|
|
View PDF |
| Oracle® Fusion Middleware User's Guide for Oracle Identity Manager 11g Release 1 (11.1.1) Part Number E14316-06 |
|
|
View PDF |
Access policies are a list of roles and the resources with which roles are to be provisioned or deprovisioned. Access policies are used to automate the provisioning of target systems to users. This is explained with the help of the following example:
A user belongs to multiple roles created in Oracle Identity Manager. Suppose a role Role1 have membership rule assigned to it. Membership rules can be designed based on the organization that the user belongs to, such as "Organization Name = "Org1". Roles can have access policies assigned to them. An access policies states which resource would be provisioned and/or denied to a role when the access policy is applicable. Therefore, when a user is created in the Org1 organization, it satisfies a membership rule and grants the Role1 role to the user. This in turn triggers the access policy assigned to the role and then provision or deny the resources mentioned in the access policy.
This chapter describes how to create and use access policies for users and resources in Oracle Identity Manager. It contains the following sections:
This section describes the various features offered by the policy engine in the following sections:
Whenever an access policy is applied, provisioning of resources can take place in any one of the following ways:
The resources are either directly provisioned to the user without any request being generated.
A request is created, and provisioning of resources is subject to request approval.
Using the Administrative and User Console, you can specify whether you want to create the access policy with request approval or without request approval.
In an access policy with request:
The default process form for access policy is supported. This means that the data entered for default process form while creating access policy is used to populate request dataset.
Mandatory fields of request dataset must be populated by one of the following:
Process form defaults of access policy while defining access policy: This is because process form access policy defaults are used to populate corresponding request dataset.
Prepopulate adapters defined for request dataset.
Default data in the request dataset.
Access policy-based request is not created if all mandatory fields of request dataset are not populated by any one of process form defaults, prepopulate adapters, or default data in request dataset.
If request has already been created for a user for a specific resource and it is NOT in one of the following status, then new request is not created for the same user and resource combination:
Request Closed
Request Completed
Request Withdrawn
Request Failed
Template Approval Rejected
Request Approval Rejected
Operation Approval Rejected
Oracle Identity Manager access policies are not applied to subroles. Policies are only applied to direct-membership users (that is, users who are not in subroles) in the roles that are defined on the access policies. You can specify if a resource in a policy must be revoked when the policy no longer applies. If you do so, then these resources are automatically revoked from the users by Oracle Identity Manager when the policy no longer applies to the users.
While creating an access policy, you can select resources to be denied along with resources to be provisioned for roles. If you first select a resource for provisioning and then select the same resource to be denied, then Oracle Identity Manager removes the resource from the list of resources to be provisioned. If two policies are defined for a role in which one is defined to provision a resource and the other is defined to deny the resource, then Oracle Identity Manager does not provision the resource irrespective of the priority of the policies.
In Oracle Identity Manager, access policies can be evaluated in the following scenarios:
When a user is made a part of a role or removed from a role
The policy for the user is evaluated as part of the add or remove operation.
If the retrofit flag is set for the policy
These evaluations do not happen immediately after the action. Instead, they happen during the next run of the Evaluate User Policies schedule task. The evaluations can happen in the following scenarios:
Policy definition is updated so that the retrofit flag is set to ON. Policies are evaluated for all applicable users.
A role is added or removed from the policy definition. Policies are evaluated only for roles that is added or removed.
A resource is added, removed, or the Revoke If No Longer Applies flag value is changed for the resource. Policies are evaluated for all applicable users.
When policy data is updated or deleted. This includes both parent and child form data. Policies are evaluated for all applicable users.
Policy priority is a numeric field containing a number that is unique for each access policy you create. The lower the number, the higher is the priority of the access policy. For example, if you specify Priority =1, it means that the policy has the highest priority. When you define access policies through Oracle Identity Manager Administrative and User Console, the value 1 is always added to the value of the current lowest priority and the resultant value is automatically populated in the Priority field. Changing this value to a different number might result in readjusting the priority of all the other access policies, thus ensuring that the priorities remain consistent. The following actions are associated with the priority number:
If the priority number entered is less than 1, then Oracle Identity Manager will change the value to 1 (highest priority).
If the priority number entered is greater than M, in which M is the current lowest priority, then Oracle Identity Manager will specify the value as less than or equal to M+1.
Two access policies cannot have the same priority number. Therefore, assigning an already existing priority number to an access policy will lower the priority by 1 for all policies of lesser priority.
Conflicts can arise from multiple access policies being applied to the same user. Because a single instance of a resource is provisioned to the user through access policies, Oracle Identity Manager uses the highest priority policy data for a parent form. For child forms, Oracle Identity Manager uses cumulative records from all applicable policies.
There are multiple ways in which process form data is supplied for resources during provisioning. The following is the order of preference built into Oracle Identity Manager:
Default values from the form definition
Organization defaults
Values obtained through data flow from dataset to process form
Prepopulate adapters
Access policy data if resource is provisioned because of a policy
Data updated by Process Task or Entity Adapters
If a given option is available, then the rest of the options that are at a lower order of preference are overridden. For example, if Option 4 is available, then Options 3, 2, and 1 are ignored.
In earlier releases of Oracle Identity Manager, access policies can be used to manage only a single account for a resource object. If there are multiple target systems for a resource object, then access policies can be used to manage only a single account in a single target system.
A target system, such as UNIX server, Active Directory (AD) server, database, SAP, or JD Edwards, is the external system to Oracle Identity Manager that must be provisioned to users in Oracle Identity Manager. The target system is represented by an entity called resource in Oracle Identity Manager. The server on which target system is installed is represented by IT resource in Oracle Identity Manager. And the login credentials provided to user accessing this target system is represented by an account in Oracle Identity Manager. A user can have multiple accounts on a single target system. For example, one account can be a service (administrator) account and another a regular account. Therefore, it is mandatory to have two accounts for a same user in a single target system. In addition, it is possible to have different instances of target system, such as multiple UNIX servers, database servers, and AD servers. As a result, it is required to create accounts on each instance of the target system for the same user.
In Oracle Identity Manager 11g Release 1 (11.1.1), access policies can provision multiple accounts in the same target system as well as a single account in multiple instance of the same target system. While evaluating access policies and provisioning resources to user, Oracle Identity Manager checks if the resource has already been provisioned to the user or not. This is determined by checking the resource key (OBJ_KEY) of the resource provisioned to user. To have multiple instances to be provisioned through access policy, another criteria called account discriminator along with OBJ_KEY is required to distinguish the multiple instances of the same resource. Therefore, access policy checks the resource key as well as account discriminator to decide if the resource has been provisioned or not.
The account discriminator is a field on a process form (account data) that distinguishes two accounts of the same user, which can be present on the same target system or different target systems. For example:
If user Jane.Doe is to be provisioned two accounts on two different UNIX servers, then IT resource can be used as account discriminator.
If user John.Doe is to be provisioned two accounts on the same database instance, then distinct login IDs can be used as account discriminator.
By default, Oracle Identity Manager does not support multiple account provisioning. To enable multiple account provisioning, you must set the value of the XL.AllowAPBasedMultipleAccountProvisioning system property to TRUE. For information about this system property, see "Predefined System Properties" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
If there are multiple resources that need to be provisioned because of access policy evaluation, a single bulk request is created. The bulk request requires a single request-level approval, but multiple operation-level approvals for which approver can approve each request individually at operation level.
See Also:
"Bulk Requests and Child Requests" for information about bulk requests
"19.5.2 Approval Levels" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for information about various levels of request approval
"Provisioning Multiple Instances of a Resource Object To Multiple Target Systems" for the steps to provision data from multiple target systems
You can define an access policy for provisioning resources to users who have roles defined in the policy by using the Access Policy Wizard.
To create an access policy:
Login to the Oracle Identity Manager Administrative and User Console, and navigate to Advanced Administration.
To open the Create Access Policies page, under Policies, click Create Access Policy.
Enter information in the required fields indicated with an asterisk (*), such as access policy name and description.
Note:
The following special characters are not allowed in the access policy name:Semicolon (;)
Hash (#)
Percentage (%)
Equal to (=)
Bar (|)
Plus (+)
Comma (,)
Forward slash (/)
Back slash (\)
Single quote (')
Double quote (")
Less than (<)
Greater than (>)
For the Provision field, select any one of the following options:
Without Approval: Selecting this option creates the access policy without request approval. The resources are directly provisioned to the user without any request being generated.
With Approval: Selecting this option creates the access policy with request approval. On creating the access policy, a request is created, and provisioning of resources is subject to request approval.
Select Retrofit Access Policy to retrofit this access policy when it is created.
Note:
If you select Retrofit Access Policy, then the access policy is applied to all existing roles that you select in Step 13 of this procedure.If you do not select this option, then existing role memberships are not taken into consideration.
Click Continue.
The Create Access Policy - Step 2: Select Resources (to provision) page is displayed.
Specify the resource to be provisioned for this access policy.
Search for resources by using the filter search menu.
Select the name of the resource from the results table, and then click Add.
The names of the desired resources to provision appear in the Selected list. If you want to create an access policy that only denies resources, click Continue without selecting a resource.
To unassign the selected resources, highlight the resource in the Selected list and click Remove.
Click Continue.
If there is a form associated with this resource, the subsequent pages display the required fields. Otherwise, the Create Access Policy - Step 2: Select Resources to Revoke page is displayed. It is recommended that you do not specify policy defaults for passwords and encrypted attributes.
Specify whether or not access policies are to be revoked if they no longer apply.
Select the check boxes for the resources you want to revoke automatically from the results table.
Click Continue.
The Create Access Policy - Step 3: Selected Resources (to deny) page is displayed.
Use this page to select resources to be denied by this access policy.
To select resources to be denied:
Select the resources from the results table.
Click Add to place the resource in the Selected list.
You must select at least one resource to deny if you have not selected any resources to be provisioned. Selecting the same resources to be denied as to be provisioned will automatically unassign them from the resources to be provisioned selection.
Similarly, in Step a, assigning the same resources to be provisioned as you have already selected to be denied will automatically remove them from the resources to be denied selection. You can remove the resources that were selected to be denied. You do this by selecting those resources from the Selected list, and clicking Remove.
Click Continue.
The Create Access Policy - Step 4: Select Roles page is displayed.
Use the Create Access Policy - Step 4: Select Group page to associate a group with the access policy.
To associate a role with this access policy:
Select the role from the results table, and then click Add. You must select at least one role. The names of the selected roles appear in the Selected list.
You can delete the role name by clicking Remove.
Click Continue.
The Create Access Policy - Step 5: Verify Access Policy Information page is displayed.
If you want to modify any of the selections you made in the preceding steps of this procedure, then click Change to go to the corresponding page of the wizard. After making the required modifications, click Continue to return to the Step 5: Verify Access Policy Information page.
Click Create Access Policy to create the access policy.
Note:
When you create an access policy on a resource having a process form with Password field, the password policy is not evaluated. For information about password policies, see Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.You can use Oracle Identity Manager Administrative and User Console to modify information in existing access policies.
To manage access policies:
Click Manage Access Policies under the Policies menu.
The Manage Access Policies page is displayed.
Use the menu in the search criteria field to select an access policy attribute. You can use the asterisk (*) wildcard character to search for all access policy instances that have any value for the attribute selected. Click Search Access Policies.
The Manage Access Policies page is displayed with your search results.
To view the details of the Access Policy you want, click Access Policy Name.
The Access Policy Details page is displayed.
To make modifications to this access policy, use the Change link at the end of each selection category.
After you make the required modifications, click Update Access Policy.
This access policy is updated, and the updated information is displayed on the Access Policy Details page.
To provision multiple instances of a resource object to multiple target systems:
Create an IT resource type by using the IT Resources Type Definition Form in the Oracle Identity Manager Design Console. For information about using this form, see "IT Resources Type Definition Form" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
Create multiple IT resource instances of the IT resource type that you created in step 1. For information about creating IT resources, see "Creating IT Resources" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
Here, IT resource instance is the account discriminator. See "Provisioning Data From Multiple Target Systems" for information about account discriminator.
Create a process form with a field of type that you created in step 1. For information about creating process forms, see "Developing Process Forms" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
Create a resource object. For information about creating a resource object, see "Creating a Resource Object" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
Create a process definition, and associate the resource object and process form. For information about creating a process definition, see "Creating a Process Definition" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
Create access policies associating a role and resource object. See "Creating Access Policies" for details.
|
 Copyright © 1991, 2011, Oracle and/or its affiliates. All rights reserved. Legal Notices |
|
