Access policy harvesting in OIM 11g

This post describes the Access Policy Harvesting feature introduced in the OIM 11gR2 PS2 release.

What is Access Policy harvesting?

I will explain it by example.

Consider an organization XYZ that has a role-based provisioning / de-provisioning mechanism. The organization has multiple target resources that a user may receive according to his role, and it decides to use roles and access policies to make this work. But what about the users' existing accounts? Yes, we can reconcile those accounts, but they will not be linked to the appropriate access policies. Because these accounts were not created through an access policy, they will never be modified (revoked or disabled) through an access policy.

The Access Policy Harvesting feature lets us link existing reconciled accounts to access policies.

How to enable Access Policy harvesting?

By default, this feature is disabled in OIM. Here is the procedure to enable access policy harvesting.
  1. Set the system properties XL.AllowAPHarvesting and XL.AllowAPBasedMultipleAccountProvisioning to TRUE.
  2. Set the Retrofit flag to YES for every access policy whose accounts need to be linked.
  3. Populate the IT Resource field in the access policy's default data.
  4. Identify a field on the process form as the discriminator and set its Account Discriminator property to True. Populate the access policy's default data for the account discriminator field as well. (If you want to provision multiple instances of the same resource, choose a unique field that distinguishes two resource instances as the discriminator; otherwise, make IT Resource the discriminator field.)

How to link the reconciled accounts using Access Policy Harvesting?

The following sequence must be followed to link accounts via harvesting.

  1. Reconcile all accounts for the user(s) covered by the access policy and make sure every account gets linked to the user(s).
  2. Run the 'Evaluate User Policies' scheduled job.
  3. Use the query below to check whether harvesting has been done.


You can verify that OIU_PROV_MECHANISM = 'AP HARVESTED' and that OIU.POL_KEY has been populated with an integer value.

Please see the result below.

In the result above, only the first account was reconciled; the other account was provisioned through an access policy. So the reconciled account was successfully harvested using Access Policy Harvesting.
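As an added example (not the author's query), the following SELECT reports, for one user, each account's provisioning mechanism and the access policy it is linked to, so harvested accounts stand out from accounts that are still unlinked. OIU_PROV_MECHANISM and OIU.POL_KEY come from the post; the joins to USR, OBI, OBJ and POL and the sample login are assumptions about the OIM 11g schema.

```sql
-- Added example, not the post's own query.
-- OIU holds one row per account instance; OIU_PROV_MECHANISM and POL_KEY
-- are the columns the post says to check. Joins to USR (user), OBI/OBJ
-- (resource object) and POL (access policy) are assumed schema relations.
SELECT usr.usr_login,
       obj.obj_name              AS resource_object,
       oiu.oiu_prov_mechanism    AS prov_mechanism,
       oiu.pol_key,
       pol.pol_name              AS access_policy,
       CASE
         -- value named in the post: account linked by harvesting
         WHEN oiu.oiu_prov_mechanism = 'AP HARVESTED'
              AND oiu.pol_key IS NOT NULL THEN 'HARVESTED'
         -- linked to a policy by some other mechanism (e.g. AP provisioning)
         WHEN oiu.pol_key IS NOT NULL     THEN 'LINKED TO POLICY'
         -- reconciled account that no access policy will ever revoke/disable
         ELSE                                  'NOT LINKED'
       END                       AS link_status
FROM   oiu
       JOIN usr      ON usr.usr_key = oiu.usr_key
       JOIN obi      ON obi.obi_key = oiu.obi_key
       JOIN obj      ON obj.obj_key = obi.obj_key
       LEFT JOIN pol ON pol.pol_key = oiu.pol_key   -- NULL when not linked
WHERE  usr.usr_login = 'JDOE'                       -- constructed sample login
ORDER  BY obj.obj_name;
```

Rows showing 'NOT LINKED' after the 'Evaluate User Policies' job are the accounts to re-check against the Retrofit flag and discriminator settings above.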