
Access Policy








PS 3: 
Access Policy

Only direct provisioning is now supported. Request-based access policy has been removed...
From a UI perspective, AP -> role assignment is done in the Role screen and NOT in the AP screen.
An Access Policy owner has been added, but it is of no use.
As earlier, access policies are not applied to subroles.
As earlier, "Disable if no longer applies" on any applicable policy with the same resource object will supersede revoke on the applied policy for the same resource object. This setting is stored at the time of user creation; any later change to this flag will not affect accounts that were created before the change.
As earlier, resource deny takes precedence.
Policy Evaluation Process - http://docs.oracle.com/cd/E52734_01/oim/OMADM/accesspolicies.htm#OMADM2255
As earlier, AP Harvesting looks similar
Harvesting is triggered when User-Role Membership is bulk loaded or reconciled.
As earlier, multiple accounts: access policies can provision multiple accounts in the same target system (each with a different access policy) as well as a single account in multiple instances of the same target system. The account discriminator along with OBJ_KEY is used to uniquely identify an account for the resource.
TODO: Documentation still screwed up for this.
Identity Audit Policy (SOD) is not evaluated during access policy
ITResource field cannot be edited on the form once the policy has been created.
AP Troubleshooting:  1563379.1
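
The precedence rules noted above (resource deny wins, "Disable if no longer applies" supersedes revoke, and the flag is stored with the account when it is created) can be checked against a small model. This is an added example, not OIM code or Oracle's evaluation engine; the class, function, policy, role and resource names are hypothetical, and behaviour in cases the notes do not cover is an assumption of the model.

```python
# Simplified model of the access policy precedence rules in these notes.
# Added example with hypothetical names; not Oracle Identity Manager code.
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    roles: set        # roles the policy is attached to
    provision: dict   # resource object -> True = disable if no longer applies, False = revoke
    deny: set = field(default_factory=set)

def evaluate(policies, user_roles):
    """Return {resource: dnla_flag} that the user's direct roles entitle them to."""
    applicable = [p for p in policies if p.roles & user_roles]
    denied = set().union(*(p.deny for p in applicable))
    wanted = {}
    for p in applicable:
        for res, dnla in p.provision.items():
            if res in denied:
                continue  # resource deny takes precedence over any provision
            # a disable flag on any applicable policy supersedes revoke
            wanted[res] = wanted.get(res, False) or dnla
    return wanted

def reconcile(accounts, policies, user_roles):
    """Update accounts ({resource: {"status", "dnla"}}) in place; return the actions taken."""
    wanted = evaluate(policies, user_roles)
    actions = []
    for res, dnla in wanted.items():
        if res not in accounts:  # model covers first-time provisioning only
            accounts[res] = {"status": "Provisioned", "dnla": dnla}  # flag stored at creation
            actions.append(("provision", res))
    for res, acct in accounts.items():
        if res not in wanted and acct["status"] == "Provisioned":
            action = "disable" if acct["dnla"] else "revoke"  # stored flag, not current policy
            acct["status"] = "Disabled" if acct["dnla"] else "Revoked"
            actions.append((action, res))
    return actions

def sample_policies():
    """Constructed sample data: two policies on the same resource, one deny policy."""
    return [
        Policy("AD-Base", {"Employee"}, {"AD User": False}),
        Policy("AD-Finance", {"Finance"}, {"AD User": True, "ERP": False}),
        Policy("Contractor-Block", {"Contractor"}, {}, deny={"ERP"}),
    ]

if __name__ == "__main__":
    accounts = {}
    print(reconcile(accounts, sample_policies(), {"Employee", "Finance", "Contractor"}))
    print(reconcile(accounts, sample_policies(), set()))
```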

Forms:
Entitlement forms are supported (Generate Entitlement Forms). TODO: check if this option was available earlier, and also if Bulk Update selection was available earlier. Entitlement forms are child objects with one attribute marked as entitlement.