Monday, September 6, 2010

OIM Howto: Target system group memberships through OIM groups and access policies

In OIM there are often multiple ways to implement the same functionality.

One such case is target system group memberships. In Leverage standard connector group management I described how to leverage the functionality provided by the OIM AD connector to manage AD group memberships. You can also use that same connector functionality together with the OIM rules, groups and access policies framework to manage group memberships:

  1. Create a rule that adds users to an OIM group under certain circumstances (e.g. user location is "New York" or cost center is 2387)
  2. Add an access policy to that group that provisions the AD user object to the user, with the group child form row set to grant the appropriate AD group

You can give a specific user more than one AD group through this strategy, as the access policy evaluation engine basically adds the union of all child form rows to the process form of the access policy with the highest priority. Where you do run into trouble is if the same AD group membership is given to the same user by more than one access policy. If this happens, the second group membership add will result in an error.

Taking the route over OIM groups and access policies has the advantage of making things clearer for administrators as well as auditors. It makes it possible to use certain out of the box OIM reports that cover OIM group memberships as proxies for AD group membership reports, which is certainly helpful in certain situations.
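To make the evaluation described above concrete, here is an added model (not OIM code, and the rule and policy structure is a simplified assumption) of how membership rules feed OIM groups, how the applicable access policies merge into one AD request, and how to spot the case where two policies grant the same AD group. The policy layout follows the base-AP-plus-group-APs pattern; all group DNs and OUs are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPolicy:
    name: str
    oim_group: str          # OIM group whose members receive this policy
    priority: int           # lower number = higher priority, as in OIM
    process_form: dict      # AD parent form values (OU etc.)
    ad_groups: tuple = ()   # AD group child form rows this policy adds


# Constructed rules: OIM group -> membership predicate on user attributes
RULES = {
    "All Users": lambda u: True,
    "New York Staff": lambda u: u.get("location") == "New York",
    "Cost Center 2387": lambda u: u.get("costcenter") == 2387,
}

# Constructed policies: a low-priority base AP that gives the AD account
# without groups, plus higher-priority APs that add group child rows.
NY_USERS = "CN=NY-Users,OU=Groups,DC=example,DC=com"
FINANCE = "CN=Finance,OU=Groups,DC=example,DC=com"
POLICIES = [
    AccessPolicy("AP-AD-Base", "All Users", 99, {"ou": "OU=Staff,DC=example,DC=com"}),
    AccessPolicy("AP-NY", "New York Staff", 1, {"ou": "OU=NY,DC=example,DC=com"}, (NY_USERS,)),
    AccessPolicy("AP-CC2387", "Cost Center 2387", 2, {"ou": "OU=Finance,DC=example,DC=com"},
                 (FINANCE, NY_USERS)),
]


def oim_groups_for(user, rules=RULES):
    """OIM groups the user lands in after rule evaluation."""
    return {grp for grp, pred in rules.items() if pred(user)}


def evaluate(user, rules=RULES, policies=POLICIES):
    """Parent form from the highest-priority applicable AP, child rows as the
    union of all applicable APs, and the groups granted by more than one AP
    (the second add of such a group is the error the post warns about)."""
    member_of = oim_groups_for(user, rules)
    applicable = sorted((p for p in policies if p.oim_group in member_of),
                        key=lambda p: p.priority)
    if not applicable:
        return None              # no AP applies: no AD account is provisioned
    granted_by = {}
    for p in applicable:
        for g in p.ad_groups:
            granted_by.setdefault(g, []).append(p.name)
    return {
        "process_form": dict(applicable[0].process_form),
        "ad_groups": sorted(granted_by),
        "conflicts": {g: names for g, names in granted_by.items() if len(names) > 1},
    }
```

Running `evaluate` over the intended user population before deploying the policies flags every AD group that more than one AP would hand to the same user, which is the situation to design out by giving each AD group exactly one granting AP.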


  1. "Where you do run into trouble is if the same AD group membership is given to the same user by more than one access policy. If this happens, the second group membership add will result in an error."
    Are you sure of this? My understanding is that OIM is checking the content of the child form. It will detect that the group already exists and will not execute any provisioning task to AD.
    I'm not sure of the behavior when one of the membership rules is not valid anymore. I would assume that the user will keep its AD group membership through the other AP, but with OIM, it's worth checking...

  2. You are completely right that OIM will detect the fact that the group membership already exists and there will be no provisioning to AD. The issue is that if there is another AP that provisions the same group, the second AP will generate an OIM task that gets rejected. Not very graceful, but in most cases not a huge issue.

    Here is the OTN discussion that spawned the posting: ://

  3. Hi Martin.
    What happens when you want to take away a membership from a certain AD group, but not the entire resource/rest of the groups?
    We have a situation where we want to implement AD group membership through OIM groups and access policies (like you mention in your post). However, when a certain user should no longer have the AD group, we would delete the OIM group membership for that user. This would lead to the access policy being revoked and the entire AD resource being deprovisioned from the user. This is not a good solution for us. Any suggestions?

    thank you.

  4. It is possible that you can support this use case in OOTB OIM by the following method.

    1. Create an AP with a very low priority that gives the base AD object without any groups. This AP should be applied to all users.

    2. Create APs with higher priority to implement the group provisioning.

    In provisioning, the group APs will only impact the AD group child form by adding extra rows. I would expect that the same thing but in reverse would happen when you remove the OIM group membership.

    If this doesn't work, then you would have to build a custom AP engine, which is doable but would require some work.

  5. Thanks Martin. It worked very well. :)

  6. Hi Martin,
    A very basic question - in OIM, is group membership the trigger for an Access Policy to be applied? Or is there some behind-the-scenes process that enforces the access policy on users who belong to the specific group?
    I have a scenario where Access Policy was applied to a group "A". This was temporarily disabled by changing the Access Policy to apply to a dummy "Unused" group. When in this state, a new user was added to group "A". But when the Access Policy was changed back to apply on group "A", it did not pick up this new user or provision the resources. Is this the expected behavior? (I do have "Retrofit Access Policy" set to yes).
    Thank you.

  7. Try running the scheduled tasks "Set User Provisioned Date" and "Evaluate User Policies".

    Otherwise just move the users out of the group and move them back in again.

  8. Fannie Mae is looking for Production people with OIM experience.

    Location: Reston VA
    Rate: 65/Hr on W2

    This position will provide 24/7 coverage for the Oracle Identity Management and Oracle Identity Analytics product suite. The position will support a Java-based identity access workflow application running on Linux and Windows servers.
    The position will support WebLogic middleware application cluster server configuration. Knowledge of Linux/Unix commands and scripting is expected. Extensive knowledge of Oracle Database and SQL queries is required to support the Java-based application.

    100% production support role. Needs either past experience in OIM or OIA (both are Java applications), or the manager will also consider Java developers willing to do production support (100% prod support). Ideally the manager wants to hire 2 people. One person should be strong in OIM and the other strong in OIA (also called Sun Role Manager, the old name for OIA). If we don't find these people, he will also take strong Java developers for these roles.

    Thanks and regards,
    Nina Coleman
    Sr. Technical Recruiter
    Technology Ventures
    703-945-1758 (work)

    We offer a $1000 referral bonus for every referral of yours we place successfully.

  9. Hi Martin,

    I was wondering where we map protected URLs to roles?
    For example, I have some URLs that need to be protected through OAM. Now based on the URL, the user should get the screen. I have users and roles in OID.
    My doubt is: once the user is authenticated, how is IDM confirming whether the user has access to a particular URL or not?
    Or is there any way to do so? Can I map my 50 URLs to 50 roles and assign these roles to users in Oracle IDM?

    Any thoughts appreciated.

  10. What I would recommend is to create OID roles based on what makes sense from an application standpoint. An example would be an application having a sys admin role, a teller role and a shift manager role.

    Map the URLs to these roles through an OAM policy with an appropriate URL pattern.

    Provision the OID roles through OIM.

  11. Hi Martin,

    I ran into a strange behavior of OIM. I created a role and a membership rule, I was able to preview the result of the rule. But after I saved the rule I was not able to see any members in the list. Could you advise if I'm missing something?