OIM R2 PS2 delivers a long-awaited feature: access policy harvesting. It adds flexibility to the way OIM access policies can be used.
This is another post in the Oracle Identity Manager Academy from the Fusion Security Blog. For the entire post list click here.
To understand what this feature brings, let us first recall the past: in previous OIM releases it was not possible to associate reconciled accounts with access policies. The impact of this restriction was that a reconciled account could not be changed or revoked by a configured access policy. Put another way: access policies could manage only the accounts they had initially provisioned; they could not manage directly provisioned or reconciled accounts. The same was true for accounts loaded through the bulkload utility.
Because of this restriction, some OIM customers implemented workarounds such as manually modifying the OIM database to associate accounts with access policies, or forcing provisioning of an account through an access policy and then, once that provisioning failed, manually completing the provisioning tasks.
The restriction is gone: OIM can now associate reconciled accounts with access policies properly, so access policies can manage accounts that were not provisioned through them. This is a very welcome feature, especially because many customers rely on target reconciliation to bring existing users' accounts into OIM, and the same applies to bulk-loaded accounts.
The following statements are available in OIM release notes:
"Oracle Identity Manager enables you to link the reconciled and bulk loaded accounts to pre-existing access policies by running the 'Evaluate User Policies' scheduled task, and therefore, such reconciled and bulk loaded accounts can be managed via access policies. The linking of access policies to reconciled or bulk loaded accounts is also referred to as access policy harvesting.
Only reconciled and bulk loaded accounts are linked with access policy, which means that the direct or request-based provisioned accounts are not considered for access policy harvesting."
It is important to pay attention to the second statement in the excerpt above: only reconciled and bulk-loaded accounts are considered for access policy harvesting; directly or request-based provisioned accounts are not.
A few configuration steps are required to enable access policy harvesting; they are documented here.