Policies in OIA and association with Role, Resource Type, Resource

Policies in OIA define the account attributes and privileges (entitlements) that users have on different platforms or applications. For example, if you want OIA to create users in Active Directory, including membership of an AD group (this assumes AD is integrated with a provisioning server such as OIM, and that the provisioning server is integrated with OIA), then:

a) Create a Policy with resource Active Directory and select the AD group in the Assigned Groups form
b) Assign this Policy to a Role
c) Assign the Role to the users that require an account (including the group membership) in Active Directory


Things you must know about POLICIES in OIA

1. Policies are created for a Resource Type (NAMESPACE) and must have at least one Resource (ENDPOINT), so before creating a Policy you must have the resource type and resource defined. More on Resource Type (NAMESPACE) and Resource (ENDPOINT) in OIA here

2. Each Policy can have one or more Resources (ENDPOINT). The association between a Policy and its Resources (ENDPOINT) is maintained in table ENDPOINT_POLICIES (columns policy_id and endpoint_id)

3. Policies are stored in the POLICIES table (policykey and namespacekey in the POLICIES table link a policy to a namespace/resource type)

4. To create a policy in OIA, select Identity Warehouse -> Policies -> New Policy

5. After a policy is created its status is Composing. You must send the Policy for Approval after creating it. (Policies not yet approved are displayed in the bottom-left menu bar in OIA)


6. If you modify a policy in OIA, the system automatically creates a new version of the Policy and stores the old and new versions in table POLICY_VERSIONS.

7. If you modify a policy in OIA, apart from creating a new version of the Policy (covered in the previous step), the new version of the policy goes for approval to the Policy Owner. The Policy Approval Process is covered in workflows. More on workflows in OIA here

8. A Policy may have zero or more Policy Owners; all approvals related to policy changes go to the Policy Owners. (If there is no Policy Owner and you send the policy for approval, the system automatically approves the policy change, so a policy without owners has no human review of changes to the entitlements it grants.)

9. Policy Owners are Global Users (and NOT OIA Users); to understand the difference between OIA Users and Global Users click here (the users ATUL30 and USER31 you see here are Global Users)


10. Policy Owners are stored in table POLICY_OWNERS (the policyid and owner_id columns link a Policy Owner to an OIA Global User)

11. Policies in Oracle Identity Analytics (OIA) correspond to "Access Policies" in Oracle Identity Manager (OIM)

12. If OIA is integrated with OIM (as Provisioning Server) (More on OIA integration with OIM here and here), then OIA's workflow can be used to automatically send changes in a Policy from OIA to OIM (More on configuring OIA to export policy changes to OIM here)

The image below shows policies in OIM (created from OIA)


13. Policies are assigned to ROLES, and ROLES are assigned to Global Users.

14. Each ROLE in OIA can have zero or more POLICIES associated with it.

15. The association between POLICY and ROLE is stored in the ROLE_POLICIES table (in the rbacxservice schema)

16. You can define Segregation of Duties (SoD) at policy level (more on SoD between policies here)

17. You can import policies in bulk from a CSV file (create a schema file in .rbx format and an input file named <resource_type_short_name>_<filenumber>_policies, then run the job Import Policies). More on importing policies in OIA here

18. Policies can also be associated with a Business Structure (Business Unit); the association is stored in table BU_POLICIES (More on the association of Policy, Role, and Business Structure/Business Unit later)
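The queries below are an added example, not from the original post or from Oracle's OIA documentation. They are read-only queries against the rbacxservice schema that show how the tables named in items 2, 3, 8, 10 and 15 tie a Policy to its resource type, resources, roles and owners, and they end with the check a reviewer usually wants: which policies have no owner and therefore get auto-approved on change. The column names the post states (POLICIES.policykey/namespacekey, ENDPOINT_POLICIES.policy_id/endpoint_id, POLICY_OWNERS.policyid/owner_id) are used as given; every other table or column name (NAMESPACES, ENDPOINTS, the *_name columns, ROLE_POLICIES.role_id/policy_id) is an assumption and is marked ASSUMED in the code, so run the first query and correct the names before relying on the joins.

```sql
-- Added example (not the post's own or Oracle's code): read-only inspection
-- of policy wiring in the OIA rbacxservice schema (Oracle SQL).

-- 1. Confirm the real column names before trusting any join below.
--    ALL_TAB_COLUMNS is a standard Oracle data-dictionary view; the schema
--    name is the one the post gives (rbacxservice).
SELECT table_name, column_name, data_type
  FROM all_tab_columns
 WHERE owner = 'RBACXSERVICE'
   AND table_name IN ('POLICIES', 'ENDPOINT_POLICIES', 'ROLE_POLICIES',
                      'POLICY_OWNERS', 'POLICY_VERSIONS', 'BU_POLICIES')
 ORDER BY table_name, column_id;

-- 2. Policy -> resource type (namespace) -> resources (endpoints).
--    POLICIES.policykey / namespacekey and ENDPOINT_POLICIES.policy_id /
--    endpoint_id are the columns named in the post. NAMESPACES, ENDPOINTS
--    and the *_name / *key columns on them are ASSUMED.
SELECT p.policykey,
       p.policy_name,                        -- ASSUMED column
       ns.namespace_name,                    -- ASSUMED table and column
       ep.endpoint_name                      -- ASSUMED table and column
  FROM rbacxservice.policies p
  JOIN rbacxservice.namespaces ns
    ON ns.namespacekey = p.namespacekey      -- ASSUMED key column
  LEFT JOIN rbacxservice.endpoint_policies epol
    ON epol.policy_id = p.policykey
  LEFT JOIN rbacxservice.endpoints ep
    ON ep.endpointkey = epol.endpoint_id     -- ASSUMED key column
 ORDER BY p.policykey, ep.endpoint_name;

-- 3. Policy -> roles that grant it (item 15, ROLE_POLICIES) and
--    policy -> owners (item 10, POLICY_OWNERS.policyid / owner_id).
--    Drop the HAVING clause to see every policy; as written it lists only
--    policies with no owner, i.e. the ones whose changes the system
--    approves automatically (item 8) with no human review.
SELECT p.policykey,
       p.policy_name,                        -- ASSUMED column
       COUNT(DISTINCT rp.role_id)  AS roles_granting_policy,  -- ASSUMED column
       COUNT(DISTINCT po.owner_id) AS policy_owners
  FROM rbacxservice.policies p
  LEFT JOIN rbacxservice.role_policies rp
    ON rp.policy_id = p.policykey            -- ASSUMED column
  LEFT JOIN rbacxservice.policy_owners po
    ON po.policyid = p.policykey
 GROUP BY p.policykey, p.policy_name
HAVING COUNT(DISTINCT po.owner_id) = 0
 ORDER BY roles_granting_policy DESC;
```

Run these as a read-only database user; they only read the schema. A policy that shows up in query 3 with a non-zero roles_granting_policy count is one whose entitlements reach real users through roles while any edit to it is approved without an owner ever seeing it, which is the gap a reviewer should close by assigning a Policy Owner (and, as the comments below note, an OIA user with the same name so that owner can actually log in and approve).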


About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy: specialising in design, implementation, and training.


4 comments
rigtenzin says February 4, 2013

I don’t understand how a policy owner could be a global user, because global users have no way to approve policy changes. By definition a global user can’t see the OIA console.

Please explain what I am missing.

    Atul Kumar says February 5, 2013

    @rigtenzin,
    You are right that global user can’t see OIA console so how can they approve Policy. When you define policy and select policy owners, you can only select policy owner from GLobal Users (and not OIA user), you then should either have OIA user (that can login to OIA console) or must create OIA user with same name as global user to approve policy chnages. I hope this explains

    Reply
rigtenzin says February 25, 2013

Thanks for your last answer. My next question is that I can’t get manual remediation completed for a user’s revoked access to a resource. I’ve removed the user’s account from the resource in OIA, but remediation is still 0%. Also, I enabled the certificationRemediationJob and trigger in schedule-context.xml and jobs.xml already.

I must be missing something.

rigtenzin says February 28, 2013

How do I import users into a role when I have more than 500 users? The roles GUI only allows you to add 500 users.
