Policies in OIA and association with Role, Resource Type, Resource

Policies in OIA define the account attributes and privileges (entitlements) that users have on different platforms or applications. For example, if you want OIA to create users in Active Directory, including membership of an AD group (assuming AD is integrated with a provisioning server such as OIM, and that provisioning server is integrated with OIA), you would:

a) Create a policy with resource Active Directory and select the AD group in the Assigned Groups form
b) Assign this policy to a Role
c) Assign the Role to users that require an account (including the group membership) in Active Directory


Things you must know about POLICIES in OIA

1. Policies are created for a Resource Type (NAMESPACE) and must have a Resource (ENDPOINT), so before creating a Policy you must have a resource type and a resource defined. More on Resource Type (NAMESPACE) and Resource (ENDPOINT) in OIA here

2. Each Policy can have one or more Resources (ENDPOINT). Information about a Policy's association with a Resource (ENDPOINT) is maintained in table ENDPOINT_POLICIES (columns policy_id and endpoint_id).

3. Policies are stored in the POLICIES table (the policykey and namespacekey columns in the POLICIES table link a policy to a namespace/resource type).

4. To create a policy in OIA, select Identity Warehouse -> Policies -> New Policy

5. After a policy is created, its status is Composing. You must send the Policy for Approval after creating it. (Policies not yet approved are displayed in the bottom-left menu bar in OIA.)


6. If you modify a policy in OIA, the system automatically creates a new version of the Policy and stores the old and new versions in table POLICY_VERSIONS.

7. If you modify a policy in OIA, apart from a new version of the Policy being created (covered in the previous step), the new version of the policy goes for approval to the Policy Owner. The Policy Approval Process is covered under workflows; more on workflows in OIA here

8. A Policy may have one or more Policy Owners; all approvals related to policy changes go to the Policy Owners. (If there is no policy owner and you send a policy for approval, the system automatically approves the policy change.)

9. Policy Owners are Global Users (and NOT OIA Users); to understand the difference between OIA Users and Global Users click here. (The users ATUL30 and USER31 you see here are Global Users.)


10. Policy owners are stored in table POLICY_OWNERS (the policyid and owner_id columns link a Policy Owner to an OIA Global User).

11. Policies in Oracle Identity Analytics (OIA) correspond to "Access Policies" in Oracle Identity Manager (OIM).

12. If OIA is integrated with OIM (as Provisioning Server) (more on OIA integration with OIM here and here), then OIA's workflow can be used to automatically send changes in a Policy from OIA to OIM (more on configuring OIA to export policy changes to OIM here).

The image below shows policies in OIM (created from OIA).


13. Policies are assigned to ROLES, and ROLES are assigned to Global Users.

14. Each ROLE in OIA can have zero or more POLICIES associated with it.

15. The association between POLICY and ROLE is stored in the ROLE_POLICIES table (in the rbacxservice schema).

16. You can define Segregation of Duties (SoD) at the policy level (more on SoD between policies here).

17. You can import policies in bulk from a CSV file (create a schema file in .rbx format and an input file named <resource_type_short_name>_<filenumber>_policies, then run the job "import policies"); more on importing policies in OIA here

18. Policies can also be associated with a Business Structure (Business Unit); this association is stored in table BU_POLICIES (more on the association of Policy, Role, and Business Structure/Business Unit later).
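As an added example (not from this post or from Oracle's own documentation), here are two read-only audit queries over the rbacxservice tables described in points 2, 3, 8, 10 and 15. They use only the column names the post gives (POLICIES.policykey / namespacekey, ENDPOINT_POLICIES.policy_id / endpoint_id, POLICY_OWNERS.policyid / owner_id); the remaining names (POLICIES.policy_name, ROLE_POLICIES.role_id / policy_id) are assumptions and must be checked against your schema before use.

```sql
-- Added example, not from the post. Column names marked ASSUMED are not
-- given in the post and must be verified against the rbacxservice schema.

-- Check 1 (point 8): a policy with no Policy Owner has its changes
-- auto-approved, so nobody reviews edits to its entitlements.
-- List such policies so an owner can be assigned.
SELECT p.policykey,
       p.namespacekey,
       p.policy_name                                   -- ASSUMED column
FROM   POLICIES p
WHERE  NOT EXISTS (SELECT 1
                   FROM   POLICY_OWNERS po
                   WHERE  po.policyid = p.policykey)
ORDER  BY p.namespacekey, p.policykey;

-- Check 2 (points 2, 3, 15): where each policy takes effect.
-- One row per policy / endpoint / role combination, keeping policies
-- that are attached to no endpoint or no role (LEFT JOINs) because
-- those are usually stale definitions worth cleaning up.
SELECT p.policykey,
       p.namespacekey,
       ep.endpoint_id,
       rp.role_id                                      -- ASSUMED column
FROM   POLICIES p
       LEFT JOIN ENDPOINT_POLICIES ep ON ep.policy_id = p.policykey
       LEFT JOIN ROLE_POLICIES     rp ON rp.policy_id = p.policykey  -- ASSUMED column
ORDER  BY p.namespacekey, p.policykey, ep.endpoint_id, rp.role_id;
```

Run both against a reporting copy or with a read-only account; a policy appearing in Check 1 while also appearing with roles in Check 2 is the case to prioritise, since unreviewed changes to it reach every user holding those roles.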


About the Author Masroof Ahmad
