In the OIM log the following exception can be found.
<Error> <oracle.iam.identity.orgmgmt.impl> <IAM-3051005> <The organization search operation failed.
oracle.iam.platform.entitymgr.UnknownAttributeException: Organization : [SOME_ORGANIZATION_ATTRIBUTE]
at oracle.iam.platform.entitymgr.impl.EntityManagerImpl.findEntities(EntityManagerImpl.java:1160)
at oracle.iam.platform.entitymgr.impl.EntityManagerImpl.findEntities(EntityManagerImpl.java:1070)
at sun.reflect.GeneratedMethodAccessor1827.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:318)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
at oracle.iam.platform.utils.LoggerInterceptor.invoke(LoggerInterceptor.java:55)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at oracle.iam.platform.utils.DMSMethodInterceptor.invoke(DMSMethodInterceptor.java:37)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
at com.sun.proxy.$Proxy492.findEntities(Unknown Source)
at oracle.iam.identity.orgmgmt.impl.OrganizationManagerImpl.performSearch(OrganizationManagerImpl.java:1302)
at oracle.iam.identity.orgmgmt.impl.OrganizationManagerImpl.search(OrganizationManagerImpl.java:1220)
at sun.reflect.GeneratedMethodAccessor2088.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
The root cause is a missing UDF attribute reference for the organization object. To verify or address the missing attribute, check the Organization.xml file in MDS:
/db/identity/entity-definition/Organization.xml
Each attribute of organization should be present under the following tags.
1. Entity attribute
<entity-attributes>
...
<attribute name="SOME_ORGANIZATION_ATTRIBUTE"></attribute>
...
</entity-attributes>
2. Target fields
<target-fields>
...
<field name="org_udf_SOME_ORGANIZATION_ATTRIBUTE"></field>
...
</target-fields>
3. Mapping
<attribute-maps>
...
<attribute-map><entity-attribute>SOME_ORGANIZATION_ATTRIBUTE</entity-attribute><target-field>org_udf_SOME_ORGANIZATION_ATTRIBUTE</target-field></attribute-map>
...
</attribute-maps>
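A consistency check for the three references listed above, as an added example that is not part of the original post: it takes the attribute name from the UnknownAttributeException line and reports which section of an exported Organization.xml lacks it. The sample XML, its root element name and the attribute names COST_CENTER and REGION are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (root name assumed): REGION has no attribute-map entry.
SAMPLE_XML = """<entity-definition>
<entity-attributes>
  <attribute name="COST_CENTER"></attribute>
  <attribute name="REGION"></attribute>
</entity-attributes>
<target-fields>
  <field name="org_udf_COST_CENTER"></field>
  <field name="org_udf_REGION"></field>
</target-fields>
<attribute-maps>
  <attribute-map><entity-attribute>COST_CENTER</entity-attribute><target-field>org_udf_COST_CENTER</target-field></attribute-map>
</attribute-maps>
</entity-definition>"""
# Constructed log line in the format of the exception shown above.
SAMPLE_LOG = "oracle.iam.platform.entitymgr.UnknownAttributeException: Organization : [REGION]"

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix

def attribute_from_log(line):
    """Pull the attribute name out of an UnknownAttributeException line."""
    m = re.search(r"UnknownAttributeException: Organization : \[([^\]]+)\]", line)
    return m.group(1) if m else None

def children(root, section, child):
    """Elements named `child` directly under any element named `section`."""
    return [c for s in root.iter() if local(s.tag) == section
            for c in s if local(c.tag) == child]

def missing_sections(xml_text, attr):
    """Return the sections of Organization.xml that lack a reference to attr."""
    root = ET.fromstring(xml_text)
    attrs = {a.get("name") for a in children(root, "entity-attributes", "attribute")}
    fields = {f.get("name") for f in children(root, "target-fields", "field")}
    maps = {}
    for m in children(root, "attribute-maps", "attribute-map"):
        kids = {local(k.tag): (k.text or "").strip() for k in m}
        maps[kids.get("entity-attribute")] = kids.get("target-field")
    missing = [] if attr in attrs else ["entity-attributes"]
    if attr not in maps:
        missing.append("attribute-maps")
    # Follow the mapping when present, else the org_udf_ naming shown in the post.
    if maps.get(attr, "org_udf_" + attr) not in fields:
        missing.append("target-fields")
    return missing
```

Calling `missing_sections(SAMPLE_XML, attribute_from_log(SAMPLE_LOG))` on the constructed sample reports the `attribute-maps` section as the one missing the REGION reference.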
AdLessTube
Friday, October 25, 2019
Oracle Identity Governance Access Policies Harvesting and Account Types
There are different types of identity accounts in Oracle Identity Manager or Oracle Identity Governance.
- Bulk-load account
- Direct Provision account
- Request-based account
- Reconciliation account
- Access Policy provision account
Access Policies Harvesting is a new feature added to OIM after the R2 PS2 release that lets Access Policies in OIM manage bulk-loaded and reconciled accounts.
To enable AP Harvesting in OIM:
- Set the value of the XL.AllowAPHarvesting and XL.AllowAPBasedMultipleAccountProvisioning system properties to TRUE.
- Set the retrofit flag to ON for the policy to be linked by selecting Retrofit Access Policy.
- Designate a field on the process form as the discriminator field and set the value of the Account Discriminator property to True.
With the above configured, OIM is able to link the reconciled and bulk-loaded accounts to pre-existing access policies by running the 'Evaluate User Policies' scheduled task, and therefore such reconciled and bulk-loaded accounts can be managed via access policies. This is also referred to as access policy harvesting.
However, direct provisioned and request-based accounts still do not participate in AP Harvesting. That means they are not yet managed by access policies within OIM.
There are cases where provisioning operations (either direct provisioning or request-based) took place before Access Policies were implemented. Especially in production or enterprise systems, there could be up to thousands of such accounts created before the Access Policy provisioning mechanism was adopted. These accounts somehow need to be addressed so that one can take advantage of using access policies to manage all the identity accounts in the enterprise.
For OIM AP harvesting to cover all types of accounts in the system, Access Policies in OIM need to manage request-based and direct provisioned accounts as well.
To achieve this, one should consider upgrading to OIG 12c 12.2.1.3.0, where the fix for 27599841 is included. If that's not an option, one may need to check with Oracle for the fix of this bug.
Additionally, the two system properties below, introduced by the fix, should be set to TRUE.
XL.APHarvestRequestAccount
XL.APHarvestDirectProvisionAccount
With all of these configured, Access Policies in OIM can fully manage all types of accounts.
Friday, August 19, 2016
AdLessTube Quick Tips
The motivation for this Android application is to limit advertisements while accessing YouTube content via other YouTube clients!
-$-$-$-
Home screen
Selecting/clicking on any video will activate the play panel
Key in to search YouTube content
The Trash icon will clear the list