Friday, October 25, 2019

Getting "IAM-3051005: The organization search operation failed." Error When Opening My Access in the OIG Identity Self Service Console

In the OIM log, the following exception can be found:

<Error> <oracle.iam.identity.orgmgmt.impl> <IAM-3051005> <The organization search operation failed.
oracle.iam.platform.entitymgr.UnknownAttributeException: Organization : [SOME_ORGANIZATION_ATTRIBUTE]
        at oracle.iam.platform.entitymgr.impl.EntityManagerImpl.findEntities(EntityManagerImpl.java:1160)
        at oracle.iam.platform.entitymgr.impl.EntityManagerImpl.findEntities(EntityManagerImpl.java:1070)
        at sun.reflect.GeneratedMethodAccessor1827.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:318)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:183)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:150)
        at oracle.iam.platform.utils.LoggerInterceptor.invoke(LoggerInterceptor.java:55)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at oracle.iam.platform.utils.DMSMethodInterceptor.invoke(DMSMethodInterceptor.java:37)
        at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)
        at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)
        at com.sun.proxy.$Proxy492.findEntities(Unknown Source)
        at oracle.iam.identity.orgmgmt.impl.OrganizationManagerImpl.performSearch(OrganizationManagerImpl.java:1302)
        at oracle.iam.identity.orgmgmt.impl.OrganizationManagerImpl.search(OrganizationManagerImpl.java:1220)
        at sun.reflect.GeneratedMethodAccessor2088.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)


The root cause is a missing UDF (user-defined field) attribute reference in the organization entity definition: the search refers to an attribute that the entity definition does not fully declare. To verify and fix the missing attribute, check the Organization.xml file in MDS:
/db/identity/entity-definition/Organization.xml

Each organization attribute, including each UDF, should be present under all three of the following tags.
 
1. Entity attribute

<entity-attributes>
...
<attribute name="SOME_ORGANIZATION_ATTRIBUTE"></attribute>
...
</entity-attributes>

2. Target fields

<target-fields>
...
<field name="org_udf_SOME_ORGANIZATION_ATTRIBUTE"></field>
...
</target-fields>

3. Mapping

<attribute-maps>
...
<attribute-map><entity-attribute>SOME_ORGANIZATION_ATTRIBUTE</entity-attribute><target-field>org_udf_SOME_ORGANIZATION_ATTRIBUTE</target-field></attribute-map>
...
</attribute-maps>
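A quick way to verify that the three sections line up, as an added example that is not from the original post or from Oracle's own tooling: the script below parses a copy of Organization.xml and reports every attribute that is missing from any of the three sections (declared but unmapped, mapped to an undeclared target field, or mapped without being declared). The embedded sample XML is constructed for illustration and models only the tags shown above; the attribute and field names in it (act_name, Cost Center, Region and their org_udf_ fields) are assumptions, not values from a real deployment.

```python
"""Consistency check for an OIM/OIG Organization.xml entity definition.

Added example, not code from the original post or from Oracle. It parses the
three sections discussed above and reports attributes that are not declared
in all of them, which is the condition behind the UnknownAttributeException.
"""
import xml.etree.ElementTree as ET

# Constructed sample standing in for /db/identity/entity-definition/Organization.xml.
# Only the three sections discussed above are modelled; a real file carries more
# content (attribute types, namespaces, other sections) that this check ignores.
# "Cost Center" is declared but has no mapping; "Region" is mapped to a target
# field that is not declared.  Both are deliberate inconsistencies.
SAMPLE_ORGANIZATION_XML = """<entity-definition>
  <entity-attributes>
    <attribute name="Organization Name"/>
    <attribute name="SOME_ORGANIZATION_ATTRIBUTE"/>
    <attribute name="Cost Center"/>
    <attribute name="Region"/>
  </entity-attributes>
  <target-fields>
    <field name="act_name"/>
    <field name="org_udf_SOME_ORGANIZATION_ATTRIBUTE"/>
    <field name="org_udf_COST_CENTER"/>
  </target-fields>
  <attribute-maps>
    <attribute-map>
      <entity-attribute>Organization Name</entity-attribute>
      <target-field>act_name</target-field>
    </attribute-map>
    <attribute-map>
      <entity-attribute>SOME_ORGANIZATION_ATTRIBUTE</entity-attribute>
      <target-field>org_udf_SOME_ORGANIZATION_ATTRIBUTE</target-field>
    </attribute-map>
    <attribute-map>
      <entity-attribute>Region</entity-attribute>
      <target-field>org_udf_REGION</target-field>
    </attribute-map>
  </attribute-maps>
</entity-definition>
"""


def _local(tag):
    """Strip any XML namespace so matching works whether or not the file declares one."""
    return tag.rsplit("}", 1)[-1]


def _section(root, name):
    """Return the first element with the given local name, or None if absent."""
    for el in root.iter():
        if _local(el.tag) == name:
            return el
    return None


def load_definition(xml_text):
    """Parse the three sections into (attributes, target_fields, {attribute: target_field})."""
    root = ET.fromstring(xml_text)

    sec = _section(root, "entity-attributes")
    attributes = {a.get("name") for a in (sec if sec is not None else [])
                  if _local(a.tag) == "attribute" and a.get("name")}

    sec = _section(root, "target-fields")
    target_fields = {f.get("name") for f in (sec if sec is not None else [])
                     if _local(f.tag) == "field" and f.get("name")}

    maps = {}
    sec = _section(root, "attribute-maps")
    for m in (sec if sec is not None else []):
        if _local(m.tag) != "attribute-map":
            continue
        entity_attr = target_field = None
        for child in m:
            if _local(child.tag) == "entity-attribute":
                entity_attr = (child.text or "").strip()
            elif _local(child.tag) == "target-field":
                target_field = (child.text or "").strip()
        if entity_attr:
            maps[entity_attr] = target_field
    return attributes, target_fields, maps


def check_attribute(definition, name):
    """Return the list of problems for one attribute name; an empty list means consistent."""
    attributes, target_fields, maps = definition
    problems = []
    if name not in attributes:
        problems.append("not declared under <entity-attributes>")
    if name not in maps:
        problems.append("no <attribute-map> entry under <attribute-maps>")
    else:
        field = maps[name]
        if not field:
            problems.append("<attribute-map> entry has no <target-field>")
        elif field not in target_fields:
            problems.append("mapped target field %r not declared under <target-fields>" % field)
    return problems


def find_inconsistent(definition):
    """Map every attribute that is missing from any section to its list of problems."""
    attributes, _, maps = definition
    result = {}
    for name in sorted(attributes | set(maps)):
        problems = check_attribute(definition, name)
        if problems:
            result[name] = problems
    return result


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ORGANIZATION_XML
    for attr_name, attr_problems in find_inconsistent(load_definition(text)).items():
        print("%s: %s" % (attr_name, "; ".join(attr_problems)))
```

Run it against a copy of Organization.xml exported from MDS; the attribute named in the UnknownAttributeException should show up in the report, and should come back with an empty problem list once all three sections carry it.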




Oracle Identity Governance Access Policies Harvesting and Account Types

Accounts in Oracle Identity Manager (OIM) / Oracle Identity Governance (OIG) fall into different types depending on how they were created:
- Bulk-load account
- Direct provision account
- Request-based account
- Reconciliation account
- Access Policy provision account
 
Access Policy Harvesting is a feature added to OIM after the R2 PS2 release that lets access policies in OIM manage bulk-loaded and reconciled accounts.

 
To enable AP Harvesting in OIM:

·       Set the XL.AllowAPHarvesting and XL.AllowAPBasedMultipleAccountProvisioning system properties to TRUE.
·       Set the retrofit flag to ON for each policy to be linked by selecting Retrofit Access Policy.
·       Designate a field on the process form as the discriminator field and set its Account Discriminator property to True.

With the above configured, OIM links reconciled and bulk-loaded accounts to pre-existing access policies when the 'Evaluate User Policies' scheduled task runs, so those accounts can then be managed via access policies. This is what is referred to as access policy harvesting.

However, directly provisioned and request-based accounts still do not participate in AP Harvesting, which means they are not yet managed by access policies within OIM.

There are cases where provisioning operations (direct or request-based) took place before access policies were implemented. In a production or enterprise system, such accounts can number in the thousands by the time the access-policy provisioning mechanism is adopted. These accounts need to be addressed so that access policies can be used to manage all identity accounts in the enterprise.

For OIM AP harvesting to cover all account types in the system, access policies in OIM must also be able to manage request-based and directly provisioned accounts.

To achieve this, consider upgrading to OIG 12c (12.2.1.3.0), which includes the fix for bug 27599841. If that is not an option, check with Oracle support for a patch for this bug.
Additionally, two further system properties introduced by the fix must be set to TRUE:
XL.APHarvestRequestAccount
XL.APHarvestDirectProvisionAccount


With all of these configured, access policies in OIM can fully manage all types of accounts.