Friday, September 13, 2013

OIM11gR2 Testing Access Policies

When developing and testing access policies, the following guidelines are worth following:

In the Scheduler, the Evaluate User Policies scheduled job typically runs every 10 minutes.
When testing access policies, it is a good idea to click the Disable button so that the job does not run on its schedule. The job can then be executed on demand using the Run Now button.

When modifying an Access Policy, if the Retrofit Access Policy flag is set to Yes, then every user will be re-evaluated, and each user who fits the policy will have the POLICY_EVAL_NEEDED flag set to 1 in the USR_PROVISIONING_ATTRS table. If you don't want every single user to be re-evaluated, then after modifying the access policy, execute an update query such as:

UPDATE USR_PROVISIONING_ATTRS SET POLICY_EVAL_NEEDED=0;

and then, when you are prepared to test a single user, use a similar query with that user's USR_KEY, such as:

UPDATE USR_PROVISIONING_ATTRS SET POLICY_EVAL_NEEDED=1 WHERE USR_KEY=2023;

It's a good idea to review and document the state of the user you chose to test both before and after the test. To execute the access policy logic, just go back and run the Evaluate User Policies scheduled job.
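The same flag manipulation as one sequence with verification queries, added here as an example and not taken from the original post; it assumes the standard OIM USR table (USR_KEY, USR_LOGIN) and uses a constructed login 'JDOE' in place of the hardcoded USR_KEY:

```sql
-- Added example (not from the original post). Run as the OIM schema owner
-- with the Evaluate User Policies job disabled. Assumes the standard OIM
-- USR table (USR_KEY, USR_LOGIN); 'JDOE' is a constructed login, written in
-- upper case because OIM normally stores USR_LOGIN upper-cased.

-- 1. How many users the retrofit flagged for re-evaluation
SELECT COUNT(*) AS pending_users
  FROM USR_PROVISIONING_ATTRS
 WHERE POLICY_EVAL_NEEDED = 1;

-- 2. Clear the flag for everyone so the job does not touch unrelated users
UPDATE USR_PROVISIONING_ATTRS
   SET POLICY_EVAL_NEEDED = 0
 WHERE POLICY_EVAL_NEEDED = 1;

-- 3. Flag only the test user, looked up by login instead of a hardcoded key
UPDATE USR_PROVISIONING_ATTRS
   SET POLICY_EVAL_NEEDED = 1
 WHERE USR_KEY = (SELECT USR_KEY FROM USR WHERE USR_LOGIN = 'JDOE');

-- 4. Verify exactly one user is pending before pressing Run Now
SELECT u.USR_KEY, u.USR_LOGIN, p.POLICY_EVAL_NEEDED
  FROM USR_PROVISIONING_ATTRS p
  JOIN USR u ON u.USR_KEY = p.USR_KEY
 WHERE p.POLICY_EVAL_NEEDED = 1;

-- 5. Make the change visible to the scheduler's own database session
COMMIT;
```

Step 4 should return a single row; rerun it after the job completes to confirm the flag was consumed.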

OIM11gR2 finding a list of active plugins

To find a list of plugins in your environment:

  • Log into the OIM schema account for your environment.
  • Execute SELECT * FROM PLUGINS to view all of the active plugins.
  • Execute SELECT * FROM LATEST_PLUGINS to compare.

When actively updating plugins in your development environment, it is good practice to change the version number with each build, so you have a way to validate that your plugin was picked up by the system. Another way to confirm this is to review the diagnostic log for the messages indicating that the plugin has been loaded.

OIM11gR2 finding the event handlers currently deployed

To find the list of event handlers in OIM11gR2:

  • Log into the OIM Enterprise Manager http://<site>:7001/em
  • On the left display, expand the Identity and Access folder and then the OIM folder under that, and then select the oim(11.1.2.0.0) object under the OIM folder.
  • On the right display, open the dropdown labelled Oracle Identity Manager and select System MBean Browser.
  • In the folder structure, find under Application Defined MBeans: oracle.iam, and expand the Server: oim_server1 folder.
  • Continue expanding the Application: oim and IAMAppDesignMBean folders, to expose the ConfigQueryMBeanName.  Searching on this name may work but may yield multiple results.
  • Select the Operations Tab and click on the getEventHandlers operation.
  • In the query put the Entity you wish to search on (User for user event handlers) and the operation (Create, Modify, Delete typically) and click Invoke.
  • The display will reveal the Stage, Order, Name, Location, and Conditional flag for each event handler.
  • System event handlers will typically have their location prefaced by /metadata.
  • Registered custom event handlers will typically have their location prefaced by /custom.
  • Properly constructed plugin handlers will typically have their location prefaced by Plugin:.
  • Document the handlers you wish to review, both before and after your modification.