System Properties Authorization Policies for Oracle Identity Manager Features

16-2 Oracle Fusion Middleware User's Guide for Oracle Identity Manager

User Principal Name. Forms also contain an attribute of type IT Resource (see IT Resource Type on page 16-2 for details). Resources can be marked Allow Multiple, which would allow multiple instances of a resource to be provisioned to a user or an organization.

Account
Accounts are actual instances of a resource that are created and provisioned to a user or organization in Oracle Identity Manager. For example, an e-mail account on an Exchange server is an account instance of resource type Exchange. Accounts have specific values for the attributes of the associated form.

IT Resource Type
IT resource type is a logical entity in Oracle Identity Manager used to model a physical target and all its attributes, including but not limited to the connectivity information and the credentials required to connect to the physical computer. For example, IT resource type AD server is used to model an actual AD server.

IT Resource Instance
These are actual instances of a specific IT resource type that represent the actual physical target. They also have specific values for all the attributes of the physical target, such as IP address, port, user name, and password. Two physical AD servers in a deployment are represented by two instances of IT resource type AD Server.

Account Discriminator
Account discriminator is a collection of attributes on a form that uniquely identify the logical entity on which accounts are created. This term is sometimes loosely referred to as a target. For instance, for an AD server, an account discriminator can be a combination of AD server (an attribute of type IT Resource) and Organization Name. Typically, account discriminators are attributes of type IT Resource. Attributes are marked as account discriminators by setting the Account Discriminator property of a Form field to True.
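How Allow Multiple and account discriminators interact, as a minimal Python model added here (it is not Oracle Identity Manager code or its API). The class and function names, the sample AD servers and users, and the rule that a second account with the same discriminator values is rejected are assumptions of this sketch.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FormField:
    name: str
    account_discriminator: bool = False  # models the form field's Account Discriminator property

@dataclass
class Resource:
    name: str
    fields: tuple
    allow_multiple: bool = False  # models the resource's Allow Multiple marking

    def discriminator(self, form_data):
        # Values of the flagged fields identify the target the account lives on.
        return tuple(form_data[f.name] for f in self.fields if f.account_discriminator)

class DuplicateAccount(Exception):
    pass

def provision(accounts, user, resource, form_data):
    key = resource.discriminator(form_data)
    held = [a for a in accounts if a["user"] == user and a["resource"] == resource.name]
    if held and not resource.allow_multiple:
        raise DuplicateAccount(f"{resource.name} is not marked Allow Multiple")
    if any(a["discriminator"] == key for a in held):  # assumption: one account per target
        raise DuplicateAccount(f"{user} already has {resource.name} on {key}")
    account = {"user": user, "resource": resource.name, "discriminator": key}
    accounts.append(account)
    return account

# Constructed sample: one resource type, two IT resource instances (AD-East, AD-West).
AD_USER = Resource("AD User", (FormField("AD Server", True),
                               FormField("Organization Name", True),
                               FormField("User Principal Name")), allow_multiple=True)

def demo():
    accounts, rejected = [], []
    for server, upn in [("AD-East", "jdoe@east.example.com"),
                        ("AD-West", "jdoe@west.example.com"),
                        ("AD-East", "jdoe2@east.example.com")]:
        form = {"AD Server": server, "Organization Name": "Sales", "User Principal Name": upn}
        try:
            provision(accounts, "jdoe", AD_USER, form)
        except DuplicateAccount:
            rejected.append(server)
    return accounts, rejected

if __name__ == "__main__":
    print(demo())
```

The third request differs only in User Principal Name, which is not a discriminator field, so the model treats it as a second account on the same target rather than a new instance.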

16.2 Features of Access Policies

This section describes the various features offered by the policy engine in the following sections:

■ Provisioning Options
■ Revoking the Policy
■ Denying a Resource
■ Evaluating Policies
■ Access Policy Priority
■ Access Policy Data
■ Provisioning Multiple Instances of the Same Resource via Access Policy by Using Account Discriminator