
16-2 Oracle Fusion Middleware User's Guide for Oracle Identity Manager

User Principal Name. Forms also contain an attribute of type IT Resource (see "IT Resource Type" on page 16-2 for details). Resources can be marked Allow Multiple, which allows multiple instances of a resource to be provisioned to a user or an organization.

Account

Accounts are actual instances of a resource that are created and provisioned to a user or organization in Oracle Identity Manager. For example, an e-mail account on an Exchange server is an account instance of resource type Exchange. Accounts have specific values for the attributes of the associated form.

IT Resource Type

IT resource type is a logical entity in Oracle Identity Manager used to model a physical target and all its attributes, including but not limited to the connectivity information and the credentials required to connect to the physical computer. For example, IT resource type AD Server is used to model an actual AD server.

IT Resource Instance

These are actual instances of a specific IT resource type that represent the actual physical target. They also have specific values for all the attributes of the physical target, such as IP address, port, user name, and password. Two physical AD servers in a deployment are represented by two instances of IT resource type AD Server.

Account Discriminator

Account discriminator is a collection of attributes on a form that uniquely identify the logical entity on which accounts are created. This term is sometimes loosely referred to as a target. For instance, for an AD server, an account discriminator can be a combination of AD Server (an attribute of type IT Resource) and Organization Name. Typically, account discriminators are attributes of type IT Resource. Attributes are marked as account discriminators by setting the Account Discriminator property of a form field to True.

16.2 Features of Access Policies

This section describes the various features offered by the policy engine in the following sections:

■ Provisioning Options
■ Revoking the Policy
■ Denying a Resource
■ Evaluating Policies
■ Access Policy Priority
■ Access Policy Data
■ Provisioning Multiple Instances of the Same Resource via Access Policy by Using Account Discriminator

16.2.1 Provisioning Options

Whenever an access policy is applied, provisioning of resources can take place in one of the following ways:

■ The resources are directly provisioned to the user without any request being generated.
■ A request is created, and provisioning of resources is subject to request approval.

Using the Administrative and User Console, you can specify whether you want to create the access policy with request approval or without request approval. In an access policy with request:

■ The default process form for the access policy is supported. This means that the data entered for the default process form while creating the access policy is used to populate the request dataset.
■ Mandatory fields of the request dataset must be populated by one of the following:
– Process form defaults of the access policy, entered while defining the access policy: the process form defaults of the access policy are used to populate the corresponding request dataset.
– Prepopulate adapters defined for the request dataset.
– Default data in the request dataset.
■ An access policy-based request is not created if any mandatory field of the request dataset is not populated by one of process form defaults, prepopulate adapters, or default data in the request dataset.
■ If a request has already been created for a user for a specific resource and that request is NOT in one of the following statuses, then a new request is not created for the same user and resource combination:
– Request Closed
– Request Completed
– Request Withdrawn
– Request Failed
– Template Approval Rejected
– Request Approval Rejected
– Operation Approval Rejected
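As an added illustration (not Oracle Identity Manager code), the following Python models the request-creation rules for a policy with request approval: the three sources that can populate mandatory fields of the request dataset, and the status list that decides whether an existing request for the same user and resource blocks a new one. The RequestDataset and ExistingRequest record shapes, the sample field and status values, and the precedence among the three data sources are assumptions made for the example.

```python
"""Request-creation gate for an access policy 'with request approval'.
Constructed model for illustration; not Oracle Identity Manager code."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Statuses listed in the guide that do NOT block a new request for the
# same user/resource pair. Any other status means an open request exists.
NON_BLOCKING_STATUSES: FrozenSet[str] = frozenset({
    "Request Closed", "Request Completed", "Request Withdrawn",
    "Request Failed", "Template Approval Rejected",
    "Request Approval Rejected", "Operation Approval Rejected",
})

@dataclass(frozen=True)
class RequestDataset:  # hypothetical shape, not an OIM type
    mandatory_fields: FrozenSet[str]
    defaults: Dict[str, str] = field(default_factory=dict)  # default data in dataset

@dataclass(frozen=True)
class ExistingRequest:  # hypothetical record shape, not an OIM type
    request_id: str
    user: str
    resource: str
    status: str

def populate_dataset(dataset: RequestDataset, form_defaults: Dict[str, str],
                     prepopulated: Dict[str, str]) -> Dict[str, str]:
    """Fill the dataset from the three sources the guide names. Later sources
    overwrite earlier ones; that precedence is an assumption (the guide gives none)."""
    data = dict(dataset.defaults)   # default data in the request dataset
    data.update(prepopulated)       # prepopulate adapters on the dataset
    data.update(form_defaults)      # process form defaults of the access policy
    return {k: v for k, v in data.items() if v not in (None, "")}

def decide_request(user: str, resource: str, dataset: RequestDataset,
                   form_defaults: Dict[str, str], prepopulated: Dict[str, str],
                   existing: List[ExistingRequest]) -> Tuple[bool, str]:
    """Return (create_request, reason) for one user/resource pair."""
    data = populate_dataset(dataset, form_defaults, prepopulated)
    missing = sorted(dataset.mandatory_fields - set(data))
    if missing:  # a single unpopulated mandatory field suppresses the request
        return False, "mandatory fields not populated: " + ", ".join(missing)
    for req in existing:
        if (req.user, req.resource) == (user, resource) \
                and req.status not in NON_BLOCKING_STATUSES:
            return False, f"request {req.request_id} is still in {req.status!r}"
    return True, "request created"
```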

16.2.2 Revoking the Policy

Oracle Identity Manager access policies are not applied to subroles. Policies are only applied to direct-membership users (that is, users who are not in subroles) of the roles that are defined on the access policies. You can specify whether a resource in a policy must be revoked when the policy no longer applies. If you do so, then these resources are automatically revoked from the users by Oracle Identity Manager when the policy no longer applies to the users.

16.2.3 Denying a Resource

While creating an access policy, you can select resources to be denied along with resources to be provisioned for roles. If you first select a resource for provisioning and then select the same resource to be denied, then Oracle Identity Manager removes the