Click Add to place the resource in the Selected list.

16-12 Oracle Fusion Middleware User's Guide for Oracle Identity Manager

5. Create a process definition, and associate the resource object and process form. For information about creating a process definition, see Creating a Process Definition in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

6. Create access policies associating a role and resource object. See Creating Access Policies on page 16-7 for details.

When you have two instances of the same resource on different physical servers, you can use access policies to provision both instances of the resource to the same user, JohnD. The following scenario illustrates this:

You have two AD instances, one hosted on a server with IP address 10.151.14.82 and another hosted on a server with IP address 130.35.66.254. The user is to be provisioned to both instances via access policy-based provisioning. To achieve this:

1. Create an AD User resource.

2. Create an IT resource with name ADServer1 that represents the server with IP address 10.151.14.82.

3. Create an IT resource with name ADServer2 that represents the server with IP address 130.35.66.254.

4. Mark the AD Server UD_ADUSER_AD process form field as the discriminator field.

5. Create two access policies as follows:

   ■ For the account to be created on ADServer1:
     Access policy name: AP3
     Associated to role: Role3
     Resource to provision: AD User
     Process form having Discriminator field: AD Server UD_ADUSER_AD
     Default value for ITResourceLookup field: ADServer1

   ■ For the account to be created on ADServer2:
     Access policy name: AP4
     Associated to role: Role4
     Resource to provision: AD User
     Process form having Discriminator field: AD Server UD_ADUSER_AD
     Default value for ITResourceLookup field: ADServer2

6. Assign Role3 and Role4 to the user JohnD.

When Role3 is assigned to JohnD, the account is created in the target system on ADServer1 via the AP3 access policy. When Role4 is assigned to JohnD, the account is created in the target system on ADServer2 via the AP4 access policy. Therefore, two distinct accounts are created for the same user and the same resource on two different instances of the target system via access policy.
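The scenario above can be modelled for an access review. The following is an added example, not Oracle Identity Manager code or API: it assumes an account is identified by the pair (resource, discriminator value), and the names AccessPolicy, expected_accounts and review, as well as the sample account list, are hypothetical. It derives the accounts that a user's roles justify and compares them with the accounts actually found on the targets.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPolicy:
    name: str
    role: str
    resource: str      # resource object the policy provisions
    it_resource: str   # default value of the discriminator field


# The two policies from the scenario above.
POLICIES = [
    AccessPolicy("AP3", "Role3", "AD User", "ADServer1"),
    AccessPolicy("AP4", "Role4", "AD User", "ADServer2"),
]


def expected_accounts(roles, policies=POLICIES):
    """Return {(resource, discriminator value): [policy names]} for the roles.

    Modelling assumption: one account per (resource, discriminator value).
    Each policy carries one discriminator default, so one policy yields
    at most one account per user.
    """
    accounts = {}
    for policy in policies:
        if policy.role in roles:
            key = (policy.resource, policy.it_resource)
            accounts.setdefault(key, []).append(policy.name)
    return accounts


def review(roles, actual, policies=POLICIES):
    """Compare accounts found on the targets with what the roles justify."""
    expected = set(expected_accounts(roles, policies))
    found = set(actual)
    return {
        "missing": sorted(expected - found),   # justified but not provisioned
        "unbacked": sorted(found - expected),  # present without a granting role
    }


if __name__ == "__main__":
    # Constructed sample: JohnD holds both roles, as in step 6.
    print(expected_accounts({"Role3", "Role4"}))
    # Constructed sample: Role4 is no longer held, but both accounts exist.
    found = [("AD User", "ADServer1"), ("AD User", "ADServer2")]
    print(review({"Role3"}, found))
```

An "unbacked" entry is an account on a target instance that no currently assigned role accounts for, which is the item to follow up in a least-privilege review.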

16.5.4 Limitation of Provisioning Multiple Instances of a Resource via Access Policy

Provisioning multiple instances of a resource via access policy has the following limitations:

■ A single access policy cannot provision multiple instances of a resource to a user. Multiple access policies must be created to provision multiple instances of

Managing Access Policies 16-13