Last updated on JUNE 25, 2017
Applies to: Identity Manager - Version 188.8.131.52.4 and later
Information in this document applies to any platform.
An access policy does not enable an account that was created via reconciliation with a disabled status.
Steps to reproduce the issue:
1) Create a user account in OIM, with UID/Login = 'XXX'
2) Directly in AD, create an AD account for the same UID/samAccountName of 'XXX'
3) Make sure the AD account is disabled. You need to do this via AD directly
4) Run the "Active Directory User Target Recon" job and verify that the user now shows an AD Account in "Disabled" state
5) At this point you can verify in UD_ADUSER that the UD_ADUSER.UD_ADUSER_PASSWORD value is null.
6) Now assign the role referenced in the access policy to the user ('AD Provisioning Policy Role' is the name of our specific role)
7) Verify that you have a record in the "user_provisioning_attrs" table, this indicates that a policy evaluation is needed
8) Run the "Evaluate User Policies" job
9) What you expect at this point is that the AD account gets enabled. Instead you get the exception in the logs and no change is made to the AD account. OIM still shows the account as DISABLED, and the record in the "user_provisioning_attrs" table gets deleted.
This problem only happens if you are trying to enable the account via an access policy. It does not occur if you switch directly to the "Accounts" tab, select the ">>" link and choose to "Enable" the account. This problem also only occurs if you start with a DISABLED AD account.
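To confirm the intermediate state described in steps 4, 5 and 7 directly against the OIM database rather than through the console, the following diagnostic queries are an added example and are not part of the Oracle article. They assume the standard OIM 11g join path USR -> OIU -> UD_ADUSER (via USR_KEY and ORC_KEY), that the account status is carried by OST, and that user_provisioning_attrs is keyed by USR_KEY; verify those against your own schema before relying on the result.

```sql
-- Added diagnostic queries (not from the Oracle article).
-- Replace 'XXX' with the OIM user login created in step 1.
-- Assumed join path: USR -> OIU (USR_KEY), OIU -> UD_ADUSER (ORC_KEY),
-- OIU -> OST (OST_KEY) for the account status.

-- Steps 4 and 5: the reconciled AD account should be in 'Disabled' state
-- and the UD_ADUSER_PASSWORD column should be NULL.
SELECT u.usr_login,
       o.ost_status                                   AS account_status,  -- expected 'Disabled'
       ad.ud_aduser_uid,
       CASE WHEN ad.ud_aduser_password IS NULL
            THEN 'NULL' ELSE 'SET' END                AS password_column  -- expected 'NULL'
  FROM usr u
  JOIN oiu       i  ON i.usr_key  = u.usr_key
  JOIN ost       o  ON o.ost_key  = i.ost_key
  JOIN ud_aduser ad ON ad.orc_key = i.orc_key
 WHERE u.usr_login = 'XXX';

-- Step 7: a pending policy-evaluation record should exist after the role
-- is assigned and before the "Evaluate User Policies" job runs; after the
-- job (step 9) the count drops to 0 even though the account stays disabled.
-- Assumption: user_provisioning_attrs is keyed by USR_KEY.
SELECT COUNT(*) AS pending_policy_evaluations
  FROM user_provisioning_attrs p
  JOIN usr u ON u.usr_key = p.usr_key
 WHERE u.usr_login = 'XXX';
```

Run the second query before and after step 8: seeing the count go from 1 to 0 while the first query still reports 'Disabled' reproduces the symptom without relying on the console.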