OIM Identity Audit Scan (IDA) Issues When OIM User's Have Accounts In "Provisioning" or "Waiting" status

(Doc ID 2317938.1)

Last updated on OCTOBER 22, 2017

Applies to:

Identity Manager - Version 11.1.2.3.0 and later
Information in this document applies to any platform.

Symptoms

When an IDA scan is run in OIM against an OIM User candidate list where some users have accounts in either "Provisioning" or "Waiting" status then the IDA results will be incorrect and errors will be seen in the OIM logs.

No message is printed to the UI.

1) IDA against OIM Users with accounts in "Provisioning" status

When OIM users have accounts in "Provisioning" status (ex: pending "System Validation" process task) they do not get picked up in the identity audit scan.  The result of this is that all the OIM User in the IDA batch where one (or more) of the users has an account in "Provisioning" status are silently dropped and no violations are reported for any of the users in the batch.

The following error is seen in the OIM logs when this occurs:

Exception during IDA scan. Run name: <Run_Name>. Thread: IDA Scan level 2 batch number 3 of4[[java.lang.NullPointerException
at oracle.iam.ida.internal.impl.IDAUtil.populateVOWithAccounts(IDAUtil.java:835)
at oracle.iam.ida.internal.impl.ScanRunHelper.evaluatePoliciesForUsers(ScanRunHelper.java:942)
at oracle.iam.ida.internal.impl.ScanRunHelper.scanObjectBatch(ScanRunHelper.java:795)
at oracle.iam.ida.internal.impl.ScanRunRunnable.run(ScanRunRunnable.java:117)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)

2) IDA against OIM Users with accounts in "Waiting" status

Regardless if IDA is setup to scan OIM Users for account violations or not (ex: policy is scanning Roles only), if the OIM User candidate has an account with a "Waiting" status then the following error is seen in the OIM logs but the user is still caught if the non-account violation exists:

An error occurred in oracle.iam.provisioning.impl.ProvisioningServiceInternalImpl/searchAccounts when logged in user xelsysadm performs Search action and the cause of error is oracle.iam.provisioning.exception.ProvisioningRuntimeException: oracle.iam.provisioning.exception.GenericProvisioningException: An error occurred in oracle.iam.provisioning.spi.DOBProvisioningUtil while populating account data and the cause of error is null.[[
at oracle.iam.provisioning.spi.DOBProvisioningMechanism.searchAccounts(DOBProvisioningMechanism.java:1385)
at oracle.iam.provisioning.impl.ProvisioningServiceInternalImpl.searchAccounts(ProvisioningServiceInternalImpl.java:456)
at sun.reflect.GeneratedMethodAccessor5391.invoke(Unknown Source)
...
Caused by: oracle.iam.provisioning.exception.GenericProvisioningException: An error occurred in oracle.iam.provisioning.spi.DOBProvisioningUtil while populating account data and the cause of error is null.
at oracle.iam.provisioning.spi.DOBProvisioningUtil.populateUserAccountListMap(DOBProvisioningUtil.java:1881)
at oracle.iam.provisioning.spi.DOBProvisioningUtil.searchAccounts(DOBProvisioningUtil.java:3974)
at oracle.iam.provisioning.spi.DOBProvisioningMechanism.searchAccounts(DOBProvisioningMechanism.java:1383)
... 67 more
Caused by: com.thortech.xl.orb.dataaccess.tcDataAccessException
at com.thortech.xl.dataaccess.tcDataAccessExceptionUtil.createException(tcDataAccessExceptionUtil.java:81)
at com.thortech.xl.dataaccess.tcDataBase.createException(tcDataBase.java:3209)
at com.thortech.xl.dataaccess.tcDataBase.readPartialPreparedStatement(tcDataBase.java:1411)
at com.thortech.xl.dataaccess.tcDataBase.readPreparedStatement(tcDataBase.java:1190)
at com.thortech.xl.dataobj.PreparedStatementUtil.execute(PreparedStatementUtil.java:355)
at oracle.iam.provisioning.spi.DOBProvisioningUtil.populateUserAccountListMap(DOBProvisioningUtil.java:1728)
... 69 more
Caused by: java.sql.SQLSyntaxErrorException: ORA-00903: invalid table name

at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:462)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:405)
at oracle.jdbc.driver.T4C8Oall.processError(T4C8Oall.java:931)
...

 

Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms