Reputation: 1
I have a project in Identity management for which I am hoping someone can point me in the right direction. It's role-based provisioning; basically, I need to know how to provision a specific application based on certain user attributes (e.g. job title, dept) and then automatically raise a provisioning request for that application. The application is a disconnected application and will be provisioned manually.
What we are trying to achieve is that once a user has been created in OIM and if he or she meets those criteria, the OIM will generate the request for the application so they can be provisioned for them. Is there a way to implement this within OIM?
Upvotes: 0
Views: 1367
Reputation: 73
All you need is a Role with the desired membership rule and an Access Policy attached to it. The Role and membership rule can be created with the OIM Role creation wizard. You can create a policy from the admin console and associate your role and resource with it. Do provide default required parent form fields (at least IT Resource).
In case you want to add default entitlements, edit the child form and add those.
Upvotes: 1
Reputation: 2143
You can just use the scheme where a role in OIM has a membership rule to automatically grant a user the role if some of the user's attributes match a specific condition.
Then you can create an Access Policy to provision a disconnected resource and attach it to this created role. Usually, disconnected resource provisioning will create a SOA workflow where there is a human task to complete the provisioning operation.
Upvotes: 3
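A small model of the chain both answers describe (membership rule on user attributes, role, Access Policy, manual provisioning task), added here as an illustration and not taken from the thread or from OIM. The class names, the AND-only rule semantics, the sample users and the `LedgerApp` resource are assumptions, and none of this is an OIM API.

```python
# Illustrative model only: these classes are hypothetical and are not OIM APIs.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class MembershipRule:
    """All listed attributes must equal the given values (AND semantics, assumed)."""
    conditions: tuple  # e.g. (("job_title", "Accountant"), ("dept", "Finance"))

    def matches(self, user: dict) -> bool:
        return all(str(user.get(attr, "")).strip().lower() == value.lower()
                   for attr, value in self.conditions)

@dataclass
class AccessPolicy:
    role: str          # role the policy is attached to
    resource: str      # the disconnected application
    parent_form: dict  # default parent form fields, e.g. the IT Resource

@dataclass
class Engine:
    rules: dict        # role name -> MembershipRule
    policies: list
    requests: list = field(default_factory=list)

    def evaluate(self, user: dict) -> list:
        """Grant rule-based roles, then raise one manual task per new resource."""
        roles = {name for name, rule in self.rules.items() if rule.matches(user)}
        raised = []
        for policy in self.policies:
            key = (user["login"], policy.resource)
            already = any((r["user"], r["resource"]) == key for r in self.requests)
            if policy.role in roles and not already:  # no duplicate request on re-evaluation
                req = {"user": user["login"], "resource": policy.resource,
                       "form": dict(policy.parent_form), "status": "PENDING_MANUAL"}
                self.requests.append(req)
                raised.append(req)
        return raised

# Constructed sample data.
ENGINE = Engine(
    rules={"Finance Accountants": MembershipRule(
        (("job_title", "Accountant"), ("dept", "Finance")))},
    policies=[AccessPolicy("Finance Accountants", "LedgerApp",
                           {"it_resource": "LedgerApp-Prod"})],
)
ALICE = {"login": "alice", "job_title": "Accountant", "dept": "Finance"}
BOB = {"login": "bob", "job_title": "Accountant", "dept": "Sales"}

if __name__ == "__main__":
    for u in (ALICE, BOB, ALICE):  # the second ALICE pass raises nothing new
        print(u["login"], ENGINE.evaluate(u))
```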