OIM 11g Back to Basics: Start and End Dates


The simpler functions used to control user life cycle in Oracle Identity Manager 11g, like start and end date, are also some of the most useful.

Using Start Date

During user creation, OIM evaluates the “Start Date” attribute. If the attribute is set to the current day or earlier (or left blank), the user is created in OIM: an event handler evaluates the start date and OIM sets the user to Active. Target accounts are then provisioned, based on the configured access policies, once the Evaluate User Policies scheduled job runs.

When a user is created in OIM with a start date set to the current date or earlier, the event handler evaluates the start date and OIM immediately creates the user in the Active state. Access policies are still applied by the Evaluate User Policies scheduled job, which provisions the target accounts.

When a user is created with a start date in the future, OIM creates the user in a “Disabled until start date” state, provisions all target accounts (as determined by access policy), and then sets those accounts to a disabled state.

Once the start date is reached, the “Enable User After Start Date” scheduled job evaluates the Start Date attribute and enables every user whose start date has passed at the time the job runs. This sets the user’s state to Active and enables all of the disabled accounts that OIM provisioned.

The advantage here is that all of the accounts exist before the new hire starts and can still be modified during this time. This eliminates the all-too-common headache on an employee’s first day, when they often discover that none of their accounts or access are working properly.

Using End Date

Similarly, using the “End Date” attribute to control termination automates the process and ensures that account closures don’t get lost in the shuffle.

The “Disable/Delete User After End Date” scheduled job evaluates the End Date attribute and either disables or deletes (by default, OIM is set to delete users) all users whose end date is before the current date at the time the job runs. All accounts provisioned to the user are then placed in either a disabled or a revoked state, depending on the configuration of the scheduled job.

If a buffer period is desired between termination and deleting the user, the “Period to Delay User Delete” system property can be set to specify how long deletion is delayed. The “value” field specifies the number of days to delay. If this is set to a value other than 0, the user is placed in a disabled state, and the “Delayed Delete User” scheduled job evaluates which users need to be deleted. It is important to note that the “Delayed Delete User” scheduled job must be enabled for this to work.

Important Note Regarding Scheduling Jobs

The schedules for “Enable User After Start Date”, “Disable/Delete User After End Date”, and “Delayed Delete User” are controlled by the OIM administrator. Oracle’s recommendation is to run the “Disable/Delete User After End Date” job every 30-60 minutes, though it is often set to run once per day at a specified time. The attributes will NOT be evaluated until the scheduled job runs. Without custom configuration, start and end date attributes carry a time of 00:00:00 on the specified day.

If, for instance, the jobs are set to run every day at 12:00:00 PM, the start and end dates will be evaluated and acted upon in the middle of normal business hours. If the schedule is set to run in the evening, the attribute will be evaluated AFTER normal business hours on the date specified in the start date attribute. Make sure the schedules for these jobs are consistent with your start and end date policies. For more information on Oracle 11G job scheduling.
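To make the timing behaviour described above concrete, here is an added Python model of the start-date and end-date rules in this post (it is not Oracle's code and does not call the OIM API). It uses the job names from the article, stores dates as 00:00:00 on the given day as OIM does by default, and runs a constructed scenario in which every job fires at 12:00: a user whose start date is 15 Jan is not enabled by the 14 Jan 23:00 run but is enabled at midday on 15 Jan, and the same user is disabled at midday on the end date, then deleted seven days later by the delayed-delete job. The user names, account names, dates and the `delete_due` field are assumptions made for the example.

```python
"""Model of how OIM 11g's start/end-date scheduled jobs act on users (added example, not OIM code)."""
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Lifecycle states, labelled as the article names them (our own string constants).
ACTIVE = "Active"
DISABLED_UNTIL_START = "Disabled until start date"
DISABLED = "Disabled"
DELETED = "Deleted"


def midnight(d: Optional[date]) -> Optional[datetime]:
    """OIM stores start/end dates as 00:00:00 on the given day unless customised."""
    return datetime(d.year, d.month, d.day) if d else None


@dataclass
class User:
    login: str
    start_date: Optional[datetime]
    end_date: Optional[datetime]
    state: str = ACTIVE
    accounts: Dict[str, str] = field(default_factory=dict)  # account name -> state
    delete_due: Optional[datetime] = None  # assumed field: set when deletion is delayed


def create_user(login: str, start: Optional[date], end: Optional[date],
                now: datetime, policy_accounts: List[str]) -> User:
    """User creation followed by the Evaluate User Policies job."""
    u = User(login, midnight(start), midnight(end))
    if u.start_date is None or u.start_date <= now:
        u.state, acct_state = ACTIVE, "Enabled"
    else:  # future start date: user and accounts exist but are disabled
        u.state, acct_state = DISABLED_UNTIL_START, "Disabled"
    u.accounts = {a: acct_state for a in policy_accounts}
    return u


def enable_user_after_start_date(users: List[User], now: datetime) -> List[str]:
    """'Enable User After Start Date' job: nothing changes until it actually runs."""
    enabled = []
    for u in users:
        if u.state == DISABLED_UNTIL_START and u.start_date and u.start_date <= now:
            u.state = ACTIVE
            u.accounts = {a: "Enabled" for a in u.accounts}
            enabled.append(u.login)
    return enabled


def disable_delete_user_after_end_date(users: List[User], now: datetime,
                                       delay_days: int = 0, action: str = "delete"):
    """'Disable/Delete User After End Date' job.

    delay_days models the 'Period to Delay User Delete' system property: a
    non-zero value disables the user and leaves deletion to the
    'Delayed Delete User' job instead of deleting immediately.
    """
    affected = []
    for u in users:
        if u.state in (ACTIVE, DISABLED_UNTIL_START) and u.end_date and u.end_date < now:
            if action == "delete" and delay_days == 0:
                u.state = DELETED
                u.accounts = {a: "Revoked" for a in u.accounts}
            else:
                u.state = DISABLED
                u.accounts = {a: "Disabled" for a in u.accounts}
                if action == "delete":
                    u.delete_due = now + timedelta(days=delay_days)
            affected.append((u.login, u.state))
    return affected


def delayed_delete_user(users: List[User], now: datetime) -> List[str]:
    """'Delayed Delete User' job: if it is never enabled, nobody is ever deleted."""
    deleted = []
    for u in users:
        if u.state == DISABLED and u.delete_due and u.delete_due <= now:
            u.state = DELETED
            u.accounts = {a: "Revoked" for a in u.accounts}
            deleted.append(u.login)
    return deleted


def simulate() -> List[Tuple[str, object]]:
    """Constructed scenario: all jobs scheduled at 12:00, 7-day delete delay."""
    accts = ["AD", "Email"]  # constructed account names
    users = [
        create_user("alice", date(2024, 1, 15), date(2024, 3, 1), datetime(2024, 1, 10, 9), accts),
        create_user("bob", None, None, datetime(2024, 1, 10, 9), accts),  # blank start date
    ]
    trace = [("created", [(u.login, u.state) for u in users])]
    # Evening run the day before the start date: 15 Jan 00:00 has not passed yet.
    trace.append(("enable 14 Jan 23:00", enable_user_after_start_date(users, datetime(2024, 1, 14, 23))))
    # Noon run on the start date: alice is enabled in the middle of the business day.
    trace.append(("enable 15 Jan 12:00", enable_user_after_start_date(users, datetime(2024, 1, 15, 12))))
    # Noon run on the end date: 00:00 is "before" 12:00, so alice is disabled at midday.
    trace.append(("end 1 Mar 12:00", disable_delete_user_after_end_date(users, datetime(2024, 3, 1, 12), delay_days=7)))
    trace.append(("delayed 7 Mar 12:00", delayed_delete_user(users, datetime(2024, 3, 7, 12))))
    trace.append(("delayed 8 Mar 12:00", delayed_delete_user(users, datetime(2024, 3, 8, 12))))
    return trace


if __name__ == "__main__":
    for step, result in simulate():
        print(f"{step:22} {result}")
```

Moving the job schedule in `simulate()` from 12:00 to an evening time is the quickest way to see why the article recommends aligning the schedule with your start and end date policy: the user with a 15 Jan start date would then be enabled on the evening of 15 Jan rather than at midday, and the disable on the end date would likewise land after business hours.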