General Support Practices for Account Lifecycle Issues in OIM
When you are in a support role, you will find that accounts, roles, and entitlements do not always provision properly. From time to time, the fix is on the surface and staring you right in the face. Here are some basic things to look for that could lead you to solving your problem.
1. Is the user enabled?
If the user is disabled, there is often something preventing a successful provision. You may also find that a user with an End Date in the past won’t allow any accounts to provision.
2. Is the user locked out?
Aside from preventing regular access, a lockout can put the user's accounts into a different state. Security measures may include policies that remove certain access from accounts in a locked-out state, so a user may lose an entitlement or two because of it. Check the resource tasks to see whether a “Remove All Groups” or “Remove Group From User” task ran around the same time the account got locked out or disabled.
3. Is the start date in the future?
A Start Date can put an account “on hold” until the date arrives: access and provisioning are blocked until then.
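The first three checks above are the ones worth scripting when you triage more than a handful of users. The following is an added example, not part of the original post and not OIM's own API: it runs the enabled, End Date, lockout and Start Date checks over a constructed set of user records. The field names ("Status", "Locked", "Start Date", "End Date") and the record shape are assumptions standing in for whatever your user search export looks like.

```python
from datetime import date

# Constructed sample records, shaped loosely like rows from a user search.
# The field names are assumptions, not OIM's real attribute names.
SAMPLE_USERS = {
    "jdoe":   {"Status": "Disabled", "Locked": False,
               "Start Date": "2023-01-15", "End Date": "2024-06-30"},
    "asmith": {"Status": "Active", "Locked": True,
               "Start Date": "2022-03-01", "End Date": None},
    "bnew":   {"Status": "Active", "Locked": False,
               "Start Date": "2030-01-01", "End Date": None},
    "dgone":  {"Status": "Active", "Locked": False,
               "Start Date": "2019-05-01", "End Date": "2024-06-30"},
    "cok":    {"Status": "Active", "Locked": False,
               "Start Date": "2020-01-01", "End Date": None},
}


def parse_date(value):
    """Turn an ISO date string into a date; missing values stay None."""
    return date.fromisoformat(value) if value else None


def triage_user(user, today_iso):
    """Return the surface-level reasons provisioning may be blocked for one user.

    An empty list means none of the basic checks fired and you need to go
    a level deeper (logs, resource history).
    """
    today = date.fromisoformat(today_iso)
    findings = []

    # 1. Is the user enabled? A disabled user will not provision.
    if str(user.get("Status", "")).lower() != "active":
        findings.append(f"user status is {user.get('Status')!r}; "
                        "provisioning will not proceed")

    # Still check 1: an End Date in the past behaves like a disabled user.
    end = parse_date(user.get("End Date"))
    if end and end < today:
        findings.append(f"End Date {end} is in the past; "
                        "accounts will not provision")

    # 2. Is the user locked out? Lockout policies may have stripped access.
    if user.get("Locked"):
        findings.append("user is locked out; check resource history for "
                        "group-removal tasks around the lock time")

    # 3. Is the Start Date in the future? The account is on hold until then.
    start = parse_date(user.get("Start Date"))
    if start and start > today:
        findings.append(f"Start Date {start} is in the future; "
                        "access is on hold until then")

    return findings


def triage_all(users, today_iso):
    """Run triage_user over a whole export; login -> list of findings."""
    return {login: triage_user(u, today_iso) for login, u in users.items()}


if __name__ == "__main__":
    for login, findings in triage_all(SAMPLE_USERS, "2025-01-01").items():
        print(login, "->", findings or ["no surface-level issue found"])
```

Run it with today's date as the second argument; any user that comes back with an empty list has passed the surface checks and is a candidate for the log and resource-history work described further down.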
4. Logs. Logs. Logs.
This isn’t exactly surface level, but it is only slightly below it. If you can pinpoint the time that access was lost, it becomes much easier to see which events were triggered at that time, or whether an error occurred.
5. Freshen up on access policies and rules for your environment.
It’s always good to understand that something may have happened simply because of how the policies and rules are designed.
6. Duplicates can create problems.
Use Search Users to check whether there is a naming conflict. It is also possible that accounts provisioned for duplicate users conflict with each other and prevent access.
7. Retry tasks
Every once in a while a task will get rejected in an account’s resource history. Sometimes a simple retry will give it the push it needs: every so often a simple blip happens, like a network outage, or perhaps another feature was disabled at the moment. A retry can succeed if everything is in order. At the very least, if it fails again, it may provide the error message or the reason why it didn’t succeed. It will also provide a timestamp to make searching the logs easier.
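Items 4, 6 and 7 all come down to the same habit: take a timestamp from the resource history and look at what else happened around it. The following is an added example, not part of the original post and not OIM's own API. It works over a constructed resource-history table and a few constructed log lines; the row fields ("task", "status", "time", "note"), the timestamp format and the log line format are all assumptions. The two task names it looks for, “Remove All Groups” and “Remove Group From User”, are the ones named in item 2 above.

```python
from datetime import datetime, timedelta

# Constructed resource-history rows for one account. Field names are
# assumptions; the timestamps are ISO 8601 so they sort and compare cleanly.
SAMPLE_TASKS = [
    {"task": "Create User", "status": "Completed",
     "time": "2024-09-10T08:00:00"},
    {"task": "Add Group To User", "status": "Completed",
     "time": "2024-09-10T08:01:00"},
    {"task": "Remove All Groups", "status": "Completed",
     "time": "2024-09-12T14:05:00"},
    {"task": "Add Group To User", "status": "Rejected",
     "time": "2024-09-13T09:30:00", "note": "Connection refused"},
]

# Constructed log lines; the first token is the timestamp.
SAMPLE_LOG = [
    "2024-09-13T09:29:58 INFO  provisioning task Add Group To User started",
    "2024-09-13T09:30:02 ERROR connector call failed: Connection refused",
    "2024-09-13T09:30:03 WARN  task Add Group To User marked Rejected",
    "2024-09-13T11:00:00 INFO  scheduled job finished",
]

# Tasks that a lockout policy may have fired (item 2 of the checklist).
GROUP_REMOVAL_TASKS = {"Remove All Groups", "Remove Group From User"}


def parse_ts(value):
    return datetime.fromisoformat(value)


def tasks_in_window(tasks, center_iso, minutes=30):
    """Resource-history rows within +/- minutes of a point in time."""
    center = parse_ts(center_iso)
    lo, hi = center - timedelta(minutes=minutes), center + timedelta(minutes=minutes)
    return [t for t in tasks if lo <= parse_ts(t["time"]) <= hi]


def group_removals_near(tasks, lock_time_iso, minutes=30):
    """Item 6: did a group-removal task run around the lockout/disable time?"""
    return [t for t in tasks_in_window(tasks, lock_time_iso, minutes)
            if t["task"] in GROUP_REMOVAL_TASKS]


def rejected_tasks(tasks):
    """Item 7: rejected rows are the retry candidates; keep their notes."""
    return [t for t in tasks if t["status"] == "Rejected"]


def log_window_for(task, minutes=5):
    """Item 4: turn a task's timestamp into a (lo, hi) window for log search."""
    ts = parse_ts(task["time"])
    return ((ts - timedelta(minutes=minutes)).isoformat(),
            (ts + timedelta(minutes=minutes)).isoformat())


def filter_log_lines(lines, lo_iso, hi_iso):
    """Keep only log lines whose leading timestamp falls inside the window."""
    lo, hi = parse_ts(lo_iso), parse_ts(hi_iso)
    kept = []
    for line in lines:
        stamp = line.split(" ", 1)[0]
        try:
            when = parse_ts(stamp)
        except ValueError:
            continue  # continuation or malformed line, no timestamp
        if lo <= when <= hi:
            kept.append(line)
    return kept


if __name__ == "__main__":
    # Item 6: correlate a known lockout time with group-removal tasks.
    print("removals near lockout:",
          [t["task"] for t in group_removals_near(SAMPLE_TASKS, "2024-09-12T14:00:00")])
    # Items 4 and 7: for each rejected task, show the log lines around it.
    for task in rejected_tasks(SAMPLE_TASKS):
        lo, hi = log_window_for(task)
        print(f"{task['task']} rejected at {task['time']} ({task.get('note')})")
        for line in filter_log_lines(SAMPLE_LOG, lo, hi):
            print("   ", line)
```

Swap the constructed rows for an export of the real resource history and the real log file, and the rejected task's timestamp gives you the window to search before you click retry.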