How to Solve Account Name Inconsistencies in OIM 11gR2
While we all do our best to avoid it, occasionally a situation occurs where a user’s Account Name does not match the actual account name on the target account, or the username. Typically this will occur due to peculiarities in your Oracle Identity Manager configuration. Should you find yourself in this situation (as one of our clients recently did), we’ve documented steps you can take to resolve the inconsistency.
In our example scenario, the user had been created with a misspelled first name: Jnoh Smith instead of John Smith. The account was created, and the username was generated automatically as SMITHJNO (rather than SMITHJOH).
The user’s accounts were provisioned to Active Directory and Epic with the incorrect username of SMITHJNO. The username was updated in OIM, and provisioned to Active Directory. Due to client requirements, changes made in OIM would not affect the Epic accounts. The client’s Epic team updated the account name on the Epic side, but due to the OIM configuration, the account name on the accounts tab in OIM was still set to SMITHJNO.
In this scenario, there were no modifications we could make in OIM (or the target account) that would change the account name in the accounts tab. The solution was to update the database directly.* It is important to note that, in our configuration, changing this field would have no impact on the target resource and would not affect auditing in any way. In this blog, we’ll walk you through the steps we used to update the account.
Forcing an Update to the Account Name
The value of the Account Name is set by the ORC_TOS_INSTANCE_KEY in the orc table of the database. To validate this, use this query statement (inserting the current OIM user login):
select usr.usr_login, orc.orc_key, app_instance.app_instance_display_name, orc.orc_tos_instance_key from usr, oiu, ost, orc, obi, obj, app_instance where oiu.usr_key=usr.usr_key and ost.ost_key=oiu.ost_key and oiu.obi_key=obi.obi_key and obi.obj_key=obj.obj_key and app_instance.app_instance_key=oiu.app_instance_key and orc.orc_key=oiu.orc_key and usr.usr_login='<current user login>';
This will provide you with a list of all the accounts and account names associated with that user. Make note of the ORC_KEY for the account name you want to update (we’ll call this ‘value a’).
To update the account name, use this update query:
update orc set ORC_TOS_INSTANCE_KEY='<desired account name>' where ORC_KEY=<value a>;
Refresh the accounts tab for the given user, and you will see the errant value replaced with the desired value.
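The same change can be wrapped in a single guarded transaction. The block below is an added example, not part of the original post: it checks that the ORC_KEY belongs to the intended user and still holds the errant value before updating, and rolls back if anything other than exactly one row changes. It assumes a session connected as the OIM schema owner; the logins come from the scenario above, and 12345 is a placeholder ORC_KEY.

```sql
SET SERVEROUTPUT ON

DECLARE
  -- Constructed sample values; 12345 stands in for 'value a' from the query above.
  v_login    usr.usr_login%TYPE            := 'SMITHJOH';  -- current OIM user login
  v_orc_key  orc.orc_key%TYPE              := 12345;       -- placeholder ORC_KEY
  v_expected orc.orc_tos_instance_key%TYPE := 'SMITHJNO';  -- errant account name
  v_desired  orc.orc_tos_instance_key%TYPE := 'SMITHJOH';  -- desired account name
  v_current  orc.orc_tos_instance_key%TYPE;
BEGIN
  -- Confirm the ORC_KEY is linked to this user and lock the row until commit.
  -- Raises NO_DATA_FOUND if the key does not belong to the user.
  SELECT orc.orc_tos_instance_key
    INTO v_current
    FROM usr, oiu, orc
   WHERE oiu.usr_key   = usr.usr_key
     AND orc.orc_key   = oiu.orc_key
     AND usr.usr_login = v_login
     AND orc.orc_key   = v_orc_key
     FOR UPDATE OF orc.orc_tos_instance_key;

  -- Refuse to overwrite a value other than the one we set out to fix.
  IF v_current IS NULL OR v_current <> v_expected THEN
    RAISE_APPLICATION_ERROR(-20001,
      'Unexpected current account name: ' || NVL(v_current, '(null)'));
  END IF;

  UPDATE orc
     SET orc_tos_instance_key = v_desired
   WHERE orc_key = v_orc_key;

  -- ORC_KEY should identify exactly one row.
  IF SQL%ROWCOUNT <> 1 THEN
    RAISE_APPLICATION_ERROR(-20002,
      'Expected 1 row, updated ' || SQL%ROWCOUNT);
  END IF;

  -- Leave a record of the old and new values in the session output.
  DBMS_OUTPUT.PUT_LINE('ORC_KEY ' || v_orc_key || ': '
                       || v_current || ' -> ' || v_desired);
  COMMIT;
EXCEPTION
  WHEN OTHERS THEN
    ROLLBACK;  -- nothing is changed if any check fails
    RAISE;
END;
/
```

Keep the printed old and new values with your change record so the update can be reversed if needed.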
While making direct database modifications is never the preferred approach, occasionally it is the only option. We hope if you’re in a similar position this documentation will help you along.
*Please note, we do not recommend making direct database modifications except when in critical need and other solutions are not viable (as when these race conditions occur). Directly modifying the database carries inherent risks, and is not supported by Oracle.