Identity And Access Management - Rajiv Dewan

Disconnected Application Duplicate Task Getting Assigned

A few months back I was working with Disconnected Applications and came across another issue: the same task was getting assigned multiple times to the Help Desk team for manual action.
With RBAC, when a user's last role for an application is removed, the Access Policy either disables or revokes the application account; in my case it was configured to disable it.

If the user then requests another role for the same application, the Access Policy creates two tasks for the Help Desk team, "Enable Application" and "Grant Entitlement". If the Help Desk team does not act on these two tasks for 4-5 days and in the meantime the end user requests yet another role for the same application, the OIM Access Policy creates a second "Enable Application" task for the same account even though the first one is still pending.

I have seen this duplicate-task issue in many scenarios.

Multiple Design Console Installations

Any client has several OIM environments (Dev, QA, Pre-Prod and Production) and we need a Design Console for each of them. The usual approaches are to install one Design Console and edit xlconfig.xml under its config folder whenever you want to connect to a different environment, or to keep a separate copy of the Design Console folder per environment.

I thought of using the same client for multiple environments by creating multiple xlconfig.xml files, one per environment, but I found that the file name is hard-coded in the jar files: the Design Console jars always look for xlconfig.xml. So what I did:
  • Created a separate directory for each environment under the same Design Console installation
  • Copied the config folder into each of those directories
  • Created one xlclient.cmd per environment, pointing it at the corresponding environment directory

So now I have only one Design Console installation for all environments, and if I have to upgrade the Design Console I do it only once.

For people who don't know, you can also pass the username and password from xlclient.cmd itself, so there is no need to type them at login (a small thing, but sometimes useful). Bear in mind that the password then sits in clear text in the script: keep the file readable only by you, and don't do this on a shared workstation or with a privileged account.

Edit your xlclient.cmd so that the launch line looks like this:

com.thortech.xl.client.base.tcAppWindow -server server -user RAJIVDEWAN -password Welcome1

Access Policy Harvesting - Case Sensitive Issue

Here's another issue with Access Policy Harvesting. I reconciled entitlement (xyz) for a user, but in the Access Policy we had given the entitlement name in a different case (Xyz). When we ran the Evaluate User Policy job after role assignment, OIM initiated provisioning for entitlement "Xyz".
Ideally OIM should have harvested that entitlement into the Access Policy, but it didn't: the comparison is case-sensitive, so "xyz" and "Xyz" are treated as two different entitlements.

So make sure you compare the Access Policy child-form data with the reconciled data, and compare it exactly: a difference in case alone is enough for OIM to treat the values as different entitlements. You can do this by comparing the POC table (policy child data) against the application's child-form tables. The comparison is only complete if at least one user actually holds each entitlement defined in an Access Policy; a value that nobody holds yet has no reconciled counterpart to check against.
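The check above, as an added example that is not part of the original post: a small Python script that classifies each Access Policy child-form value against the reconciled child-form values and reports the ones that differ only in case or surrounding whitespace. The form and field names and the rows are constructed sample data standing in for what you would pull from the POC table and the application's child-form table with your own query.

```python
"""Compare access-policy child-form values against reconciled child-form data.

Added example, not code from the original post. Both inputs are constructed
here; in practice they would come from your own queries against the POC
(policy child data) and the UD_*_CHILD tables of the application.
"""
from collections import defaultdict


def normalise(value):
    """Collapse case and surrounding whitespace so near-misses become visible."""
    return value.strip().casefold()


def compare_policy_with_recon(policy_values, recon_values):
    """Classify each access-policy child value against reconciled data.

    policy_values: iterable of (policy_name, child_form, field, value)
    recon_values:  iterable of (child_form, field, value)

    Returns a dict with three lists:
      'exact'         - the policy value exists in recon data byte-for-byte
      'case_mismatch' - a recon value differs only in case/whitespace; OIM
                        will not harvest it and will try to provision instead
      'missing'       - no reconciled account carries this value at all
    """
    seen = defaultdict(set)  # (form, field) -> set of raw reconciled values
    for form, field, value in recon_values:
        seen[(form, field)].add(value)

    result = {"exact": [], "case_mismatch": [], "missing": []}
    for policy, form, field, value in policy_values:
        raw = seen.get((form, field), set())
        if value in raw:
            result["exact"].append((policy, form, field, value))
            continue
        near = sorted(v for v in raw if normalise(v) == normalise(value))
        if near:
            result["case_mismatch"].append((policy, form, field, value, near))
        else:
            result["missing"].append((policy, form, field, value))
    return result


# Constructed sample data (form/field names are illustrative, not tenant data).
POLICY_ROWS = [
    ("AP_Finance", "UD_ADUSRC", "UD_ADUSRC_GROUPNAME", "Xyz"),
    ("AP_Finance", "UD_ADUSRC", "UD_ADUSRC_GROUPNAME", "Finance-Users"),
    ("AP_HR", "UD_ADUSRC", "UD_ADUSRC_GROUPNAME", "HR Admins"),
]
RECON_ROWS = [
    ("UD_ADUSRC", "UD_ADUSRC_GROUPNAME", "xyz"),
    ("UD_ADUSRC", "UD_ADUSRC_GROUPNAME", "Finance-Users"),
    ("UD_ADUSRC", "UD_ADUSRC_GROUPNAME", "xyz "),
]

if __name__ == "__main__":
    report = compare_policy_with_recon(POLICY_ROWS, RECON_ROWS)
    for kind, rows in report.items():
        for row in rows:
            print(kind, row)
```

Anything in the case_mismatch list is a policy value to correct before running Evaluate User Policy; the missing list is what the comparison cannot verify until someone actually holds that entitlement.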

Access Policy Harvesting - Oracle Identity Manager

Access Policy Harvesting is a very common and important feature of Oracle Identity Manager, and a complicated one too :) In the last deployment we faced a weird issue with it. In earlier versions of OIM we used to follow the steps mentioned in my other blog post (Click Here).

Details & Workaround:
An RBAC solution was implemented for an application. A few roles of that application had already been integrated earlier; the application team then added some new roles and assigned the memberships from the backend.
When we reconciled the newly added roles and ran the Access Policy Harvesting job (Evaluate User Policy) after the OIM roles were assigned, OIM did not harvest the newly added entitlements, but ONLY for a few users.

AP Harvesting worked for some users with the same set of entitlements and roles, but not for other users having the same role and entitlement. We evaluated the Access Policies multiple times, but no luck. On debugging, I found that the accounts of the users for whom AP Harvesting did not happen had been created by OIM through the provisioning mechanism, and that is why OIM skipped those accounts while evaluating the access policies.
I had to change the provisioning mechanism of such accounts to "AP Harvested" in the database and evaluate the access policies again, and everything worked like a charm. :) Note that this is a direct edit of OIM's own tables: back them up first, try it on a non-production copy, and limit the change to the affected accounts.

OIM Connectors: Office 365, ServiceNow, RestAPI, SalesForce

Oracle has released a few new connectors for Oracle Identity Manager:

  • Office 365
  • ServiceNow
  • Generic REST
  • SalesForce
  • BOX
  • Webex
  • Generic SCIM
  • Fusion Apps
  • Concur
  • Generic Script
  • Identity Cloud

These connectors can be downloaded from the link below:


Sample Code: OIM API Code for Provision Application Instance

Here is sample OIM API code for submitting a "Provision Application Instance" request for a user through the oracle.iam.request API (the keys used are placeholders for a real usr_key and app_instance_key):

import java.util.ArrayList;
import java.util.List;
import oracle.iam.platform.utils.vo.OIMType;
import oracle.iam.request.api.RequestService;
import oracle.iam.request.exception.*;
import oracle.iam.request.vo.*;

public void submitProvisionRequest(RequestService requestService) throws InvalidRequestException, InvalidRequestDataException, RequestServiceException, BulkBeneficiariesAddException, BulkEntitiesAddException {
        String beneficiaryKey = "141";                      // usr_key of the user receiving the account
        String applicationInstanceName = "ActiveDirectory"; // application instance name
        String applicationInstanceKey = "14";               // app_instance_key

        Beneficiary beneficiary = new Beneficiary();        // the user who will be provisioned
        beneficiary.setBeneficiaryType(Beneficiary.USER_BENEFICIARY);
        beneficiary.setBeneficiaryKey(beneficiaryKey);

        RequestBeneficiaryEntity requestEntity = new RequestBeneficiaryEntity(); // what to provision
        requestEntity.setRequestEntityType(OIMType.ApplicationInstance);
        requestEntity.setEntitySubType(applicationInstanceName);
        requestEntity.setEntityKey(applicationInstanceKey);
        requestEntity.setOperation(RequestConstants.MODEL_PROVISION_APPLICATION_INSTANCE_OPERATION);

        List<RequestBeneficiaryEntity> targetEntities = new ArrayList<RequestBeneficiaryEntity>();
        targetEntities.add(requestEntity);
        beneficiary.setTargetEntities(targetEntities);
        List<Beneficiary> beneficiaries = new ArrayList<Beneficiary>();
        beneficiaries.add(beneficiary);

        RequestData requestData = new RequestData();
        requestData.setBeneficiaries(beneficiaries);
        requestData.setJustification("Provisioning Active Directory account via API");
        String requestID = requestService.submitRequest(requestData);
        System.out.println("Request ID :: " + requestID);
}

OIM - SOA : Value too large for column "WFMESSAGEATTRIBUTE"."STRINGVALUE"

Issue Description:

For every request in OIM, the OIM user interface allows a justification of up to 4000 characters, but if you actually provide a 4000-character justification you will see this error in the SOA logs:

ORA-12899: value too large for column "_SOAINFRA"."WFMESSAGEATTRIBUTE"."STRINGVALUE" (actual: 4000, maximum: 2000) 

The SOA infra schema stores the justification in WFMESSAGEATTRIBUTE.STRINGVALUE, a column with a maximum width of 2000, so SOA accepts a justification of at most 2000 characters. With byte length semantics on that column (the Oracle default) the limit is 2000 bytes, so justifications containing non-ASCII characters hit it sooner.

Enforce the limit in the OIM UI (this can be done in several ways) so that users cannot enter a justification longer than 2000 characters, and validate it on the server side as well, since a request submitted through the request API bypasses a UI-only check.

Disconnected Weird Issue - Deployment Manager Import

Disconnected Applications

A weird issue came up while migrating disconnected applications from one environment to another.


There were two disconnected applications with the following names:
  1. RajivDewan
  2. Rajiv

There is no issue importing the first application, "RajivDewan", but when you try to import the second one, "Rajiv", you get:

com.thortech.xl.ddm.exception.DDMException: Object specified is invalid.Rajiv [ApplicationInstance]

This error comes when importing an application instance whose name is a substring of an existing application instance's name.

The simplest way to avoid it is not to create application instances whose names are substrings of one another. If you already have such names, the workaround is:

  • Temporarily change the existing application instance's name in the database
  • Import the second application instance
  • Roll the existing (old) application instance's name back

Since this is a direct database edit, back the table up first and do it in a window when nothing is being provisioned against that application instance.

There is a support note on this issue, but it does not contain the workaround.

OIM Deployment Manager Import DDM Exception Error

Sometimes you see a common error while importing an XML file through Deployment Manager: on screen it shows "Error encountered while reading the file."

In the server logs you'll find a line like:

DDMException: Version m.n.o is not accepted by DDM Version a.b.c

This error is due to a DDM version mismatch. The message gives you both versions: the first (m.n.o) is the DDM version recorded in the XML file, and the second (a.b.c) is the DDM version of the OIM server you are importing into.

OIM Server DDM Version: a.b.c
XML DDM Version: m.n.o

To resolve the issue, edit the XML file manually and replace the DDM version recorded near the top of the file (the version attribute on the root element) with the OIM server's DDM version.

After replacing the DDM version, save the XML file and try the import again. It should work (it has always worked for me) ;) Keep in mind that this only overrides the version check; if the objects in the file were exported from a different OIM release, review them after the import.
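As an added example (not part of the original post), here is a Python pre-flight script that does the DDM version replacement described above on an export file, and also runs the application instance name check from the "Disconnected Weird Issue - Deployment Manager Import" post, flagging any exported application instance whose name is a substring of (or, going one step further than that post, contains) a name that already exists in the target. It assumes the 11g export layout, with a root element xl-ddm-data carrying the version attribute and ApplicationInstance elements carrying a name attribute; the sample export and the version numbers are constructed. Adjust the tag names if your export differs.

```python
"""Pre-flight checks for an OIM Deployment Manager export before import.

Added example, not code from the original post. Assumptions: the export's
root element is <xl-ddm-data version="..."> and application instances appear
as <ApplicationInstance name="..."> elements. The sample XML is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Only the version attribute of the root element, nothing else in the file.
VERSION_RE = re.compile(r'(<xl-ddm-data\b[^>]*\bversion=")([^"]*)(")')


def rewrite_ddm_version(xml_text, server_version):
    """Return (new_text, old_version) with the root version attribute replaced.

    Done with a regex on the raw text instead of re-serialising the tree so
    the rest of the export (whitespace, attribute order, XML declaration) is
    left exactly as Deployment Manager produced it.
    """
    m = VERSION_RE.search(xml_text)
    if not m:
        raise ValueError("no xl-ddm-data version attribute found")
    old = m.group(2)
    new_text = xml_text[:m.start(2)] + server_version + xml_text[m.end(2):]
    return new_text, old


def exported_app_instance_names(xml_text):
    """Names of the application instances contained in the export."""
    root = ET.fromstring(xml_text)
    return [e.get("name") for e in root.iter("ApplicationInstance") if e.get("name")]


def substring_collisions(new_names, existing_names):
    """Pairs (new, existing) where one name is a substring of the other.

    Deployment Manager refuses to import an application instance whose name
    is a substring of one that already exists, so these need the temporary
    rename described in the post before the import.
    """
    hits = []
    for new in new_names:
        for old in existing_names:
            if new != old and (new in old or old in new):
                hits.append((new, old))
    return hits


# Constructed sample export, trimmed to the parts the checks look at.
SAMPLE_EXPORT = """<?xml version="1.0" encoding="UTF-8"?>
<xl-ddm-data version="2.0.2.1" user="XELSYSADM" database="jdbc:oracle:thin:@db:1521/oim" exported-date="0">
  <ApplicationInstance repo-type="API" name="Rajiv">
    <applicationInstanceDisplayName>Rajiv</applicationInstanceDisplayName>
  </ApplicationInstance>
</xl-ddm-data>
"""
# Constructed: names already present in the target environment.
EXISTING_APP_INSTANCES = ["RajivDewan", "ActiveDirectory"]

if __name__ == "__main__":
    fixed, old_version = rewrite_ddm_version(SAMPLE_EXPORT, "2.0.1.0")
    print("DDM version %s -> 2.0.1.0" % old_version)
    names = exported_app_instance_names(SAMPLE_EXPORT)
    for new, old_name in substring_collisions(names, EXISTING_APP_INSTANCES):
        print("rename needed: '%s' collides with existing '%s'" % (new, old_name))
```

Run it against the real export and the list of application instances in the target environment; a clean name check plus the rewritten version attribute is what the two posts above achieve by hand.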

OIM Coding Standard: Do's and Don'ts

I am not an expert, but here are a few Do's and Don'ts based on my experience:


Do's:
  • Make use of loggers
  • Use the appropriate logger level for the data you are printing (for example, debug for payloads, info for milestones, error for failures)
  • Every method should log "Entering" and "Exiting" statements
  • Log at least the user login of the user being processed in the "Entering" statement
  • Use organization-specific package and class names
  • Keep the number of jar files to a minimum
  • Keep class-level variables to a minimum
  • Create as few OIM API instances and database connections as possible, and reuse them
  • Every class and method should have Javadoc comments
  • Use try/catch and throw/throws for error handling
  • Use meaningful names for variables and Java classes
  • Keep configurable parameters in Lookups or System Properties
  • Close OIM API instances and database connections at the end of the operation (a finally block is the safe place)
  • Log the error message before a throw statement and inside every catch block

Don'ts:
  • Do not hard-code anything (hostnames, keys, lookup values, credentials)
  • Do not use System.out.println in Java code; use the logger
  • Do not log passwords or other secrets, even at debug level