This blog serves as a place for my information security notes.
Wednesday, March 20, 2013
OIA Orphan Accounts
When you import resource accounts from a file and an account has no corresponding OIA global user, that imported account is an orphan: OIA cannot correlate it to an owner.
By default, OIA does not import orphaned accounts; it only produces a report listing them.
To see whether an import produced any orphaned accounts, go to Administration>Import/Export Logs>View Details for the import, then click the Show Exceptions button. You can also export the exceptions using the Export button. These are reported as OIA CORRELATION ERRORs.
Orphaned accounts can also occur when an OIA global user is deleted and the resource account remains in OIA. These orphaned accounts can be found by choosing Identity Warehouse>Users>Orphaned Accounts. This screen lets you assign the orphaned account to an existing OIA global user if necessary. Either way, an account that no global user owns is one that nobody is accountable for, so each orphan should be assigned an owner or disabled on the resource.
Alternatively, OIA can handle orphaned accounts (those with correlation errors) found during imports differently, using the following property in the iam.properties file (../oia/conf/iam.properties):

    # CORRELATION PARAMETERS
    # dropOrphanAccounts=true  => accounts not correlated are not imported
    # dropOrphanAccounts=false => accounts not correlated are imported
    com.vaau.rbacx.iam.correlation.dropOrphanAccounts=true
Set com.vaau.rbacx.iam.correlation.dropOrphanAccounts to false and restart OIA.
With this change, OIA imports the accounts that had correlation errors. Each such account shows up in the Users>Orphaned Accounts screen and is listed under its resource.
The orphaned accounts are still included in the import exception file. This provides a means to report on the orphans, but it would be nice to find a cleaner way to deliver the orphaned account results to an application support person. If you know of a better way, let me know.
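One way to turn the exported exception file into something an application support person can act on is to split it per resource, so each application owner gets only their own orphans and a single question to answer (who owns this account, or may it be disabled). The script below is an added example, not code from the original post or from OIA. The column layout of the exported file (resource, account_name, error_type, import_date) is an assumption, as is the sample data, which is constructed; the comparison on error_type is what filters correlation errors out of any other exception rows the export might carry.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of an exported exception file. The real OIA export's
# column names are not documented on this page, so this header is an assumption.
# The OTHER ERROR row is there only to show that non-correlation rows are ignored.
SAMPLE_EXPORT = """\
resource,account_name,error_type,import_date
HR-PeopleSoft,jsmith,CORRELATION ERROR,2013-03-20
HR-PeopleSoft,svc_batch01,CORRELATION ERROR,2013-03-20
ActiveDirectory,contractor77,CORRELATION ERROR,2013-03-20
ActiveDirectory,jdoe,CORRELATION ERROR,2013-03-20
ActiveDirectory,ok_user,OTHER ERROR,2013-03-20
ERP-Finance,admin_temp,CORRELATION ERROR,2013-03-20
"""


def parse_exceptions(text):
    """Return only the rows whose error_type marks them as uncorrelated (orphan) accounts."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        row for row in reader
        if row["error_type"].strip().upper() == "CORRELATION ERROR"
    ]


def orphans_by_resource(rows):
    """Group orphan account names under the resource they were imported for."""
    grouped = defaultdict(list)
    for row in rows:
        grouped[row["resource"].strip()].append(row["account_name"].strip())
    return {resource: sorted(names) for resource, names in grouped.items()}


def build_reports(grouped):
    """Produce one plain-text report per resource, addressed to that application's
    support owner. Each report asks for the one decision that matters: which global
    user owns the account, or confirmation that it can be disabled."""
    reports = {}
    for resource, names in sorted(grouped.items()):
        lines = [
            f"Orphaned accounts on {resource} ({len(names)} found)",
            "Please reply with the owner of each account, or confirm it can be disabled:",
        ]
        lines += [f"  - {name}" for name in names]
        reports[resource] = "\n".join(lines)
    return reports


def run(text=SAMPLE_EXPORT):
    """Full pipeline: exception export text -> {resource: report text}."""
    return build_reports(orphans_by_resource(parse_exceptions(text)))


if __name__ == "__main__":
    for resource, body in run().items():
        print(body)
        print()
```

Feed the real export in place of SAMPLE_EXPORT (for example `run(open("exceptions.csv").read())`) after checking its header against the assumed column names; each value of the returned dict is the text to send to that resource's support contact.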