Hi All,
We have an issue with the access policies evaluation job.
The job is run manually, with parameters at the default configuration (no time limit). We are testing three access policies, each linked to the same role and each containing a single resource.
The various resources involved can be provisioned correctly if going the manual way.
The role is assigned automatically by a role membership rule. What happens is the following:
1. We create a new user (manually, from xelsysadm).
2. The role is assigned automatically because of the rule.
3. We run the job "evaluate access policies".
Now the outcome seems to be random:
- sometimes the policies attached to the role are evaluated correctly for a user and the resources are provisioned
- sometimes the policies attached to the role seem not to trigger. Whenever the policies do not trigger, we noticed anyway that in the USER_PROVISIONING_ATTRS table, for the affected users, the flags move from POLICY_EVAL_NEEDED=1 and POLICY_EVAL_IN_PROGRESS=0 to POLICY_EVAL_NEEDED=0 and POLICY_EVAL_IN_PROGRESS=1, but no provisioning takes place at all (meaning no accounts, not even in "Provisioning" status).
- sometimes only some of the policies attached to the role are evaluated.
- we have also tried with one access policy with one resource, linked to a single role, but the outcome is equally random.
Furthermore, we performed a new test with 100 new users and 4 resources (LDAP, webservice and 2 GTC) assigned; the access policies engine started but it blocked after a random number of users were provisioned.
The users provisioned properly have the flags POLICY_EVAL_NEEDED=0 and POLICY_EVAL_IN_PROGRESS=0, but the blocked users had the flags POLICY_EVAL_NEEDED=0 and POLICY_EVAL_IN_PROGRESS=1.
Have you ever had this wrong behaviour?
Best regards,
Francesco