I have developed this post to elaborate on the steps and include the missing steps in order to complete the remediation steps.

Before I dive in, it's work noting that this effort is for Open-loop remediation, which oracle Manual Closed-loop remediation (which is wrong). The concept of closed-loop remediation is to ensure that the total effort is conditioned on the previous step though without any dependent effort included. In other words, the manager would revoke access, push that request to the provisioning server (OIM) and automatically de-provision that access, then notify OIA on the completed task, thus completing the effort autonomously and streamlined.

The concept and intended goal with Open-loop is similar to Closed-Loop though the difference is that Open-loop has dependencies upon the complete task. An example would be for a manager to revoke access, though a business analyst would create a separate reports for the application owner or the help desk to revoke the access.

In OIA's example that's provided, 'manual Closed-loop remediation' is actually open-loop remediation.

The task here is to manually configure the WEB-INF config files in order for OIA to check if it's required to do any remediation checking. These files are called Scheduling-context.xml and Jobs.xml, which can be located within the deployed OIA WEB-INF directory.

The common task here are as follows:

• import a full application data feed (inc. accounts and attribute)
• Create a certification
• Manager completes the certification with also includes the revoke access
• The OIA engineer runs the reports for application owners on any revoke access
• Application Owner revokes access
• Import a new application data feed (inc. all the revoke changes made by the application owner)
• OIA sees the remediated effort has taken place, then updated the remediation status

The task here is to import the attributes via a flat file feed, complete the certification, then import a new feed with the remediated effort within the data file

In this example, the manager is going to revoke the access 'AdminAccess' associated to the user 'DR12345' account.

The original data file
name,RoleAccess,domain,endpoint,summaryRisk
DR12345,AdminAccess,Example,Example,1


The final data file
name,RoleAccess,domain,endpoint,summaryRisk
DR12345,,Example,Example,1

Note: you can see that the account no longer has the attribute value 'AdminAccess' in the final data file

Take a backup of the scheduling-context.xml and jobs.xml

line 183

<ref bean="certificationRemediationJob"/>

line 223

<ref bean="certificationRemediationTrigger"/>

Within line 942, change the value to, 0 0/1 * * * ?

<bean id="certificationRemediationTrigger" class="org.springframework.scheduling.quartz.CronTriggerBean">
<property name="jobDetail">
<ref bean="certificationRemediationJob"/>
</property>
<property name="cronExpression">
<value>0 0/1 * * * ?</value>
</property>
</bean>

Bounce the application server in order for the changes to take effect

Next, log into OIA, click Identity Warehouse, Resources, (select the application) and click the Remediation tab.

To ensure OIA performs the remediation, Click on the Administration tab, settings, Identity Certification and scroll to the bottom to the Remediation section

Now proceed with the following tasks as mentioned above and you should now be able to see the remediation take place.

About the author