
PX Policy Not Always Executing or Intermittently Executing - Run Once


Article ID: 257597


Products

CA Identity Suite, CA Identity Manager

Issue/Introduction

PX Policy Not Always Executing or Intermittently Executing

Environment

All Identity Manager

Cause

One possible cause is that the PX Policy was configured with the Run Once checkbox enabled on the Profile tab of the PX Policy.

Resolution

The IM user has a well-known attribute called %IDENTITY_POLICY% (i.e. imIdentityPolicies), which stores a record of each Identity and PX policy applied to the user object. For a PX Policy, the value is in the format PX.RULE.identityEnv;XX;YY, where XX is the UNIQUE_NAME value from the PX_POLICY table of the IM objectstore database that corresponds to the PX Policy name, and YY is the UNIQUE_NAME value from the PX_RULE table of the IM objectstore database that corresponds to the Action Rule name within that PX Policy.

When a given PX Policy is executed and an Action Rule within that PX Policy is executed, the IM user's %IDENTITY_POLICY% value is updated with a reference to that PX Policy and Action Rule. If the PX Policy was configured with the Run Once checkbox enabled, a subsequent attempt to execute the same PX Policy and Action Rule will not execute.

However, if a different Action Rule within that PX Policy were to be executed, it would run, and the IM user's %IDENTITY_POLICY% would be updated where PX.RULE.identityEnv;XX;YY would instead be PX.RULE.identityEnv;XX;ZZ, where ZZ is the UNIQUE_NAME value from the PX_RULE table of the IM objectstore database that corresponds to the other Action Rule name within that PX Policy.

To force the execution of the same PX Policy and Action Rule again, either do not configure the PX Policy as Run Once, or edit the IM user's %IDENTITY_POLICY% value so that it no longer contains that specific PX.RULE.identityEnv;XX;YY reference.
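The check described above can be scripted before anyone edits the attribute by hand. The following is an added example, not Broadcom code: it parses exported %IDENTITY_POLICY% values, reports whether a given PX Policy and Action Rule pair is already recorded, and returns the list with only that reference removed. It assumes the attribute is multi-valued with one reference per value and treats the text between "PX.RULE." and the first ";" as an opaque label; the function names and sample ids are hypothetical.

```python
"""Audit helper for Run Once bookkeeping in %IDENTITY_POLICY% (added example)."""
from typing import NamedTuple, Optional

PX_PREFIX = "PX.RULE."


class PxRef(NamedTuple):
    label: str      # text between "PX.RULE." and the first ';' (opaque here)
    policy_id: str  # XX: UNIQUE_NAME from the PX_POLICY table
    rule_id: str    # YY: UNIQUE_NAME from the PX_RULE table


def parse_px_ref(value: str) -> Optional[PxRef]:
    """Return a PxRef for a PX.RULE.<label>;XX;YY value, else None."""
    value = value.strip()
    if not value.startswith(PX_PREFIX):
        return None  # Identity policy record or other entry: not a PX reference
    parts = value[len(PX_PREFIX):].split(";")
    if len(parts) != 3 or not all(parts):
        return None  # malformed: report nothing rather than guess
    return PxRef(*parts)


def already_ran(values, policy_id, rule_id):
    """True if this pair is recorded, i.e. a Run Once policy would skip it."""
    return any(
        ref is not None and (ref.policy_id, ref.rule_id) == (policy_id, rule_id)
        for ref in map(parse_px_ref, values)
    )


def without_ref(values, policy_id, rule_id):
    """Values to keep when that one reference is removed; the rest is untouched."""
    kept = []
    for v in values:
        ref = parse_px_ref(v)
        if ref is not None and (ref.policy_id, ref.rule_id) == (policy_id, rule_id):
            continue
        kept.append(v)
    return kept


# Constructed sample values (ids 101/7/9 and the non-PX entry are made up).
SAMPLE = [
    "PX.RULE.identityEnv;101;7",
    "PX.RULE.identityEnv;101;9",
    "some-identity-policy-record",
]
```

Comparing the output of `without_ref` with the original list before writing it back confirms that only the intended reference is dropped and that Identity policy records are preserved.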

The following documentation link and text describe the Run Once configuration option:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-3/administrating/policy-xpress/create-a-policy/profile.html

Run Once

Specifies if the policy runs only once. Some policies may need to run every time they meet criteria, and others may need to run only once. This value determines if action rules that have already executed in the past should execute again.
For example, adding an SAP role to a user based on department is an action that should only occur the first time the user matches that department. Alternately, a policy that sets the user's salary level based on title would not be set to run once, to make sure that no unauthorized changes take place.

 

Additional Information

In general, you should try to use a PX Policy of type=UI or of type=Submitted Task when possible, and only use a PX Policy of type=Event if the use case cannot be achieved with either type=UI or type=Submitted Task.