Authorization Policy Merge Issue

Oracle Identity Manager 11.1.2.3.0 has two Oracle Platform Security Services (OPSS) application policy stripes namely oim and OracleIdentityManager, whereas Oracle Identity Governance 12.2.1.3 has only one OPSS application policy stripe named oim. The 12c upgrade process handles the merging of application stripes into one along with all the customization, at various phases.

If you encounter any error or issue related to OPSS application policies after the upgrade, or if you find the policies in an inconsistent state, complete the following steps to restore the OPSS application policies:

  1. The 12c pre-upgrade utility takes a backup of the OIM authorization policies stored in the OPSS schema. This backup folder is located at oim.outputreportfolder/Auth-Policy-Backup.
    oim.outputreportfolder is the name of the pre-upgrade report output folder that you specified in the preupgrade_report_input.properties file when you ran the pre-upgrade utility.
    The backup folder contains the following files:
    • oim.outputreportfolder/Auth-Policy-Backup/oim.xml — This is for oim application policy stripe of 11.1.2.3.0.

    • oim.outputreportfolder/Auth-Policy-Backup/OracleIdentityManager.xml — This is for OracleIdentityManager application policy stripe of 11.1.2.3.0.

    Restore the data of these stripes into the OIM database using the following WLST offline commands:

    • migrateSecurityStore(type="appPolicies", srcApp="OracleIdentityManager", configFile="DOMAIN_HOME/config/fmwconfig/jps-config_temp.xml", src="desContextOracle", dst="migrateStripe", overWrite="true")

    • migrateSecurityStore(type="appPolicies", srcApp="oim", configFile="DOMAIN_HOME/config/fmwconfig/jps-config_temp.xml", src="desContextOIM", dst="migrateStripe", overWrite="true")

    In the above commands, DOMAIN_HOME/config/fmwconfig/jps-config_temp.xml file is a copy of the DOMAIN_HOME/config/fmwconfig/jps-config.xml file. The following service instances and JPS contexts are added in this file:

    <serviceInstance name="serviceInsOracle" provider="policystore.xml.provider" location="<oim.outputreportfolder>/Auth-Policy-Backup/OracleIdentityManager.xml"/>
    <serviceInstance name="serviceInsOIM" provider="policystore.xml.provider" location="<oim.outputreportfolder>/Auth-Policy-Backup/oim.xml"/>

    <jpsContext name="desContextOracle">
      <serviceInstanceRef ref="serviceInsOracle"/>
    </jpsContext>
    <jpsContext name="desContextOIM">
      <serviceInstanceRef ref="serviceInsOIM"/>
    </jpsContext>
    <jpsContext name="migrateStripe">
      <serviceInstanceRef ref="policystore.db"/>
    </jpsContext>
  2. Migrate the OracleIdentityManager stripe to oim stripe using the following WLST offline command:

    migrateSecurityStore(type="appPolicies", srcApp="OracleIdentityManager", dstApp="oim", configFile="DOMAIN_HOME/config/fmwconfig/jps-config_temp.xml", src="migrateStripe", dst="migrateStripe", overWrite="false")

  3. Merge the 12c out-of-the-box application policies into the OIM 11.1.2.3.0 application policy stripe named oim by doing the following:
    1. Unzip the ORACLE_HOME/idm/common/templates/wls/oracle.OIM.reconfig.template_12.2.1.2.0.jar file to any temporary location. This temporary location is referred to as unzip_location.
    2. Verify that the file unzip_location/security/authorization/jazn-data.xml exists.
    3. Run the following WLST offline command:
      migrateSecurityStore(type="appPolicies", srcApp="oim", configFile="DOMAIN_HOME/config/fmwconfig/jps-config_temp.xml", src="12c_context", dst="migrateStripe", overWrite="false")
      The following service instance and JPS context are added in the DOMAIN_HOME/config/fmwconfig/jps-config_temp.xml file:
      <serviceInstance name="serviceIns12c_context"
                       provider="policystore.xml.provider"
                       location="unzip_location/security/authorization/jazn-data.xml"/>
      <jpsContext name="12c_context">
        <serviceInstanceRef ref="serviceIns12c_context"/>
      </jpsContext>
    4. Delete the OracleIdentityManager stripe using the following WLST command:
      deleteAppPolicies(appStripe="OracleIdentityManager")
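As an added example (not from Oracle's documentation or the OIM product), the script below builds jps-config_temp.xml from a copy of jps-config.xml by adding the service instances and JPS contexts listed in step 1 (the two backup stripes and migrateStripe) and step 3 (the 12c_context template source), and then checks two things a restore commonly trips over: every serviceInstanceRef must name a serviceInstance that is actually defined, and every file-backed policy store must point at a file that exists. It assumes the jps-config.xml layout with <serviceInstances> and <jpsContexts> containers under the <jpsConfig> root; the sample skeleton, the report and unzip folder paths, and the provider attribute on policystore.db are constructed placeholders.

```python
"""Build and sanity-check the jps-config_temp.xml used for the OPSS stripe restore.

Added example, not Oracle code. Assumes the <serviceInstances> / <jpsContexts>
containers of jps-config.xml; everything else here is a constructed placeholder.
"""
import os
import xml.etree.ElementTree as ET

# Constructed skeleton standing in for DOMAIN_HOME/config/fmwconfig/jps-config.xml.
# A real file carries many more providers and instances; only the two containers
# this procedure touches are modelled, and the provider on policystore.db is illustrative.
SAMPLE_JPS_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceInstances>
    <serviceInstance name="policystore.db" provider="policystore.provider"/>
  </serviceInstances>
  <jpsContexts default="default">
    <jpsContext name="default">
      <serviceInstanceRef ref="policystore.db"/>
    </jpsContext>
  </jpsContexts>
</jpsConfig>
"""


def _ns(root):
    """Namespace prefix in ElementTree's '{uri}' form, or '' for an unqualified document."""
    return root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""


def add_context(root, context_name, instance_ref):
    """Add a jpsContext whose single serviceInstanceRef points at instance_ref."""
    ns = _ns(root)
    ctx = ET.SubElement(root.find(f"{ns}jpsContexts"), f"{ns}jpsContext", name=context_name)
    ET.SubElement(ctx, f"{ns}serviceInstanceRef", ref=instance_ref)


def add_file_policy_source(root, instance_name, context_name, xml_location):
    """Register an XML-file policy store instance plus a jpsContext that uses it."""
    ns = _ns(root)
    ET.SubElement(
        root.find(f"{ns}serviceInstances"),
        f"{ns}serviceInstance",
        name=instance_name,
        provider="policystore.xml.provider",
        location=xml_location,
    )
    add_context(root, context_name, instance_name)


def build_temp_config(jps_config_text, report_folder, unzip_location):
    """Return the root element of jps-config_temp.xml with the entries from steps 1 and 3."""
    root = ET.fromstring(jps_config_text)
    add_file_policy_source(root, "serviceInsOracle", "desContextOracle",
                           f"{report_folder}/Auth-Policy-Backup/OracleIdentityManager.xml")
    add_file_policy_source(root, "serviceInsOIM", "desContextOIM",
                           f"{report_folder}/Auth-Policy-Backup/oim.xml")
    add_context(root, "migrateStripe", "policystore.db")          # the DB-backed target store
    add_file_policy_source(root, "serviceIns12c_context", "12c_context",
                           f"{unzip_location}/security/authorization/jazn-data.xml")
    return root


def dangling_refs(root):
    """(context, ref) pairs whose serviceInstanceRef names no serviceInstance in the file."""
    ns = _ns(root)
    defined = {si.get("name") for si in root.iter(f"{ns}serviceInstance")}
    return [
        (ctx.get("name"), ref.get("ref"))
        for ctx in root.iter(f"{ns}jpsContext")
        for ref in ctx.iter(f"{ns}serviceInstanceRef")
        if ref.get("ref") not in defined
    ]


def missing_locations(root, exists=os.path.isfile):
    """Locations of file-backed policy stores that the 'exists' predicate rejects."""
    ns = _ns(root)
    return [
        si.get("location")
        for si in root.iter(f"{ns}serviceInstance")
        if si.get("provider") == "policystore.xml.provider" and not exists(si.get("location"))
    ]


def write_config(root, path):
    """Serialise with the original default namespace so OPSS still parses it."""
    ns = _ns(root)
    if ns:
        ET.register_namespace("", ns[1:-1])
    ET.ElementTree(root).write(path, encoding="UTF-8", xml_declaration=True)


if __name__ == "__main__":
    # Placeholder folders; on a real host pass oim.outputreportfolder and unzip_location.
    cfg = build_temp_config(SAMPLE_JPS_CONFIG, "/tmp/oim_preupgrade_report", "/tmp/oim_template")
    print("dangling refs:", dangling_refs(cfg))
    print("missing policy files:", missing_locations(cfg))
```

Run the two checks before every migrateSecurityStore call: a dangling ref makes WLST fail with an unhelpful context lookup error, and a missing backup file means the restore would silently import nothing into the oim stripe.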