OIM11g: Role Membership Rule Evaluation Not Working On Disabled Identities.

(Doc ID 1452472.1)

Last updated on OCTOBER 10, 2016

Applies to:

Identity Manager - Version and later
Information in this document applies to any platform.
**Checked for Relevance on 25-Oct-2013**


In OIM 11g, a role membership rule does not remove a user from the role when the rule no longer matches, if the user is disabled.

This behavior is best described with the following test case.

1- Create a simple rule from the Design Console
2- Create a new role from the admin console
3- Assign the membership rule to the new role from the admin console
4- Create a new user
5- Change the user's attributes so that their values match the rule defined in point 1
6- The role created in point 3 should then be automatically assigned to the user
7- Disable the user from the User profile (using the xelsysadm account or any user with the right privileges). The user should still have the role assigned
8- Update the user's attributes so that the rule is no longer matched. The user is not removed from the role.

