Access Policy harvesting for Reconciled Users to work should follow the below steps systematically
Last updated on FEBRUARY 01, 2018
Applies to: Identity Manager - Version 22.214.171.124.0 and later
Information in this document applies to any platform.
I have noticed that when an entitlement is added to a user record via reconciliation then it can only be removed via a direct revocation of the entitlement. The entitlement cannot be removed via a role revocation.
Role 1 - AD group X
Role 2 - AD group Y
User is already a member of AD group Y in AD
1. Assigned role 1 (AD group X was NOT already assigned via reconciliation) – AD group X was added to the user in AD and added to the entitlement list.
2. Removed role 1. – AD group X was removed from the user in AD and from the entitlement list.
3. Assigned role 2 (AD group Y was already assigned via reconciliation) – No change to AD group or entitlement list.
4. Removed role 2 – Failed. AD user is still a member of AD group Y.
It appears that directly provisioned groups are not removed when you remove the role.
This appears to be default behavior.
Is there any way this default behavior can be changed?