For Access Policy Harvesting for Reconciled Users to Work, the Steps Below Should Be Followed Systematically

(Doc ID 2003107.1)

Last updated on FEBRUARY 01, 2018

Applies to:

Identity Manager - Version and later
Information in this document applies to any platform.


I have noticed that when an entitlement is added to a user record via reconciliation, it can only be removed via a direct revocation of the entitlement. The entitlement cannot be removed via a role revocation.

For example:
Role 1 - AD group X
Role 2 - AD group Y
User is already a member of AD group Y in AD

1. Assigned role 1 (AD group X was NOT already assigned via reconciliation) – AD group X was added to the user in AD and added to the entitlement list.
2. Removed role 1 – AD group X was removed from the user in AD and from the entitlement list.
3. Assigned role 2 (AD group Y was already assigned via reconciliation) – No change to AD group or entitlement list.
4. Removed role 2 – Failed. AD user is still a member of AD group Y.

It appears that directly provisioned groups are not removed when you remove the role.

This appears to be default behavior.

Is there any way this default behavior can be changed?
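The behaviour in the four steps above follows from how an identity governance system tracks the provenance of each entitlement: a role revocation removes only the grants that the role's access policy created, so a group that arrived through reconciliation carries no policy owner and survives the revocation. The model below is an added illustration, not Oracle Identity Manager code; the class names, the `"direct"` / `"policy:<role>"` provenance tags and the simplified `harvest()` step are assumptions that stand in for OIM's real access policy harvesting feature. It replays the four steps once without harvesting (reproducing the observed failure at step 4) and once with harvesting applied after the role assignment.

```python
"""Conceptual model of entitlement provenance and access policy harvesting.

Added example, not Oracle Identity Manager code.  Names and semantics are
simplified assumptions chosen to illustrate the behaviour described above.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Grant:
    entitlement: str  # e.g. an AD group name
    source: str       # "direct" (reconciled or manually provisioned) or "policy:<role>"


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    grants: set = field(default_factory=set)

    def entitlements(self):
        return {g.entitlement for g in self.grants}


class Governance:
    def __init__(self, policies):
        # role name -> set of entitlements its access policy provisions
        self.policies = policies

    def reconcile(self, user, observed_groups):
        # Reconciliation imports target-system state; anything not already
        # known is recorded as a direct grant with no policy owner.
        for group in observed_groups:
            if group not in user.entitlements():
                user.grants.add(Grant(group, "direct"))

    def assign_role(self, user, role):
        user.roles.add(role)
        for ent in self.policies[role]:
            # An entitlement the user already holds (e.g. via reconciliation)
            # is left untouched, so nothing changes on the target system.
            if ent not in user.entitlements():
                user.grants.add(Grant(ent, f"policy:{role}"))

    def revoke_role(self, user, role):
        user.roles.discard(role)
        # Only grants owned by this role's policy are removed; direct grants
        # for the same entitlement are deliberately kept.
        user.grants = {g for g in user.grants if g.source != f"policy:{role}"}

    def revoke_direct(self, user, entitlement):
        # The only path that removes a reconciled (direct) grant in this model.
        user.grants.discard(Grant(entitlement, "direct"))

    def harvest(self, user):
        # Simplified access policy harvesting (assumption): a direct grant that
        # an active policy would have provisioned is re-attributed to that
        # policy, so it follows the role's lifecycle from now on.
        for role in user.roles:
            for ent in self.policies[role]:
                direct = Grant(ent, "direct")
                if direct in user.grants:
                    user.grants.remove(direct)
                    user.grants.add(Grant(ent, f"policy:{role}"))


def scenario(harvesting):
    """Replay the four steps from the question; return the entitlement list after each."""
    gov = Governance({"Role 1": {"AD group X"}, "Role 2": {"AD group Y"}})
    user = User("jdoe")                       # constructed sample user
    gov.reconcile(user, {"AD group Y"})       # already a member of Y in AD
    trace = []
    gov.assign_role(user, "Role 1")
    trace.append(sorted(user.entitlements()))  # step 1: X added
    gov.revoke_role(user, "Role 1")
    trace.append(sorted(user.entitlements()))  # step 2: X removed
    gov.assign_role(user, "Role 2")
    if harvesting:
        gov.harvest(user)                      # link the reconciled Y to Role 2
    trace.append(sorted(user.entitlements()))  # step 3: no change
    gov.revoke_role(user, "Role 2")
    trace.append(sorted(user.entitlements()))  # step 4: Y stays unless harvested
    return trace


if __name__ == "__main__":
    print("without harvesting:", scenario(harvesting=False))
    print("with harvesting:   ", scenario(harvesting=True))
```

Without harvesting the final list still contains `AD group Y`, matching step 4 in the question; with the harvesting step the grant is re-owned by Role 2's policy and the same revocation removes it. For a defender the useful check is the provenance field itself: an audit of grants tagged `direct` shows exactly which access will not be cleaned up by role lifecycle events.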

