Parent Role Policies Are Not Triggered During User Policies Evaluation (Doc ID 2003137.1)

Last updated on AUGUST 08, 2017

Applies to:

Identity Manager - Version 11.1.2.1.8 and later
Information in this document applies to any platform.

Goal

Scenario: Two roles were created in OIM, a hierarchy was defined between them and an access policy was attached to each one. During the user policies evaluation, however, the parent role's access policy is not triggered (not applied).

Steps to reproduce the issue:

1- Create the child role TEST_CHILD_ROLE

2- Create the parent role TEST_PARENT_ROLE

3- Set the role hierarchy: set TEST_PARENT_ROLE as the parent of TEST_CHILD_ROLE. This means that TEST_CHILD_ROLE inherits permissions from the parent role TEST_PARENT_ROLE.

4- Create an access policy for the child role TEST_CHILD_ROLE that grants access to a target, e.g. Enterprise LDAP Directory

5- Create an access policy for the parent role TEST_PARENT_ROLE that grants access to another target, e.g. Active Directory

6- Create a new user and assign the child role; the parent role is assigned automatically through the hierarchy

7- Run the scheduled job "Evaluate user policies"

8- Only the access granted by the child role policy is provisioned (Enterprise LDAP Directory); the parent role access policy is not applied
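As an added illustration (not part of this note and not OIM code), the following Python model shows what a correct evaluation of the scenario above should produce: the user's effective roles are the closure of the role hierarchy, and the provisioned targets should be the union of the targets granted by every access policy attached to any effective role. The role and target names are the ones used in the steps; the data structures and function names are assumptions made for the example. The last function compares the expected targets with what was actually provisioned, which is the check to run after the "Evaluate user policies" job to confirm whether inherited policies were applied.

```python
"""Model of how role-hierarchy inheritance should feed access-policy
evaluation. Added illustration for the scenario in the note; it does not
call the OIM API and is not OIM's implementation."""

from collections import deque

# Constructed data mirroring the note's scenario. Role and target names
# come from the note; the shape of these structures is an assumption.
ROLE_PARENTS = {
    "TEST_CHILD_ROLE": {"TEST_PARENT_ROLE"},
    "TEST_PARENT_ROLE": set(),
}

# Access policy name -> (roles it is attached to, targets it grants).
ACCESS_POLICIES = {
    "CHILD_POLICY": ({"TEST_CHILD_ROLE"}, {"Enterprise LDAP Directory"}),
    "PARENT_POLICY": ({"TEST_PARENT_ROLE"}, {"Active Directory"}),
}


def effective_roles(direct_roles, parents=ROLE_PARENTS):
    """Direct roles plus every ancestor reachable through the hierarchy.

    Breadth-first walk with a visited set, so a cycle in the hierarchy
    cannot loop forever and each role is reported once."""
    seen = set(direct_roles)
    queue = deque(direct_roles)
    while queue:
        role = queue.popleft()
        for parent in parents.get(role, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def expected_targets(direct_roles, policies=ACCESS_POLICIES, parents=ROLE_PARENTS):
    """Union of targets from every policy attached to any effective role.

    This is the outcome the note expects: the child role's own policy
    plus the policy of the inherited parent role."""
    roles = effective_roles(direct_roles, parents)
    targets = set()
    for policy_roles, policy_targets in policies.values():
        if policy_roles & roles:
            targets |= policy_targets
    return targets


def missing_provisioning(direct_roles, provisioned_targets,
                         policies=ACCESS_POLICIES, parents=ROLE_PARENTS):
    """Targets the user should hold through direct or inherited roles
    but that were not provisioned. An empty set means the evaluation
    honoured the hierarchy."""
    return expected_targets(direct_roles, policies, parents) - set(provisioned_targets)


if __name__ == "__main__":
    # Observed outcome from the note: only the child-role target was provisioned.
    observed = {"Enterprise LDAP Directory"}
    print("effective roles:", sorted(effective_roles({"TEST_CHILD_ROLE"})))
    print("expected targets:", sorted(expected_targets({"TEST_CHILD_ROLE"})))
    print("missing:", sorted(missing_provisioning({"TEST_CHILD_ROLE"}, observed)))
```

Run against the observed result from step 8, the model reports Active Directory as missing, which is exactly the gap the note describes: the parent role is present on the user, but its policy did not contribute to provisioning.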
 

Solution
