Parent Role Access Policy Not Triggered During User Policies Evaluation
(Doc ID 2003137.1)
Last updated on MARCH 13, 2019
Applies to:Identity Manager - Version 220.127.116.11.8 to 18.104.22.168.161018 [Release 11g]
Information in this document applies to any platform.
Scenario: Created two roles with parent-child relationship in OIM with each role having separate access policy to provision different applications. When the child role is given to the user, the user gets parent role membership automatically but parent role access policy is not triggered (or applied) to the user during the user policies evaluation.
Steps to reproduce the issue :
1- Create the child role TEST_CHILD_ROLE
2- Create the parent role TEST_PARENT_ROLE
3- Set the role hierarchy : Make TEST_PARENT_ROLE as parent for TEST_CHILD_ROLE, it means that TEST_CHILD_ROLE inherits permissions from the parent role: TEST_PARENT_ROLE.
4- Create an access policy for the child role TEST_CHILD_ROLE, which gives access to target eg: Enterprise LDAP Directory
5- Create an access policy for the parent role TEST_PARENT_ROLE, which gives access to another target eg: Active directory
6- Create a new user and give it the child role. The parent role is automatically given to the user.
7- Run the scheduled job "Evaluate user policies"
8- Only access related to the child role policy are provisioned (Enterprise LDAP Directory) to the user. Parent role access policy is not applied.
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!