Access Policy Harvesting - Unable To Revoke Entitlements (Doc ID 2015683.1)

Last updated on DECEMBER 27, 2023

Applies to:

Identity Manager - Version 11.1.2.2.0 and later
Information in this document applies to any platform.

Goal

Scenario: Accounts and entitlements have been reconciled into OIM from target systems, and Roles and Access Policies are now being implemented to provision access to these target systems. The new roles will include access that has already been provisioned to the accounts and is maintained in OIM as reconciled entitlements. Access Policy harvesting has been enabled, but revoking a Role does not revoke the underlying entitlements.

Note: Roles and Access Policies are being used to provision entitlement-level access to targets, not accounts.

Example:
User 1 -> Account 1 -> Entitlement 1 and Entitlement 2 (both entitlements reconciled into OIM from the target)

Role 1 -> Access Policy 1 -> Entitlement 1 and Entitlement 2

Role 1 is provisioned to User 1, and there is no net change in entitlements, which is as expected.
Role 1 is then removed from User 1, and Entitlements 1 and 2 are not revoked, which is the issue.

Solution
