Access Policy Harvesting - Unable To Revoke Entitlements (Doc ID 2015683.1)

Last updated on NOVEMBER 01, 2016

Applies to:

Identity Manager - Version 11.1.2.2.1 and later
Information in this document applies to any platform.

Goal

Scenario: Accounts and entitlements have been reconciled into OIM from target systems, and Roles and Access Policies are being implemented to provision access to these target systems. The new roles will include access that has already been provisioned to the accounts and is maintained in OIM as reconciled entitlements. Access policy harvesting has been enabled, but revoking a Role does not revoke the underlying entitlements.

Note: Roles and access policies are being used to provision entitlement-level access, not accounts, to targets.

Example:
User 1 -> Account 1 -> Entitlement 1 and Entitlement 2 (both entitlements reconciled into OIM from the target)

Role 1 -> Access Policy 1 -> Entitlement 1 and Entitlement 2

Role 1 is provisioned to User 1, and there is no net change in entitlements, which is as expected.
Role 1 is then removed from User 1, and Entitlements 1 and 2 are not revoked, which is the issue.

Solution
