
No SoD Check When Separate Request Created for Each Role (Doc ID 2110467.1)

Last updated on MAY 06, 2019

Applies to:

Identity Manager - Version 11.1.2.3.0 to 12.2.1.3.0 [Release 11g to 12c]
Information in this document applies to any platform.

Goal

Let's consider a SoD rule that prevents a user from having roles A and B at the same time. When trying to give the 2 roles to a user at the same time, the SoD check is properly triggered. However, we have found the following scenarios where the SoD check should take place but does not.

Scenario 1:

1. Go to the user's roles screen
2. Create a request to give role A
3. Create a request to give role B
4. As an admin (or approver) approve the request to grant role A
5. As an admin (or approver) approve the request to grant role B

This scenario never triggers the SoD check. One assumes that there should be an SoD warning in step 5 before the admin grants role B.

Scenario 2:

1. Go to role A's members page
2. Create a request to add user 1 to role A
3. As an admin (or approver) approve the request to grant role A
4. Go to role B's member page
5. Create a request to add user 1 to role B
6. As an admin (or approver) approve the request to grant role A

Again, no SoD check is performed. One assumes that there should be an SoD warning in step 5 when creating the request to grant role B to the user.

Is there a way to configure the SoD so it checks role memberships, no matter how the roles are assigned?
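
The gap in both scenarios can be modelled as follows. This is an added example, not Oracle's code and not part of this note: it replays the request and approval sequences against a check that looks only at the roles in the request being processed, and against one that also considers granted and pending roles, with a membership audit as a detective control. The rule, event format and all function names are constructed, and that Identity Manager's check behaves like the request-only variant is an assumption.

```python
# Constructed SoD rule: roles A and B must not be held by the same user.
SOD_RULES = [frozenset({"A", "B"})]

def violated(roles):
    """SoD rules whose roles are all present in the given set."""
    return [rule for rule in SOD_RULES if rule <= frozenset(roles)]

def check_request_only(req, granted, pending):
    """Assumed weak behaviour: evaluates only the roles in this request."""
    return violated(req["roles"])

def check_effective(req, granted, pending):
    """Evaluates requested roles together with granted and pending ones."""
    return violated(set(req["roles"]) | granted | pending)

def replay(events, check):
    """Replay create/approve events; return events where the check fired."""
    requests, granted, fired = {}, {}, []
    for step, (action, rid, *rest) in enumerate(events, start=1):
        if action == "create":
            user, roles = rest
            requests[rid] = {"user": user, "roles": set(roles), "open": True}
        req = requests[rid]
        have = granted.setdefault(req["user"], set())
        # Roles in the same user's other requests that are not yet approved.
        pending = set().union(*(r["roles"] for i, r in requests.items()
                                if i != rid and r["open"] and r["user"] == req["user"]))
        if check(req, have, pending):
            fired.append((step, action))
        if action == "approve":  # a warning does not block the grant in this model
            have |= req["roles"]
            req["open"] = False
    return fired, granted

def audit(granted):
    """Detective control: users whose current membership breaks a rule."""
    return sorted(u for u, roles in granted.items() if violated(roles))

# Constructed event sequences; step numbers are event indices, not page steps.
SCENARIO_1 = [("create", 1, "user1", ["A"]), ("create", 2, "user1", ["B"]),
              ("approve", 1), ("approve", 2)]
SCENARIO_2 = [("create", 1, "user1", ["A"]), ("approve", 1),
              ("create", 2, "user1", ["B"]), ("approve", 2)]
SINGLE_REQUEST = [("create", 1, "user1", ["A", "B"])]
```

Running `audit` on the memberships left by either scenario reports the user even when no preventive check fired, which is the "no matter how the roles are assigned" property asked about below.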
 

Solution
