SoD Check When Separate Request Created for Each Role (Doc ID 2110467.1)

Last updated on FEBRUARY 28, 2016

Applies to:

Identity Manager - Version 11.1.2.3.4 and later
Information in this document applies to any platform.

Goal

Let's consider an SoD rule that prevents a user from having roles A and B at the same time. When trying to give the two roles to a user at the same time, the SoD check is properly triggered. However, we have found the following scenarios where the SoD check should take place but does not.

First scenario:

1. Go to the user's roles screen
2. Create a request to give role A
3. Create a request to give role B
4. As an admin (or approver) approve the request to grant role A
5. As an admin (or approver) approve the request to grant role B

This scenario never triggers the SoD check. One assumes that there should be an SoD warning in step 5 before the admin grants role B.

Here is another scenario:

1. Go to role A's members page
2. Create a request to add user 1 to role A
3. As an admin (or approver) approve the request to grant role A
4. Go to role B's member page
5. Create a request to add user 1 to role B
6. As an admin (or approver) approve the request to grant role A

Again, no SoD check is performed. One assumes that there should be an SoD warning in step 5 when creating the request to grant role B to the user.

Is this behavior normal? Is there a way to configure the SoD so it checks role memberships, no matter how the roles are assigned?
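
The gap in both scenarios, modeled as an added illustration (this is not Oracle Identity Manager code or its API): a check that looks only at the roles inside one request passes each single-role request, while a check that evaluates the user's current memberships plus the requested role at approval time blocks the second one. The rule, role names, user and function names are constructed for the example.

```python
# Illustrative model only: not Oracle Identity Manager code or its API.
# The rule, role names and user below are constructed for the example.
from dataclasses import dataclass, field

SOD_RULES = [frozenset({"A", "B"})]  # roles that must never be held together


def conflicts(roles):
    """Return the SoD rules fully contained in the given set of roles."""
    return [rule for rule in SOD_RULES if rule <= set(roles)]


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def approve_request_scoped(user, requested):
    """Checks only the roles inside this one request (the behavior reported above)."""
    if conflicts(requested):
        return False
    user.roles |= set(requested)
    return True


def approve_membership_scoped(user, requested):
    """Checks current memberships plus the requested roles at approval time."""
    if conflicts(user.roles | set(requested)):
        return False
    user.roles |= set(requested)
    return True


def run_scenario(approve):
    """One request per role, approved one after the other (first scenario)."""
    user = User("user1")
    decisions = [approve(user, {"A"}), approve(user, {"B"})]
    return decisions, sorted(user.roles), conflicts(user.roles)


if __name__ == "__main__":
    for approve in (approve_request_scoped, approve_membership_scoped):
        decisions, roles, violated = run_scenario(approve)
        print(approve.__name__, decisions, roles, "violation" if violated else "clean")
```

Running `conflicts()` over each user's effective role set also works as a periodic detective audit, since it does not depend on how the roles were assigned.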
 

Solution
