Admin User Unable to Delete Users from Role
Last updated on NOVEMBER 02, 2016
Applies to: Identity Manager - Version 22.214.171.124.0 and later
Information in this document applies to any platform.
Admin user manager001 belonging to admin role AdminRole001 with capabilities:
. Grant Role Memberships
. Revoke Role Memberships
. Role Modify
. Role View/Search
is unable to revoke user user001 from role Role001 when he/she also belongs to that role.
If he/she does not belong to role Role001, the revoke executes properly.
The following exception is thrown when the issue reproduces:
[oracle.iam.identity.rolemgmt.utils] [tid: [ACTIVE].ExecuteThread: '9' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: manager001] [ecid: 1de68f20db7a8430:-7895ee13:154e88e204f:-8000-0000000000000c0f,0]
[APP: oim#126.96.36.199.0] [DSID: 0000LJdJhx35Mef_TX0Fyc1NHSOh00000X] The operation on Role entity failed in the post-processing stage.[[ oracle.iam.platform.kernel.ValidationFailedException: IAM-3056217:Role was updated
successfully, but not all memberships were updated: An exception occurred while revoking role AdminRole001 from users [user001]:
oracle.iam.identity.exception.AccessDeniedException: IAM-3054101:The logged-in user 7 does not have deleteRoleMemberships permission on Role AdminRole001 entity.:7:deleteRoleMemberships:Role: AdminRole001
:An exception occurred while revoking role AdminRole001 from users [user001]: oracle.iam.identity.exception.AccessDeniedException:
IAM-3054101:The logged-in user 7 does not have deleteRoleMemberships permission on Role AdminRole001 entity.:7:deleteRoleMemberships:Role:AdminRole001
Note: The capabilities Grant Role Memberships and Revoke Role Memberships are provided by fix 22664253.
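For triage, the IAM-3054101 denials in the exception above can be pulled out of a diagnostic log and tied back to the [userId: ...] header, since the message itself only carries the numeric user key. This is an added example, not Oracle code; the sample log is constructed from the excerpt above, and the function name and regular expressions are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample modelled on the excerpt above (tid shortened, ecid/DSID
# omitted), plus one unrelated record from a hypothetical second admin.
SAMPLE_LOG = """\
[oracle.iam.identity.rolemgmt.utils] [tid: 9] [userId: manager001] The operation on Role entity failed in the post-processing stage.[[ oracle.iam.platform.kernel.ValidationFailedException: IAM-3056217:Role was updated
successfully, but not all memberships were updated: An exception occurred while revoking role AdminRole001 from users [user001]:
oracle.iam.identity.exception.AccessDeniedException: IAM-3054101:The logged-in user 7 does not have deleteRoleMemberships permission on Role AdminRole001 entity.:7:deleteRoleMemberships:Role: AdminRole001
:An exception occurred while revoking role AdminRole001 from users [user001]: oracle.iam.identity.exception.AccessDeniedException:
IAM-3054101:The logged-in user 7 does not have deleteRoleMemberships permission on Role AdminRole001 entity.:7:deleteRoleMemberships:Role:AdminRole001
[oracle.iam.identity.rolemgmt.utils] [tid: 4] [userId: manager002] Role Role002 updated.
"""

# Login name from the record header; "[user001]" in the message body does not
# match because it lacks the "userId:" prefix.
USERID = re.compile(r"\[userId:\s*(?P<login>[^\]]+)\]")

# Whitespace is matched with \s+ so a message wrapped across lines still parses.
DENIAL = re.compile(
    r"IAM-3054101:\s*The\s+logged-in\s+user\s+(?P<user_key>\S+)\s+does\s+not\s+have\s+"
    r"(?P<permission>\w+)\s+permission\s+on\s+(?P<entity_type>\w+)\s+"
    r"(?P<entity>\S+)\s+entity\."
)


def summarize_denials(log_text):
    """Count denials per (login, user_key, permission, entity_type, entity)."""
    headers = [(m.start(), m.group("login").strip())
               for m in USERID.finditer(log_text)]
    counts = Counter()
    for m in DENIAL.finditer(log_text):
        # Attribute the denial to the closest [userId: ...] header before it.
        login = next((name for pos, name in reversed(headers)
                      if pos < m.start()), None)
        counts[(login, m["user_key"], m["permission"],
                m["entity_type"], m["entity"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize_denials(SAMPLE_LOG).items():
        print(n, *key)
```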