Resource Status When Multiple Access Policies Having RNLA and DNLA (Doc ID 2180851.1)

Last updated on SEPTEMBER 15, 2016

Applies to:

Identity Manager - Version 11.1.2.3.0 and later
Information in this document applies to any platform.

Goal

The following sections of the OIM documentation create uncertainty about what the status of a resource should be when multiple access policies with RNLA and DNLA for the same resource are applied.

1) 5.2.2 Revoking or Disabling the Policy http://docs.oracle.com/cd/E52734_01/oim/OMADM/accesspolicies.htm#OMADM2253

If two policies have the same resource in the policy definition with one having the Revoke if no longer applies option selected and the other one with the Disable if no longer applies option, then the Disable if no longer applies option takes precedence over the Revoke if no longer applies option. In other words, resources are disabled (and not revoked) when policy no longer applies.

2) 5.2.6 Access Policy Priority http://docs.oracle.com/cd/E52734_01/oim/OMADM/accesspolicies.htm#OMADM2256

If there is more than one access policy created for the same resource but granting different sets of entitlements and having different behavior when policy no longer applies, then the access policy with Disable if no longer applies (DLNA) option enabled has the highest priority irrespective of the access policy priorities. For example, if there is an access policy with Revoke if no longer applies (RLNA) option enabled and another policy with DLNA option enabled, then the policy with DLNA option enabled has higher precedence. Irrespective of the order in which the policies are applied, as long as a policy with DLNA option enabled is applied to the user, the account is always disabled when the policy no longer applies.


Reading the last line of section 5.2.6 Access Policy Priority quoted above together with section 5.2.2 Revoking or Disabling the Policy, it appears that when only the access policy with DNLA no longer applies, the resource should move to "Disabled" status. That is not what happens: the resource stays in "Provisioned" status.


Solution
