The [#x] and [*] Discriminator(s) In Identity Audit Rule Expressions Do Not Work As Expected (Doc ID 2248411.1)

Last updated on APRIL 03, 2017

Applies to:

Identity Manager - Version 11.1.2.3.0 and later
Information in this document applies to any platform.

Symptoms

Consider the case where you have (for example) multiple instances of the EBS User Management 11g connector, such that the same Entitlements (EBS roles) exist in multiple Application Instances (i.e. EBS Site1, EBS Site2, EBS Site3).

You are attempting to develop an SoD policy that detects conflicting sets of Entitlements (EBS roles) within a single Application Instance. For example, a user who has an EBS Entitlement with a display name ending in "PAYABLES" should not also have an Entitlement containing "AR" within the same Application Instance. If the two Entitlements come from two different Application Instances, no policy violation should be raised. A user can therefore hold the role "AR~AR Site1 Role" on EBS Site1 and the role "SQLAP~ Site2 Payables" on EBS Site2 without this being a policy violation, but holding both "AR~AR Site3 Role" and "SQLAP~ Site3 Payables" on EBS Site3 should raise a violation.

You have found that the * discriminator denotes any instance, while the #x discriminator denotes one specific instance (which you expect to be the same instance across every clause that uses it), so you have created a Rule Expression such as appType[Oracle EBS User Management].appInstance[#x].account[*].UD_UM_ROLE[*].Role Name and specified the Role Name condition so that it matches roles containing, or ending with, a given string.

Your Rule looks like this:

appType[Oracle EBS User Management].appInstance[#x].account[*].UD_UM_ROLE[*].Role Name CONTAINS "AR"

AND
appType[Oracle EBS User Management].appInstance[#x].account[*].UD_UM_ROLE[*].Role Name ENDS WITH "PAYABLES"

When testing, this Rule does not raise a Policy Violation for users who hold the conflicting roles.


In fact, the only expression that produces any violation at all is the following Audit Rule Expression, which also raises violations when the specified roles are found in different Application Instances, which is not the condition you wish to enforce.

appType[Oracle EBS User Management].appInstance[*].account[*].UD_UM_ROLE[*].Role Name CONTAINS "AR"

AND
appType[Oracle EBS User Management].appInstance[*].account[*].UD_UM_ROLE[*].Role Name ENDS WITH "PAYABLES"
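To make the difference between the two rule shapes concrete, the following Python is an added example, not code from this article or from Oracle Identity Manager itself. It models a user's entitlements as (appType, appInstance, roleName) tuples and evaluates the two clauses under both readings: [*] (each clause may be met by a role in any Application Instance) and [#1] (every clause must be met within one and the same Application Instance, the behaviour the policy intends). The function names, the sample users and the case-insensitive comparison of Role Name values are assumptions for illustration; the article does not state how OIM compares strings. Run against an export of a user's entitlements, it gives an out-of-band list of which users a correctly behaving rule should flag, which can then be compared with the Policy Violations OIM actually raises.

```python
"""Reference evaluator for the two rule shapes above (added example).

This is not Oracle Identity Manager's rule engine; it is an assumed model
used to make the intended semantics concrete:

  appInstance[*]  : each clause may be satisfied by a role in ANY
                    application instance of the app type.
  appInstance[#1] : every clause must be satisfied by roles in the SAME
                    application instance (the discriminator binds once).

Entitlements are modelled as (appType, appInstance, roleName) tuples.
Matching is done case-insensitively here; the article does not say how
OIM compares Role Name values, so treat that as an assumption.
"""
from collections import defaultdict

APP_TYPE = "Oracle EBS User Management"


def contains(fragment):
    """Clause: Role Name CONTAINS <fragment> (case-insensitive here)."""
    return lambda role: fragment.lower() in role.lower()


def ends_with(suffix):
    """Clause: Role Name ENDS WITH <suffix> (case-insensitive here)."""
    return lambda role: role.lower().endswith(suffix.lower())


# The two clauses from the article, joined by AND.
CLAUSES = (contains("AR"), ends_with("PAYABLES"))


def roles_by_instance(entitlements, app_type=APP_TYPE):
    """Group role names by application instance, for one app type only."""
    grouped = defaultdict(set)
    for app, instance, role in entitlements:
        if app == app_type:
            grouped[instance].add(role)
    return grouped


def _all_clauses_hit(roles, clauses):
    """True when every clause matches at least one role in `roles`."""
    return all(any(clause(r) for r in roles) for clause in clauses)


def violates_any_instance(entitlements, clauses=CLAUSES):
    """appInstance[*] semantics: clauses may be met across instances.

    This is what the second rule in the article does: a user with "AR"
    on Site1 and "PAYABLES" on Site2 is reported as a violation."""
    pooled = {r for roles in roles_by_instance(entitlements).values() for r in roles}
    return _all_clauses_hit(pooled, clauses)


def violating_instances(entitlements, clauses=CLAUSES):
    """appInstance[#1] semantics as the article intends them: return the
    instances in which ALL clauses are met by that instance's own roles."""
    grouped = roles_by_instance(entitlements)
    return sorted(inst for inst, roles in grouped.items()
                  if _all_clauses_hit(roles, clauses))


def violates_same_instance(entitlements, clauses=CLAUSES):
    """True when at least one single instance carries the conflict."""
    return bool(violating_instances(entitlements, clauses))


# Constructed sample users, reusing the role names quoted in the article.
USER_SPLIT = [  # AR on Site1, Payables on Site2: must NOT violate
    (APP_TYPE, "EBS Site1", "AR~AR Site1 Role"),
    (APP_TYPE, "EBS Site2", "SQLAP~ Site2 Payables"),
]
USER_SAME = [   # both roles on Site3: must violate
    (APP_TYPE, "EBS Site3", "AR~AR Site3 Role"),
    (APP_TYPE, "EBS Site3", "SQLAP~ Site3 Payables"),
]
USER_OTHER_APP = [  # same names under a different app type: out of scope
    ("Some Other App", "EBS Site3", "AR~AR Site3 Role"),
    ("Some Other App", "EBS Site3", "SQLAP~ Site3 Payables"),
]

if __name__ == "__main__":
    for label, user in (("split", USER_SPLIT), ("same", USER_SAME)):
        print(label, "any-instance:", violates_any_instance(user),
              "same-instance:", violating_instances(user))
```

The two evaluators differ only in where the roles are pooled: violates_any_instance merges every instance's roles before testing the clauses, while violating_instances tests each instance's roles on their own. The second is the check the policy in this article is trying to express, and it also reports which instance carries the conflict, which is what a reviewer needs when remediating.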

Cause
