Deleted Entitlements In The Access Policy Are Not Removed In The Target Application (Doc ID 2302485.1)

Last updated on MARCH 14, 2019

Applies to:

Identity Manager - Version 11.1.2.3.161018 and later
Information in this document applies to any platform.

Symptoms

Use-Case details:

1. Created an access policy (AP), attached to an OIM role, that provisions two entitlement roles from EBS.
2. Created a user and assigned that OIM role to trigger the AP, then ran Evaluate user policy.
3. The user's account was provisioned with the two entitlement roles in OIM.
4. The same can be seen in the target EBS.
5. Added one extra entitlement role to the access policy.
6. Ran Evaluate user policy.
7. The user was provisioned with the newly added role in both OIM and the target.

And then

8. Removed one entitlement role from the access policy.
9. Ran Evaluate user policy.
10. The user was de-provisioned from that entitlement role, and the same can be seen in OIM as well as in the target.
11. Removed all remaining entitlement roles, i.e. the remaining two entitlement roles, from the access policy.
12. Ran Evaluate user policy.
13. These roles are not removed from OIM or from the target. This is the issue.

Currently, OIM does not handle the scenario in which the last entitlement of an AP is removed: it does not remove those entitlements in OIM (at the user level) or in the target.
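Until the entitlements are revoked, the user keeps access in EBS that no policy justifies. The following audit check is an added example, not Oracle code: it compares the entitlements each user still holds with what the granting access policy currently defines, and treats a policy with zero entitlements as a valid state. The data shapes, policy names, role names and user logins are constructed for illustration and would come from your own exports of policy definitions and user grants.

```python
"""Audit for entitlements that linger after removal from an access policy.

All names and data shapes are hypothetical (constructed for this example).
"""

# Constructed sample: state after step 11, where EBS_AP has no entitlements left.
POLICIES = {
    "EBS_AP": {"role": "EBS_USERS", "entitlements": set()},
    "HR_AP": {"role": "HR_USERS", "entitlements": {"HR_VIEW"}},
}
ROLE_MEMBERS = {"EBS_USERS": {"jdoe"}, "HR_USERS": {"asmith"}}
# (user, granting policy, entitlement) as currently held in OIM or the target.
GRANTS = [
    ("jdoe", "EBS_AP", "EBS_ROLE_B"),
    ("jdoe", "EBS_AP", "EBS_ROLE_C"),
    ("asmith", "HR_AP", "HR_VIEW"),
]


def find_stale_entitlements(policies, role_members, grants):
    """Return sorted (user, policy, entitlement) tuples no policy justifies."""
    stale = []
    for user, policy_name, entitlement in grants:
        policy = policies.get(policy_name)
        allowed = set()
        # A grant is justified only if the policy still exists, the user is
        # still in the policy's role, and the policy still lists the entitlement.
        if policy and user in role_members.get(policy["role"], set()):
            # An empty set is checked like any other, never skipped, so the
            # "last entitlement removed" case is reported.
            allowed = policy["entitlements"]
        if entitlement not in allowed:
            stale.append((user, policy_name, entitlement))
    return sorted(stale)


if __name__ == "__main__":
    for user, policy_name, entitlement in find_stale_entitlements(
        POLICIES, ROLE_MEMBERS, GRANTS
    ):
        print(f"STALE: {user} holds {entitlement} (source policy {policy_name})")
```

Running the check after each policy change and after each Evaluate user policy run shows whether the target matches the policy.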

Cause
