Deleted Entitlements In The Access Policy Are Not Removed In The Target Application

(Doc ID 2302485.1)

Last updated on AUGUST 31, 2017

Applies to:

Identity Manager - Version 11.1.2.3.161018 and later
Information in this document applies to any platform.

Symptoms

Use-Case detail

1. Created an access policy (AP) that provisions two roles from EBS.
2. Created a user and assigned that role to trigger the AP, then ran Evaluate user policy.
3. The user's account was provisioned with two roles in OIM.
4. The same can be seen in the target EBS.
5. Added one extra role to the access policy.
6. Ran Evaluate user policy.
7. The user was provisioned with the newly added role in both OIM and the target.

And then

8. Removed one role from the access policy.
9. Ran Evaluate user policy.
10. The user was de-provisioned from that role, and the same can be seen in OIM as well as in the target.
11. Removed all roles, i.e. the remaining two roles, from the access policy.
12. Ran Evaluate user policy.
13. These roles are not removed from OIM or from the target. This is the issue.

Currently, OIM does not handle the scenario in which the last entitlement of an AP is removed: it does not remove that entitlement in OIM (at the user level) or in the target.
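To find accounts left in this state, the audit below compares what each access policy currently grants with what users still hold because of that policy. It is an added example, not Oracle code; the CSV layouts, column names, policy names and role names are constructed for illustration and are not the OIM schema.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data. Column names are hypothetical, not the OIM schema.
# AP_EBS has no rows here: its last two roles were removed (steps 11-12).
POLICY_CSV = """policy,entitlement
AP_HR,HR_SELF_SERVICE
"""

# What each account still holds, per system, and which policy granted it.
# An empty granted_by means a direct (request-based) grant.
HELD_CSV = """system,user,entitlement,granted_by
OIM,jdoe,EBS_GL_USER,AP_EBS
OIM,jdoe,EBS_AP_CLERK,AP_EBS
EBS,jdoe,EBS_GL_USER,AP_EBS
EBS,jdoe,EBS_AP_CLERK,AP_EBS
OIM,jdoe,HR_SELF_SERVICE,AP_HR
OIM,jdoe,EBS_AUDITOR,
"""


def load_policy(text):
    """Map policy name -> set of entitlements it currently grants."""
    current = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        current[row["policy"]].add(row["entitlement"])
    return current


def stale_entitlements(policy_text, held_text):
    """Return policy-granted entitlements the policy no longer contains."""
    current = load_policy(policy_text)
    stale = []
    for row in csv.DictReader(io.StringIO(held_text)):
        policy = row["granted_by"]
        if not policy:
            continue  # direct grant, outside access-policy control
        # .get() with an empty default: a policy absent from the export has
        # zero entitlements, so everything it granted is stale.
        if row["entitlement"] not in current.get(policy, set()):
            stale.append((row["system"], row["user"], row["entitlement"], policy))
    return sorted(stale)


if __name__ == "__main__":
    for finding in stale_entitlements(POLICY_CSV, HELD_CSV):
        print("STALE", *finding)
```

The check iterates from the held-entitlement side, so a policy that has been emptied completely still produces findings; a report built by joining on the policy's remaining entitlement rows would return nothing for it.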

Cause
