AP Harvesting Not Working For Reconciled Entitlements For Accounts Provisioned By Access Policy

(Doc ID 2314344.1)

Last updated on OCTOBER 04, 2017

Applies to:

Identity Manager - Version 11.1.2.3.0 and later
Information in this document applies to any platform.

Symptoms

The Access Policy Harvesting is not working for Reconciled Entitlements For Accounts Provisioned By Access Policy.

Usecase/Steps:

1) Suppose there are 3 roles in oim attached to 3 different access policies provisioning the same resource App1 but different Entitlement:

Role1 attached to AP1 and Ent1 of App1
Role2 attached to AP2 and Ent2 of App1
Role3 attached to AP3 and Ent3 of App1

2) All the Access policies have same IT resource set as default and ITresource is marked as Account Discriminator

3) XL.AllowAPHarvesting and XL.AllowAPBasedMultipleAccountProvisioning are both Set to TRUE

4) User1 gets Role1 and after Evaluate User Policies job is run, the user get App1 with Ent1. The OIU table has OIU_PROV_MECHANISM set as "Access Policy" and ENT_ASSIGN shows ENT_ASSIGN_PROV_MECHANISM as ACCESS POLICY for Ent1.

5) Now assign ENT2 and ENT3 directly to the user in the target and run the user target recon job, which reconciles the ENT2 and ENT3 to same account, and their respective ENT_ASSIGN_PROV_MECHANISM shows as RECONCILIATION. All good so far.

6) Now assign Role2 and Role3 to the User1 and run the Evaluate User Policies job.

The issue: For the user1, in the ENT_ASSIGN table, the ENT_ASSIGN_PROV_MECHANISM still shows as RECONCILIATION for Ent2 and Ent3. As a result when Role2 or Role3 is removed from user1, the Ent2 and Ent3 are still there.



Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms