
Disabled Policy is Included in the Identity Audit Scan (Doc ID 2328212.1)

Last updated on MARCH 20, 2019

Applies to:

Identity Manager - Version 11.1.2.3.0 to 11.1.2.3.180620 [Release 11g]
Identity Manager - Version 12.2.1.3.0 to 12.2.1.3.180713 [Release 12c]
Information in this document applies to any platform.

Symptoms

Disabled Identity Audit Policies are being picked up by the scan when the scan definition includes both Disabled and Enabled Identity Audit Policies.
The issue can be seen with the following scenarios:

Working Scenario

A User PEDRO is a member of a Role Role1.

There is an Identity Audit Rule RuleForRole1 defined for the Role1 Role.

There is an associated Identity Audit Policy PolicyForRule1ForRole1, which uses the RuleForRole1 Rule, and this policy is Disabled.

A scan is created to include User PEDRO and the disabled Identity Audit Policy PolicyForRule1ForRole1. As expected, the scan run does not report any violations.

Not Working Scenario

There is another User JORDAN who is a member of another Role Role2.

Similar to the previous scenario, there is an Identity Audit Rule RuleForRole2 defined for the Role2 Role and an associated Identity Audit Policy PolicyForRule2ForRole2 which uses the RuleForRole2 Rule. This policy is Enabled.

If you now modify your previous scan definition to include the new policy and user, the result of the updated scan run will have 2 policy violations.

There is one violation for the User JORDAN associated with the enabled Identity Audit Policy PolicyForRule2ForRole2, which is expected. But there is also a violation for the User PEDRO associated with the disabled Identity Audit Policy PolicyForRule1ForRole1, which is incorrect.

NOTE: In the above scenarios, the Users, Rules and Policies represent a fictitious example. Any similarity to actual persons or organizations is purely coincidental and not intended in any manner.

Changes

A Scan definition includes a mix of disabled and enabled Identity Audit Policies.

Cause
