Disabled Policy is Included in the Identity Audit Scan
(Doc ID 2328212.1)
Last updated on MARCH 20, 2019
Applies to: Identity Manager - Version 22.214.171.124.0 to 126.96.36.199.180620 [Release 11g]
Identity Manager - Version 188.8.131.52.0 to 184.108.40.206.180713 [Release 12c]
Information in this document applies to any platform.
Disabled Identity Audit Policies are evaluated by a scan, and produce violations, when the scan definition includes both Disabled and Enabled Identity Audit Policies.
The issue can be seen with the following scenarios:
Working Scenario
A User PEDRO is a member of a Role Role1.
There is an Identity Audit Rule RuleForRole1 defined for the Role1 Role.
There is an associated Identity Audit Policy PolicyForRule1ForRole1 which uses the RuleForRole1 Rule, and this policy is Disabled.
If a scan is created that includes User PEDRO and the disabled Identity Audit Policy PolicyForRule1ForRole1, the scan run reports no violations, as expected.
Not Working Scenario
There is another User JORDAN who is a member of another Role Role2.
As in the previous scenario, there is an Identity Audit Rule RuleForRole2 defined for the Role2 Role and an associated Identity Audit Policy PolicyForRule2ForRole2 which uses the RuleForRole2 Rule. This policy is Enabled.
If you now modify the previous scan definition to include the new policy and user:
The updated scan run reports 2 policy violations.
One violation is for the User JORDAN against the enabled Identity Audit Policy PolicyForRule2ForRole2, which is expected. The other is for the User PEDRO against the disabled Identity Audit Policy PolicyForRule1ForRole1, which is incorrect: a Disabled policy should never produce a violation, regardless of which other policies the scan contains.
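The following is an added example and not code from this note or from Oracle Identity Manager. It is a small model of scan evaluation, fitted to the two observations above (a scan holding only the Disabled policy reports nothing; the mixed scan reports a violation for the Disabled policy too), placed beside the expected behaviour, plus the check a practitioner can run over exported scan results to detect violations attributed to Disabled policies. The class and function names, and the sample users, roles, rules and policies, are assumptions constructed for this illustration.

```python
# Added example (not from the note and not Oracle Identity Manager code): a small
# model of Identity Audit scan evaluation that reproduces the two observations in
# the note and shows the post-scan check a practitioner can run on exported results.
# All names below (Rule, Policy, User, ScanDefinition, the functions) are assumptions
# made for this illustration; the sample users, roles and policies are constructed
# to match the scenarios described above.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    role: str  # the rule is satisfied (a violation) when the scanned user holds this role


@dataclass(frozen=True)
class Policy:
    name: str
    rule: Rule
    enabled: bool  # False models a policy in the Disabled state


@dataclass(frozen=True)
class User:
    login: str
    roles: frozenset


@dataclass(frozen=True)
class ScanDefinition:
    users: tuple
    policies: tuple


def rule_matches(user: User, policy: Policy) -> bool:
    """A policy yields a violation for a user when the role named by its rule is held by the user."""
    return policy.rule.role in user.roles


def run_scan_as_observed(scan: ScanDefinition) -> list:
    """Model fitted to the behaviour reported in the note (not OIM's actual code path):
    a scan containing only Disabled policies reports nothing, but as soon as one
    Enabled policy is in the definition every policy, Disabled ones included, is evaluated."""
    if not any(p.enabled for p in scan.policies):
        return []
    return [(u.login, p.name) for u in scan.users for p in scan.policies
            if rule_matches(u, p)]


def run_scan_expected(scan: ScanDefinition) -> list:
    """Expected behaviour: a Disabled policy is never evaluated, whatever else the scan holds."""
    return [(u.login, p.name) for u in scan.users for p in scan.policies
            if p.enabled and rule_matches(u, p)]


def violations_from_disabled_policies(violations: list, policies) -> list:
    """Post-scan check: return every reported (user, policy) violation whose policy is Disabled.
    Any non-empty result means the scan evaluated policies it should have skipped."""
    disabled = {p.name for p in policies if not p.enabled}
    return [v for v in violations if v[1] in disabled]


# Constructed sample data mirroring the note's scenarios.
RULE_FOR_ROLE1 = Rule("RuleForRole1", "Role1")
RULE_FOR_ROLE2 = Rule("RuleForRole2", "Role2")
POLICY1 = Policy("PolicyForRule1ForRole1", RULE_FOR_ROLE1, enabled=False)
POLICY2 = Policy("PolicyForRule2ForRole2", RULE_FOR_ROLE2, enabled=True)
PEDRO = User("PEDRO", frozenset({"Role1"}))
JORDAN = User("JORDAN", frozenset({"Role2"}))

# Working scenario: PEDRO plus the Disabled policy only.
SCAN_DISABLED_ONLY = ScanDefinition(users=(PEDRO,), policies=(POLICY1,))
# Not working scenario: the same definition extended with JORDAN and the Enabled policy.
SCAN_MIXED = ScanDefinition(users=(PEDRO, JORDAN), policies=(POLICY1, POLICY2))

if __name__ == "__main__":
    observed = run_scan_as_observed(SCAN_MIXED)
    print("observed:", observed)
    print("expected:", run_scan_expected(SCAN_MIXED))
    print("attributed to disabled policies:",
          violations_from_disabled_policies(observed, SCAN_MIXED.policies))
```

The useful piece in practice is the last function: feed it the violations a real scan run produced together with the current Enabled/Disabled state of the policies in the scan definition, and any row it returns is a violation that should not exist and should not be acted on by a remediator.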
The scan definition includes a mix of Disabled and Enabled Identity Audit Policies.