Recon Should Not Enable Accounts Disabled By Access Pol (Doc ID 2328356.1)

Last updated on MAY 12, 2023

Applies to:

Identity Manager - Version 11.1.2.3.170418 and later
Information in this document applies to any platform.

Goal

When an account that was provisioned in OIM via an access policy gets disabled because the user was disabled, the target recon should not enable the account and should also push the disabled status back to the target.

Use case/Steps:

1) Role1 -> Access Pol1 (AP1) -> Account1
2) Role2 -> Access Pol2 (AP1) -> Account2

Steps:
The user gets Role1.
The Evaluate User Policies job is run and the user gets Account1 provisioned.
The user gets Disabled in OIM, and Account1 is also Disabled.
In the target, the user's Account1 is Enabled.
Target Recon is run, which creates a recon event and updates Account1 to Enabled status.

But Account1 remains in Enabled status. Account1 should go back to Disabled, because for disabled users the account should be disabled, and the disabled status should also be pushed to the target to make the account disabled in the target as well, so that the statuses are in sync.

Why is the User Status in OIM not disabling the target account?

Solution

To view full details, sign in with your My Oracle Support account.