Recon Should Not Enable Accounts Disabled By Access Pol
(Doc ID 2328356.1)
Last updated on MAY 12, 2023
Applies to:
Identity Manager - Version 11.1.2.3.170418 and later
Information in this document applies to any platform.
Goal
When an account that was provisioned in OIM via an access policy gets disabled because the user was disabled, the target recon should not enable the account, and the disabled status should also be pushed back to the target.
Usecase/Steps:
1) Role1 -> Access Pol1 (AP1) -> Account1
2) Role2 -> Access Pol2 (AP1) -> Account2
Steps:
User gets Role1.
The Evaluate User Policies job is run and the user gets Account1 provisioned.
User gets Disabled in OIM; Account1 is also Disabled.
In the target, the user's Account1 is Enabled.
Target Recon is run, which creates a recon event and updates Account1 to Enabled status.
But Account1 remains in Enabled status. Account1 should go back to Disabled, because for disabled users the account should be disabled, and the disabled status should also be pushed to the target to disable the account there as well, so that the statuses are in sync.
Why is it that the User Status in OIM is not disabling the target account?
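An added example, not part of the Oracle document: a read-only query that lists accounts still in Enabled or Provisioned status for users whose OIM status is Disabled, which is the drift the steps above describe. The table and column names (USR, OIU, OST, OBI, OBJ) and the status values are assumed from the standard OIM 11g schema and should be verified against your release before use.

```sql
-- Added example (assumed standard OIM 11g schema; verify table/column names
-- against your release). Read-only: finds accounts that are still active
-- for users who are Disabled in OIM.
SELECT usr.usr_login   AS user_login,
       usr.usr_status  AS user_status,      -- expected: 'Disabled'
       obj.obj_name    AS resource_object,  -- the account's resource object
       ost.ost_status  AS account_status,   -- 'Enabled' or 'Provisioned' = drift
       oiu.oiu_key     AS account_instance_key
FROM   usr
JOIN   oiu ON oiu.usr_key = usr.usr_key     -- account instances of the user
JOIN   ost ON ost.ost_key = oiu.ost_key     -- status of each account instance
JOIN   obi ON obi.obi_key = oiu.obi_key     -- object instance
JOIN   obj ON obj.obj_key = obi.obj_key     -- resource object definition
WHERE  usr.usr_status = 'Disabled'
AND    ost.ost_status IN ('Enabled', 'Provisioned')
ORDER  BY usr.usr_login, obj.obj_name;
```

Running it after each target reconciliation shows whether a recon event has re-enabled an account for a disabled user, so the mismatch can be reviewed before it persists.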
Solution
To view full details, sign in with your My Oracle Support account.