Changing Between Revoke And Disable If No Longer Applies Does Not Affect Existing Account Provisioned Via the Access Policy

(Doc ID 2334394.1)

Last updated on NOVEMBER 30, 2017

Applies to:

Identity Manager - Version 11.1.1.3.0 to 12.2.1.3.0 [Release 11g to 12c]
Information in this document applies to any platform.

Goal

Use case:

1) Suppose an Access Policy with "Revoke If No Longer Applies" (RNLA) and Retrofit selected is attached to a Role.

2) A User was given that role and the Account was provisioned via this Access Policy.

3) Later, the Access Policy was edited and "Disable If No Longer Applies" (DNLA) was selected.

4) Now, if the user is removed from that role, the Account is revoked upon Access Policy evaluation.

So changing between "Revoke If No Longer Applies" and "Disable If No Longer Applies" does not affect existing accounts. Is this by design?

 

Solution
