Changing Between Revoke And Disable If No Longer Applies Does Not Affect Existing Account Provisioned Via the Access Policy
Last updated on NOVEMBER 30, 2017
Applies to:Identity Manager - Version 220.127.116.11.0 to 18.104.22.168.0 [Release 11g to 12c]
Information in this document applies to any platform.
1) Suppose one has an Access Policy having "Revoke If No Longer Applies" (RNLA) and Retrofit selected and attached to a Role.
2) A User was given that role and the Account was provisioned via this Access Policy.
3) Later the Access Policy was edited and "Disable If No Longer Applies" (DNLA) was now selected.
4) Now if the user is removed from that role, upon Access Policy evaluation, the Account is Revoked.
So changing between Revoke And Disable If No Longer Applies does not affect existing accounts. Is this by design?
Sign In with your My Oracle Support account
Don't have a My Oracle Support account? Click to get started
My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms