My Oracle Support Banner

Changing Between Revoke And Disable If No Longer Applies Does Not Affect Existing Account Provisioned Via the Access Policy (Doc ID 2334394.1)

Last updated on JULY 19, 2021

Applies to:

Identity Manager - Version to [Release 11g to 12c]
Information in this document applies to any platform.



1) Suppose one has an Access Policy having "Revoke If No Longer Applies" (RNLA) and Retrofit selected and attached to a Role.

2) A User was given that role and the Account was provisioned via this Access Policy.

3) Later the Access Policy was edited and "Disable If No Longer Applies" (DNLA) was now selected.

4) Now if the user is removed from that role, upon Access Policy evaluation, the Account is Revoked.

So changing between Revoke And Disable If No Longer Applies does not affect existing accounts. Is this by design?



To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.