Changing Between Revoke And Disable If No Longer Applies Does Not Affect Existing Account Provisioned Via the Access Policy
(Doc ID 2334394.1)
Last updated on NOVEMBER 30, 2017
Applies to:Identity Manager - Version 22.214.171.124.0 to 126.96.36.199.0 [Release 11g to 12c]
Information in this document applies to any platform.
1) Suppose one has an Access Policy having "Revoke If No Longer Applies" (RNLA) and Retrofit selected and attached to a Role.
2) A User was given that role and the Account was provisioned via this Access Policy.
3) Later the Access Policy was edited and "Disable If No Longer Applies" (DNLA) was now selected.
4) Now if the user is removed from that role, upon Access Policy evaluation, the Account is Revoked.
So changing between Revoke And Disable If No Longer Applies does not affect existing accounts. Is this by design?
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!