Entitlements Outside Roles certification option not taking into account indirect roles

(Doc ID 2347476.1)

Last updated on JANUARY 10, 2018

Applies to:

Identity Manager - Version and later
Information in this document applies to any platform.


The user certification option "Entitlements Outside Roles" does not take into account entitlements provisioned by indirect roles.

To better understand the issue, let's look at a simple use case.

There is an access policy TestAccessPolicy that provisions an LDAP account (OUD) together with the entitlement TestRole1000.



There is an indirect role IndirectRole tied to the access policy TestAccessPolicy.



There is a direct role DirectRole whose parent role is IndirectRole.



DirectRole is assigned to the user Pedro.



Because IndirectRole is the parent of DirectRole, it is assigned to the user automatically.



Once the job Evaluate Access Policies is run




The user is provisioned with an LDAP account (OUD)



and entitlement TestRole1000.



A user certification with the option Entitlements Outside Roles is created and run.




As a reminder, the option Entitlements Outside Roles means that entitlements provisioned by an access policy should not be selected.

With that in mind, when the reviewer opens the certification, they should not see the entitlement TestRole1000. However, as we can see, that is not the case.
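The use case above can be modelled in a few lines to show why the role hierarchy matters when deciding what counts as "outside roles". This is an added example, not Identity Manager code or its API: the data structures, the function names and the entitlement `ManualGroup42` are assumptions constructed for illustration, and the direct-only mode simply reproduces the reported symptom.

```python
# Constructed model of the article's use case (not Identity Manager code).
ROLE_PARENTS = {"DirectRole": ["IndirectRole"], "IndirectRole": []}
POLICY_ROLES = {"TestAccessPolicy": {"IndirectRole"}}          # policy -> triggering roles
POLICY_ENTITLEMENTS = {"TestAccessPolicy": {"TestRole1000"}}   # policy -> entitlements
DIRECT_ROLES = {"Pedro": {"DirectRole"}}
# ManualGroup42 is a constructed entitlement granted outside any role.
USER_ENTITLEMENTS = {"Pedro": {"TestRole1000", "ManualGroup42"}}


def effective_roles(user, include_indirect=True):
    """Direct roles plus, optionally, every ancestor role inherited through them."""
    roles = set(DIRECT_ROLES.get(user, ()))
    if not include_indirect:
        return roles
    stack = list(roles)
    while stack:
        for parent in ROLE_PARENTS.get(stack.pop(), ()):
            if parent not in roles:  # also guards against cycles in the hierarchy
                roles.add(parent)
                stack.append(parent)
    return roles


def entitlements_outside_roles(user, include_indirect=True):
    """Entitlements the user holds that no role-triggered access policy explains."""
    roles = effective_roles(user, include_indirect)
    via_roles = set()
    for policy, trigger_roles in POLICY_ROLES.items():
        if roles & trigger_roles:
            via_roles |= POLICY_ENTITLEMENTS[policy]
    return USER_ENTITLEMENTS.get(user, set()) - via_roles


if __name__ == "__main__":
    # Direct roles only: TestRole1000 wrongly shows up for review.
    print(sorted(entitlements_outside_roles("Pedro", include_indirect=False)))
    # Hierarchy resolved: only the directly granted entitlement remains.
    print(sorted(entitlements_outside_roles("Pedro", include_indirect=True)))
```

Running the same comparison against an export of real role, policy and entitlement data is a quick way to list which certification line items are explained only by inherited roles.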






