Entitlements Outside Roles certification option not taking into account indirect roles

(Doc ID 2347476.1)

Last updated on JANUARY 10, 2018

Applies to:

Identity Manager - Version 11.1.2.3.160719 and later
Information in this document applies to any platform.

Symptoms

User certification "Entitlements Outside Roles" option is not taking into account entitlements provisioned by indirect roles. 

To better understand the issue, let's look at a simple use case.

There is an Access Policy TestAccessPolicy that provisions an LDAP account (OUD) together with the entitlement TestRole1000.

There is an indirect role IndirectRole tied to the Access Policy TestAccessPolicy.

There is a direct role DirectRole whose parent role is IndirectRole.

DirectRole is assigned to user Pedro.

Because IndirectRole is the parent of DirectRole, it is assigned to the user automatically.

Once the job Evaluate Access Policies is run, the user will get provisioned an LDAP account (OUD) and the entitlement TestRole1000.

A user certification with the option Entitlements Outside Roles is created and run.

As a reminder, the option Entitlements Outside Roles means that entitlements provisioned by an access policy should not be selected.

With that in mind, when the reviewer opens the certification they should not see the entitlement TestRole1000; however, as we can see, that is not the case.
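
The use case above as a small Python model (an added example, not Oracle Identity Manager code, schema or API): it resolves Pedro's roles through the parent link and works out which entitlements a certification scoped to Entitlements Outside Roles would be expected to list. The dictionaries, function names and the ManualGroup entitlement are constructed for illustration; resolving direct roles only produces the listing described in the symptom.

```python
# Added illustration: a model of the use case, not Oracle Identity Manager code or schema.
from collections import deque

# Constructed sample data mirroring the use case above.
ROLE_PARENTS = {"DirectRole": ["IndirectRole"]}          # child role -> parent roles
POLICY_ROLES = {"TestAccessPolicy": ["IndirectRole"]}    # access policy -> roles that trigger it
POLICY_ENTITLEMENTS = {"TestAccessPolicy": ["TestRole1000"]}
DIRECT_ROLES = {"Pedro": ["DirectRole"]}
# Entitlements held by the user; "ManualGroup" is a hypothetical one granted outside any role.
USER_ENTITLEMENTS = {"Pedro": ["TestRole1000", "ManualGroup"]}


def effective_roles(user, include_indirect=True):
    """Direct roles plus, optionally, every ancestor reached through parent links."""
    roles = set(DIRECT_ROLES.get(user, []))
    if not include_indirect:
        return roles
    queue = deque(roles)
    while queue:
        for parent in ROLE_PARENTS.get(queue.popleft(), []):
            if parent not in roles:      # also guards against cyclic hierarchies
                roles.add(parent)
                queue.append(parent)
    return roles


def entitlements_outside_roles(user, include_indirect=True):
    """Entitlements the certification should list: those no role-driven policy explains."""
    roles = effective_roles(user, include_indirect)
    via_policy = set()
    for policy, trigger_roles in POLICY_ROLES.items():
        if roles.intersection(trigger_roles):
            via_policy.update(POLICY_ENTITLEMENTS.get(policy, []))
    return sorted(set(USER_ENTITLEMENTS.get(user, [])) - via_policy)


if __name__ == "__main__":
    print("direct roles only:", entitlements_outside_roles("Pedro", include_indirect=False))
    print("with indirect roles:", entitlements_outside_roles("Pedro"))
```

Run against an export of role memberships, role hierarchy and policy mappings, the difference between the two results is the set of entitlements a reviewer would be asked to certify even though a role already accounts for them.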

 

 

 

 

 

Cause
