Entitlements Outside Roles certification option not taking into account indirect roles
Last updated on JANUARY 10, 2018
Applies to: Identity Manager - Version 220.127.116.11.160719 and later
Information in this document applies to any platform.
User certification "Entitlements Outside Roles" option is not taking into account entitlements provisioned by indirect roles.
To better understand the issue, let's look at a simple use case.
There is an access policy TestAccessPolicy that provisions an LDAP account (OUD) together with the entitlement TestRole1000.
There is an indirect role IndirectRole tied to the access policy TestAccessPolicy.
There is a direct role DirectRole whose parent role is IndirectRole.
DirectRole is assigned to user Pedro.
Because IndirectRole is the parent of DirectRole, it is assigned to the user automatically.
Once the job Evaluate Access Policies is run, the user will be provisioned an LDAP account (OUD) and the entitlement TestRole1000.
A user certification with the option Entitlements Outside Roles is created and run.
As a reminder, the option Entitlements Outside Roles means that entitlements provisioned by an access policy should not be selected.
With that in mind, when the reviewer opens the certification they should not see the entitlement TestRole1000; however, as we can see, that is not the case.
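The use case above, modelled as an added example (not Oracle Identity Manager code and not from the article): it compares the expected Entitlements Outside Roles result, where inherited parent roles count, with a direct-roles-only evaluation that yields the result the article reports. The data layout, the function names and the entitlement ManualGroup are assumptions constructed for illustration; the article does not state the product's actual cause.

```python
# Illustrative model only: data layout and function names are assumptions,
# not Oracle Identity Manager APIs. Sample data is constructed from the use case.
ROLE_PARENTS = {"DirectRole": {"IndirectRole"}, "IndirectRole": set()}
POLICY_ROLES = {"TestAccessPolicy": {"IndirectRole"}}        # roles that trigger a policy
POLICY_ENTITLEMENTS = {"TestAccessPolicy": {"TestRole1000"}}
DIRECT_ROLES = {"Pedro": {"DirectRole"}}
# ManualGroup is a constructed entitlement that no access policy provisions.
USER_ENTITLEMENTS = {"Pedro": {"TestRole1000", "ManualGroup"}}


def effective_roles(user, include_indirect=True):
    """Direct roles plus, optionally, every inherited parent role (transitive)."""
    seen = set()
    stack = list(DIRECT_ROLES.get(user, ()))
    while stack:
        role = stack.pop()
        if role in seen:
            continue  # already visited; also guards against hierarchy cycles
        seen.add(role)
        if include_indirect:
            stack.extend(ROLE_PARENTS.get(role, ()))
    return seen


def entitlements_outside_roles(user, include_indirect=True):
    """Entitlements the user holds that no applicable access policy provisions."""
    roles = effective_roles(user, include_indirect)
    via_policy = set()
    for policy, policy_roles in POLICY_ROLES.items():
        if roles & policy_roles:  # policy applies through at least one role
            via_policy |= POLICY_ENTITLEMENTS[policy]
    return USER_ENTITLEMENTS.get(user, set()) - via_policy


if __name__ == "__main__":
    # Expected scope: TestRole1000 is excluded because IndirectRole is inherited.
    print("with indirect roles:", sorted(entitlements_outside_roles("Pedro")))
    # Direct-only evaluation: TestRole1000 shows up for review, as reported.
    print("direct roles only:  ", sorted(entitlements_outside_roles("Pedro", False)))
```

Running the same comparison over an export of the real role hierarchy and policy mappings gives reviewers a list of entitlements that appear in the certification even though an inherited role accounts for them.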