My Oracle Support Banner

OIM "Evaluate User Policies" Job Does Not Add Or Remove AD Groups During Role Changes (Doc ID 2354429.1)

Last updated on FEBRUARY 26, 2019

Applies to:

Identity Manager - Version and later
Information in this document applies to any platform.


When the Role changes entitlements related to old role access policy is not getting removed and no new entitlements related to new role are added to the users after running the  OIM "Evaluate User Policies" scheduler job. One expects that when role change happens OIM should remove entitlements related to the old role and add the entitlements related to new Role.

This is can be reproduced by following the below mentioned Steps:

1.Installed two connectors :(LDAP connector with OUD and AD connector with AD )

2.Created two roles  based on department number (AD Role 1: Department==1 ,AD Role 2: Department==2)

3.Created 2 access policies  (Access policy 1: This has two application instances AD And OUD and 3 entitlements each ....Access policy 2 : this has AD and OUD and 3 entitlements each. one entitlement is common for AD and OUD from first access policy)

4.Created a user with Department number 2 this has assigned AD Role 2 user.

5.Now Ran the evaluate user access policy 

6.Now user has two application instances (AD and OUD ) and 6 entitlements (3 from OUD and 3 from AD)

7.Now modified the user and changed the department number to 1 and ran the evaluate user access policy 

8.Expectation is that OIM should remove the entitlements related to Access policy 2 and add the entitlements related to access policy 1. But the old entitlements related to access policy 2 are still exist and no new process tasks triggered with any of the application instance.



To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.