My Oracle Support Banner

OIM Access Policy for Child Table of Disconnected Application Gets Evaluated When Running Evaluate User Policies Scheduled Job Although Having No Change (Doc ID 2700165.1)

Last updated on AUGUST 13, 2020

Applies to:

Identity Manager - Version 11.1.2.3.0 and later
Information in this document applies to any platform.

Symptoms

A Disconnected Application having a child table is configured in Oracle Identity Manager (OIM). The Disconnected Application and its Entitlement based on the child table are provisioned to OIM users via an Access Policy.

The Disconnected Application and its Entitlement have been already provisioned to an OIM user. From this state, if the same user is evaluated by a different access policy, the process task "<UD_CHILD_FORM_NAME> Updated" is triggered to indicate that the Disconnected Application's child table has been updated even though not changed actually.

While the the "Evaluate User Policies" scheduled job is running, the following message indicating that the child table is updated and evaluated is logged to <OIM_SERVERNAME>-diagnostic.log file;

Changes

The issue occurs only when the system property "Allows access policy based provisioning of multiple instances of a resource" (Keyword: XL.AllowAPBasedMultipleAccountProvisioning) is TRUE.

Sample Testcase:

1. Change XL.AllowAPBasedMultipleAccountProvisioning to TRUE

2. Create a new Disconnected Application "DisconnectedApp01" with Entitlement.
3. Create a new Access Policy "TestAp01" for provisioning DisconnectedApp01 and its Entitlement.
4. Create a new Role "TestRole01" and assign TestAp01 to the role.

5. Create a new Access Policy "TestAp02" for provisioning an other resource. (Any resource also is OK even not Disconnected Application)
6. Create a new Role "TestRole02" and assign TestAp02 to the role.

7. Create a new OIM user "TestUser01" and assign TestRole01 to the user.
8. Run the "Evaluate User Policies" scheduled job.
9. Complete manual tasks for provisioning Disconnected Application.
--> At this time, one Disconnected Application and one Entitlement are provisioned.

10. Assign TestRole02 to the same user TestUser01. (This operation purpose is to make the user be the target of access policy evaluation. This role or resource itself has no meaning here)

11. Run the "Evaluate User Policies" scheduled job.
--> The issue occurs. The "<UD_CHILD_FORM_NAME> Updated" process task is triggered in the provisioned DisconnectedApp01 and its manual task is generated.

Cause

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


In this Document
Symptoms
Changes
Cause
Solution
References


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.