
Oracle Identity Manager (OIM) 11g and Oracle Identity Governance (OIG) 12c: Access Policy for Disconnected Application Child Table Gets Evaluated When Evaluate User Policies Scheduled Job Runs Even Though No Change (Doc ID 2700165.1)

Last updated on AUGUST 30, 2023

Applies to:

Identity Manager - Version 11.1.2.3.0 and later
Information in this document applies to any platform.

Symptoms

A Disconnected Application having a Child Table is configured in OIM.  The Disconnected Application and its Entitlement based on the Child Table are provisioned to OIM users via an Access Policy.

The Disconnected Application and its Entitlement have already been provisioned to an OIM user.  From this state, if the same user is evaluated by a different access policy, the process task "<UD_CHILD_FORM_NAME> Updated" is triggered, indicating that the Disconnected Application's child table was updated even though no actual change was made.

While the "Evaluate User Policies" scheduled job is running, the following message, indicating that the child table was updated and evaluated, is logged to the <OIM_SERVERNAME>-diagnostic log:

Changes

The issue occurs only when the system property "Allows access policy based provisioning of multiple instances of a resource" (Keyword: XL.AllowAPBasedMultipleAccountProvisioning) is set to TRUE.

Sample Testcase:

1. Change XL.AllowAPBasedMultipleAccountProvisioning to TRUE

2. Create a new Disconnected Application "DisconnectedApp01" with Entitlement.
3. Create a new Access Policy "TestAp01" for provisioning DisconnectedApp01 and its Entitlement.
4. Create a new Role "TestRole01" and assign TestAp01 to the role.

5. Create a new Access Policy "TestAp02" that provisions another resource. (Any resource will do; it does not need to be a Disconnected Application.)
6. Create a new Role "TestRole02" and assign TestAp02 to the role.

7. Create a new OIM user "TestUser01" and assign TestRole01 to the user.
8. Run the "Evaluate User Policies" scheduled job.
9. Complete manual tasks for provisioning Disconnected Application.
--> At this time, one Disconnected Application and one Entitlement are provisioned.

10. Assign TestRole02 to the same user TestUser01. (The purpose of this step is to make the user a target of access policy evaluation; the role and its resource have no other significance here.)

11. Run the "Evaluate User Policies" scheduled job.
--> The issue occurs. The "<UD_CHILD_FORM_NAME> Updated" process task is triggered on the already-provisioned DisconnectedApp01 instance and its manual task is generated.
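The following SQL is an added example and is not part of the Oracle note. It checks, directly in the OIM database, the two facts the test case turns on: the current value of XL.AllowAPBasedMultipleAccountProvisioning, and whether any "<UD_CHILD_FORM_NAME> Updated" process tasks were generated on existing accounts after the "Evaluate User Policies" job ran. It assumes the standard OIM schema tables PTY (system properties), OSI, SCH and MIL (process task instances, their status, and task definitions), ORC (process instances) and USR; the form-name prefix UD_DISCONNECTEDAPP01 and the one-day window are placeholders to adjust to your environment.

```sql
-- Added example, not from the Oracle note. Run against the OIM schema
-- (as the schema owner or an account with SELECT on these tables).

-- 1. Confirm the system property that gates the behaviour described above.
--    The spurious "Updated" task is reproduced only when PTY_VALUE is TRUE.
SELECT pty_name, pty_keyword, pty_value
  FROM pty
 WHERE pty_keyword = 'XL.AllowAPBasedMultipleAccountProvisioning';

-- 2. List "<UD_...> Updated" process tasks created recently on existing
--    account instances. A row for a user whose child-table data did not
--    change is the symptom from the test case (step 11).
--    Placeholders: the UD_DISCONNECTEDAPP01 prefix and the SYSDATE - 1 window.
SELECT usr.usr_login,
       orc.orc_key,                 -- the provisioned account instance
       mil.mil_name,                -- e.g. "UD_DISCONNECTEDAPP01_CHILD Updated"
       sch.sch_status,              -- P = pending (manual task not yet completed)
       sch.sch_create
  FROM osi
  JOIN sch ON sch.sch_key = osi.sch_key
  JOIN mil ON mil.mil_key = osi.mil_key
  JOIN orc ON orc.orc_key = osi.orc_key
  JOIN usr ON usr.usr_key = orc.usr_key
 WHERE mil.mil_name LIKE 'UD\_DISCONNECTEDAPP01% Updated' ESCAPE '\'
   AND sch.sch_create > SYSDATE - 1
 ORDER BY sch.sch_create DESC, usr.usr_login;
```

Run the second query once before step 10 and again after step 11: with the property set to TRUE, the second run returns a new pending "Updated" task for TestUser01 although only an unrelated role was assigned; with it set to FALSE, no new row should appear.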

Cause




