Oracle Identity Governance (OIG) 12c Certification With "include Entitlements Provisioned By Access Policy" Option Only Ignores Entitlements Where Ent_assign_prov_mechanism="ACCESS POLICY" (Doc ID 2705035.1)

Last updated on APRIL 10, 2023

Applies to:

Symptoms

The certification definition has "include entitlements provisioned by access policy" not checked and this should ignore all the entitlements provisioned via access policy but it only ignore entitlements where Ent_assign_prov_mechanism="ACCESS POLICY" and not AP HARVESTED and ACCESS POLICY VIA REQUEST.

Steps to create the issue:

System properties setting requirement:
XL.AllowAPHarvesting TRUE
XL.AllowAPBasedMultipleAccountProvisioning TRUE
Account Discriminator set to true in Parent form in design console.

1. Create any test user and assign him role TestRole1 (this role is tied to the access policy 1 to provision OUD account with no entitlement) and run Evaluate User Policies job. The testing user should have an OUD provisioned
2. Have him login identity console and request two entitlements TestRole1005 and TestRole1006 and complete the request so that entitlements TestRole1005 and TestRole1006 were provisioned
3. Assign this user role TestRole2 (this role is tied to access policy 2 configured with 2 OUD entitlements TestRole1005 and TestRole1006) and run the Evaluate User Policies job. Now ENT_ASSIGN_PROV_MECHANISM column has new records with ACCESS POLICY VIA REQUEST entitlements.
4. Create the certification task as Entitlement type of certification, and uncheck the Include Entitlements Provisioned By Access Policy option
5. Run the job, and it includes the entitlements with 'ACCESS POLICY VIA REQUEST'

Changes

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.