Adding New Entitlements to an Existing Access Policy Does Not Trigger a Re-Evaluation of the Policy for Existing Users (Doc ID 2789168.1)

Last updated on JULY 20, 2021

Applies to:

Identity Manager - Version and later
Information in this document applies to any platform.


Customer has an access policy that provisions accounts and entitlements for one or more LDAP targets (OUD, AD). The access policy has the 'Retrofit' flag checked. When a new entitlement is added to the access policy, no update occurs to the USER_PROVISIONING_ATTRS table for member users, so the new entitlement is not provisioned. Other changes do trigger a re-evaluation for existing users. If users become eligible for the access policy (via role membership), the new entitlement is also provisioned to them.

The issue is that entitlements added to an access policy are not provisioned to users who are existing members of roles attached to that policy. The entitlement is not retroactively provisioned.


Upgrade to 12c.

