After Upgrade to Oracle Identity Governance (OIG) 12c: Adding New Entitlements to an Existing Access Policy Does Not Trigger a Re-Evaluation of the Policy for Existing Users
(Doc ID 2789168.1)
Last updated on APRIL 05, 2023
Applies to:
Identity Manager - Version 12.2.1.3.200627 and later
Information in this document applies to any platform.
Symptoms
Customer has an access policy that provisions an account and entitlements for one or more Lightweight Directory Access Protocol (LDAP) targets such as Oracle Universal Directory (OUD) and Active Directory (AD). The access policy has the 'Retrofit' flag checked. When a new entitlement is added to the access policy, no update occurs to the USER_PROVISIONING_ATTRS table for existing member users, so the new entitlement is not provisioned. Other changes do trigger a re-evaluation for existing users. If users become eligible for the access policy (via role membership), the new entitlement is also provisioned to them.
In short, entitlements added to an access policy are not provisioned to users who are existing members of roles attached to that policy. The entitlement is not retroactively provisioned.
Changes
Upgrade to 12c.
Cause