Oracle Identity Governance (OIG) 220.127.116.11.220413: When Removing Entitlements From a User Account, the ENT_ASSIGN Entry Is Not Removed and the ENT_LIST_HIST Is No Longer Updated
(Doc ID 2880845.1)
Last updated on JULY 18, 2022
Applies to: Identity Manager - Version 18.104.22.168.220413 to 22.214.171.124.220413 [Release 12c]
Information in this document applies to any platform.
In OIG 126.96.36.199.220413 (patch 34066601), when revoking an Entitlement from a provisioned user account:
- the ENT_ASSIGN_HIST table is not updated with the record
- the ENT_ASSIGN entry is not removed
- the child process form UD table entry is removed
Prior to OIG 188.8.131.52.220413, and also in 184.108.40.206 and in 220.127.116.11, when removing an Entitlement from a provisioned user account, the ENT_ASSIGN_HIST table was updated with the removed Entitlement for auditing, and the ENT_ASSIGN and child table entries were removed.
The change in behavior allows OIM to provision the child entry, which creates duplicate Entitlements.
This is caused by ER Bug 16305078. Normally, every child table has a DB trigger that moves the data from the UD child table to the ENT_ASSIGN table, and this trigger invokes the stored procedure OIM_SP_MANAGEENTITLEMENT. This ER changed the UD child table's trigger definition so that, for the DELETE operation, the 4th parameter is UD_<CHILD_TABLE>_KEY instead of NULL.
If the connector is freshly installed after applying the 18.104.22.168.220413 BP, the 4th parameter will have the right value (i.e. UD_<CHILD_TABLE>_KEY instead of NULL) and there is no issue.
The issue happens only for the resources/app-instances installed prior to 22.214.171.124.220413.
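To find child-table triggers that still carry the older DELETE call, the check below scans exported trigger source text (for example, text taken from USER_SOURCE) for OIM_SP_MANAGEENTITLEMENT calls whose 4th argument is NULL. It is an added example, not Oracle's code. The trigger layout, the `UD_DEMO_CH` table name and the `ph_*` arguments are constructed placeholders, and it assumes each call sits under an INSERTING/UPDATING/DELETING branch.

```python
import re

PROC = "OIM_SP_MANAGEENTITLEMENT"  # procedure name as given in the note
PREDICATE = re.compile(r"\b(INSERTING|UPDATING|DELETING)\b", re.I)

def read_args(src, pos):
    """Split the argument list that starts at src[pos], just after '('."""
    args, cur, depth, quoted = [], [], 0, False
    for ch in src[pos:]:
        if ch == "'":
            quoted = not quoted
        elif not quoted:
            if ch == ")" and depth == 0:
                break
            if ch == "," and depth == 0:
                args.append("".join(cur).strip())
                cur = []
                continue
            depth += (ch == "(") - (ch == ")")
        cur.append(ch)
    args.append("".join(cur).strip())
    return args

def calls(source):
    """Return (operation, args) per PROC call. Assumption: the operation is the
    nearest preceding PL/SQL conditional predicate (INSERTING/UPDATING/DELETING)."""
    src = re.sub(r"--[^\n]*", "", source)  # drop line comments
    found = []
    for m in re.finditer(re.escape(PROC) + r"\s*\(", src, re.I):
        preds = PREDICATE.findall(src[:m.start()])
        found.append((preds[-1].upper() if preds else None, read_args(src, m.end())))
    return found

def stale_delete_calls(source):
    """DELETE-branch calls that still pass NULL as the 4th argument."""
    return [a for op, a in calls(source)
            if op == "DELETING" and len(a) >= 4 and a[3].upper() == "NULL"]

# Constructed trigger bodies: UD_DEMO_CH and the ph_* arguments are placeholders,
# real OIM trigger text will differ.
BODY = """BEGIN
  IF INSERTING THEN
    OIM_SP_MANAGEENTITLEMENT(ph_a, NVL(ph_b, 0), ph_c, ph_d);
  ELSIF DELETING THEN
    OIM_SP_MANAGEENTITLEMENT(ph_a, NVL(ph_b, 0), ph_c, {fourth});
  END IF;
END;"""
PRE_PATCH = BODY.format(fourth="NULL")
POST_PATCH = BODY.format(fourth="UD_DEMO_CH_KEY")
```

A non-empty result from `stale_delete_calls` marks a trigger whose DELETE call still passes NULL as the 4th argument, the form used by resources installed before the bundle patch.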