
Oracle Identity Governance (OIG) Child Request Incorrectly Reports Violation Despite Other Rejected Child Requests In Identity Audit (IDA) Rule (Doc ID 2904899.1)

Last updated on NOVEMBER 07, 2022

Applies to:

Identity Manager - Version 12.2.1.4.220115 and later
Information in this document applies to any platform.

Symptoms

A child request incorrectly reports a violation even though other child requests have been rejected, while the parent request is still active/pending (i.e. "Request Awaiting Child Requests Completion"). IDA preventive scans incorrectly report a violation when the parent request is active, even though the child request with the violating item has been rejected. In a preventive scan, it is assumed that the entities (roles, app instances, entitlements) found in pending requests will eventually be granted to the user.


STEPS
-----------------------
The issue can be reproduced at will with the following steps:

1. In Identity Self Service->Manage

     Create a user:  USER1

     Create 3 roles:  ROLE1, ROLE2 and ROLE3
 
2. In Identity Self Service-> Compliance ->Identity Audit -> Rules

     Create a rule: RULE1

     role[*].Role Name Equal role ROLE1 AND role[*].Role Name Equal  ROLE3

3. In Identity Self Service-> Compliance-> Policies

     Create an IDA Policy:  POLICY1

     Check "Evaluate during requests" and add the rule RULE1 created above

4. In the OIM admin console: Workflows -> Approval, edit the "Assign Roles" workflow and add a rule:

     Approval Workflow Configuration

     Edit Rule: <RoleRule> Assign Role Rule
     IF 1 Equal 1 THEN workflow Equal default/BeneficiaryManagerApproval!4.0

5. As 'xelsysadm' within 'Identity Self Service' -> Request Access -> Request for others, select user "USER1".

     Submit a request for ROLE1 and ROLE2.

6. A parent request gets created (i.e. a heterogeneous request). Go to Pending Approvals -> approve the parent request.

7. The above request approval creates two child requests, one for ROLE1 and one for ROLE2.


8. Reject the child request having 'ROLE1' entity after providing the comments in Approvals -> Comments section.

     ROLE2 request status-> Request Awaiting Approval
     ROLE1 request status-> Request Rejected

     Request status: Request Awaiting Child Request Completion

9. Now as xelsysadm user, try to raise a request.  Request Access -> Request for others -> Select user "USER1".

     Submit a request for ROLE3.


10. Now, monitor for violations.

The policy violation was incorrectly reported.
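The state reached after step 8 can be modelled to show why the ROLE3 request trips RULE1. This is an added, simplified model of the symptom, not Oracle's code and not the root cause (which this page does not state); the types, function names and the `honor_child_status` switch are hypothetical.

```python
from dataclasses import dataclass, field

# Status strings as they appear in the reproduction steps.
PARENT_ACTIVE = "Request Awaiting Child Requests Completion"
AWAITING = "Request Awaiting Approval"
REJECTED = "Request Rejected"

# RULE1 from step 2: a violation exists when ROLE1 and ROLE3 are held together.
RULE1 = frozenset({"ROLE1", "ROLE3"})

@dataclass
class Child:                      # hypothetical model type
    role: str
    status: str

@dataclass
class Parent:                     # hypothetical model type
    status: str
    children: list = field(default_factory=list)

def pending_roles(parents, honor_child_status):
    """Roles a preventive scan assumes will eventually be granted."""
    roles = set()
    for parent in parents:
        if parent.status != PARENT_ACTIVE:
            continue
        for child in parent.children:
            # Reported symptom: with honor_child_status=False a rejected
            # child's role still counts while the parent stays active.
            if honor_child_status and child.status == REJECTED:
                continue
            roles.add(child.role)
    return roles

def preventive_scan(granted, parents, requested, honor_child_status):
    """Return True when RULE1 would be violated after the new request."""
    prospective = set(granted) | set(requested)
    prospective |= pending_roles(parents, honor_child_status)
    return RULE1 <= prospective

# Constructed state after step 8: ROLE1 child rejected, ROLE2 child pending.
AFTER_STEP_8 = [Parent(PARENT_ACTIVE, [Child("ROLE1", REJECTED),
                                       Child("ROLE2", AWAITING)])]
# Constructed control case: ROLE1 child still pending, so ROLE3 is a real conflict.
ROLE1_PENDING = [Parent(PARENT_ACTIVE, [Child("ROLE1", AWAITING)])]

if __name__ == "__main__":
    print("symptom :", preventive_scan(set(), AFTER_STEP_8, {"ROLE3"}, False))
    print("expected:", preventive_scan(set(), AFTER_STEP_8, {"ROLE3"}, True))
    print("control :", preventive_scan(set(), ROLE1_PENDING, {"ROLE3"}, True))
```

The control case shows that skipping rejected children does not hide a genuine conflict: a ROLE1 child that is still awaiting approval continues to block ROLE3.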

 

Changes

 

Cause
