Oracle Identity Governance (OIG) Child Request Incorrectly Reports Violation Despite Other Rejected Child Requests In Identity Audit (IDA) Rule
(Doc ID 2904899.1)
Last updated on NOVEMBER 07, 2022
Applies to:
Identity Manager - Version 12.2.1.4.220115 and later
Information in this document applies to any platform.
Symptoms
A child request incorrectly reports a violation even though other child requests have been rejected, while the parent request is still active/pending (i.e. "Request Awaiting Child Requests Completion"). IDA preventive scans incorrectly report a violation when the parent request is active, even though the child request with the violating item is rejected. In a preventive scan, it is assumed that the entities (roles, app instances, entitlements) found in pending requests will eventually be granted to the user.
STEPS
-----------------------
The issue can be reproduced at will with the following steps:
1. In Identity Self Service->Manage
Create a user: USER1
Create 3 roles: ROLE1, ROLE2 and ROLE3
2. In Identity Self Service-> Compliance ->Identity Audit -> Rules
Create a rule: RULE1
role[*].Role Name Equal role ROLE1 AND role[*].Role Name Equal ROLE3
3. In Identity Self Service-> Compliance-> Policies
Create an IDA Policy: POLICY1
Check "Evaluate during requests" and add the rule RULE1 created above
4. OIM admin console: Workflows -> Approval: edit the "Assign Roles" workflow and add a rule:
Approval Workflow Configuration
Edit Rule: <RoleRule> Assign Role Rule
IF 1 Equal 1 THEN workflow Equal default/BeneficiaryManagerApproval!4.0
5. As 'xelsysadm' in 'Identity Self Service' -> Request Access -> Request for others, select user "USER1".
Submit a request for ROLE1 and ROLE2.
6. A parent request gets created (i.e. heterogeneous request). Go to Pending Approvals -> approve parent request.
7. The above request approval creates two child requests, one for ROLE1 and one for ROLE2.
8. Reject the child request having 'ROLE1' entity after providing the comments in Approvals -> Comments section.
ROLE2 request status-> Request Awaiting Approval
ROLE1 request status-> Request Rejected
Request status: Request Awaiting Child Request Completion
9. Now as xelsysadm user, try to raise a request. Request Access -> Request for others -> Select user "USER1".
Submit a request for ROLE3.
10. Now, monitor for violations.
The policy Violation was incorrectly reported.
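The scenario in steps 5-10, as a small model added here for illustration; it is not Oracle's code and does not state the cause of the defect. The class and function names are hypothetical, and the "reported" projection is only an assumption that reproduces the outcome described in the Symptoms.

```python
from dataclasses import dataclass

# Request statuses quoted in the steps above.
AWAITING_APPROVAL = "Request Awaiting Approval"
REJECTED = "Request Rejected"
AWAITING_CHILDREN = "Request Awaiting Child Request Completion"

@dataclass
class ChildRequest:          # hypothetical model, not an OIG class
    role: str
    status: str

@dataclass
class ParentRequest:         # hypothetical model, not an OIG class
    status: str
    children: list

def rule1(roles):
    """RULE1 from step 2: violated when the user would hold ROLE1 and ROLE3."""
    return {"ROLE1", "ROLE3"} <= set(roles)

def projected_roles_reported(granted, parents, new_roles):
    """Assumed model of the reported outcome: every entity under a
    still-active parent request counts as eventually granted."""
    roles = set(granted) | set(new_roles)
    for p in parents:
        if p.status == AWAITING_CHILDREN:
            roles |= {c.role for c in p.children}
    return roles

def projected_roles_expected(granted, parents, new_roles):
    """Expected outcome: a rejected child request will never be granted,
    so its entity is left out of the projection."""
    roles = set(granted) | set(new_roles)
    for p in parents:
        if p.status == AWAITING_CHILDREN:
            roles |= {c.role for c in p.children if c.status != REJECTED}
    return roles

def scenario(role1_status=REJECTED):
    """State after step 8, then the ROLE3 request from step 9."""
    parent = ParentRequest(AWAITING_CHILDREN, [
        ChildRequest("ROLE1", role1_status),
        ChildRequest("ROLE2", AWAITING_APPROVAL),
    ])
    reported = rule1(projected_roles_reported([], [parent], ["ROLE3"]))
    expected = rule1(projected_roles_expected([], [parent], ["ROLE3"]))
    return reported, expected

if __name__ == "__main__":
    print(scenario())  # (reported violation, expected violation)
```

When verifying a fix, also run the case where the ROLE1 child request is still awaiting approval: a violation must still be reported there, otherwise the preventive control has been weakened.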
Changes
Cause