Oracle Identity Governance (OIG) 12c: Installing One-off Patch 31838518 Unlocked Users Who Are Locked By An Administrator with Custom Admin Role Manually
(Doc ID 2916196.1)
Last updated on JULY 31, 2024
Applies to:
Identity Manager - Version 12.2.1.3.190624 and later
Information in this document applies to any platform.
Symptoms
In Oracle Identity Manager (OIM) 12.2.1.3.190624, applying One-Off Patch 31838518 and running the scheduled job "Automatically Unlock User" unlocks all users who were manually locked by an Administrator.
Before applying the One-Off Patch, any locks manually set by an Administrator remained locked until manually unlocked by an Administrator.
TESTCASE STEPS
===========
1. Modify the default password policy to uncheck the "Permanent Lockout" and set "Lock Duration" as 10 minutes.
2. Create 4 users (for example - OIMU1, TESTLOCK1, OAMLOGIN1, SU1) all in Xellerate Users.
3. Create an Admin Role called "ACC". Assign the "Capabilities" for "User - Lock", "User - Unlock" and "Modify Provisioned Accounts". Set the "Scope of Control" as "Xellerate Users".
4. Assign the Admin Role "ACC" to user SU1 to make SU1 a super user who can lock/unlock other users.
5. Verify in the Lightweight Directory Access Protocol (LDAP) that these 4 users are all active and can log in to OIM.
6. Set the Scheduled job "SSO User Recon" to run every 5 minutes and the "Automatically Unlock User" to run every 6 minutes.
7. Log in as user SU1 and manually lock the user TESTLOCK1.
8. Log in as user OAMLOGIN1 and enter a wrong password multiple times to trigger login failure.
9. Log in as user XELSYSADM and manually lock user OIMU1.
10. In the USR table of the OIM Database (DB), TESTLOCK1 and OIMU1 now show as manually locked (USR_MANUALLY_LOCKED=1). After the "SSO User Recon" job runs, OAMLOGIN1 shows as locked without the manually locked flag set.
11. After 10 minutes, once both the "SSO User Recon" and "Automatically Unlock User" jobs have run, TESTLOCK1 and OAMLOGIN1 are unlocked. Notice that the USR_MANUALLY_LOCKED attribute for TESTLOCK1 is set to 0.
The user TESTLOCK1, who was manually locked by super user SU1, should not be unlocked.
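The check in steps 10 and 11 can be automated by comparing two exports of the USR table, one taken before and one after the "Automatically Unlock User" job runs. The following is an added example, not Oracle code: the CSV snapshots are constructed sample data, USR_LOGIN and USR_LOCKED are assumed column names (only USR_MANUALLY_LOCKED appears in this document), and the function names are hypothetical.

```python
import csv
import io

# Constructed sample exports of the USR table (not real data).
# USR_LOGIN and USR_LOCKED are assumed column names; only
# USR_MANUALLY_LOCKED is named in this document.
BEFORE_JOB = """USR_LOGIN,USR_LOCKED,USR_MANUALLY_LOCKED
OIMU1,1,1
TESTLOCK1,1,1
OAMLOGIN1,1,0
SU1,0,0
"""

AFTER_JOB = """USR_LOGIN,USR_LOCKED,USR_MANUALLY_LOCKED
OIMU1,1,1
TESTLOCK1,0,0
OAMLOGIN1,0,0
SU1,0,0
"""


def load_snapshot(text):
    """Map each login to (locked, manually_locked) booleans."""
    rows = csv.DictReader(io.StringIO(text))
    return {
        r["USR_LOGIN"]: (r["USR_LOCKED"] == "1", r["USR_MANUALLY_LOCKED"] == "1")
        for r in rows
    }


def find_wrongly_unlocked(before, after, admin_unlocks=frozenset()):
    """Return logins that were manually locked before the job and have lost
    the lock or the manual-lock flag afterwards, excluding logins an
    administrator is known to have unlocked in between."""
    flagged = []
    for login, (locked, manual) in before.items():
        if not (locked and manual) or login in admin_unlocks:
            continue
        now = after.get(login)
        if now is None:
            continue  # user no longer present; nothing to compare
        now_locked, now_manual = now
        if not now_locked or not now_manual:
            flagged.append(login)
    return sorted(flagged)


if __name__ == "__main__":
    print(find_wrongly_unlocked(load_snapshot(BEFORE_JOB), load_snapshot(AFTER_JOB)))
```

OAMLOGIN1 is not reported because its lock came from failed logins and is expected to expire after the "Lock Duration".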
Changes
One-Off Patch 31838518 was applied in an Oracle Identity Manager (OIM) 12.2.1.3.190624 environment.
Cause