Preventive SOD Violation not detected in a bulk request when other Entitlements of same account are present in Pending Requests
(Doc ID 3024541.1)
Last updated on MAY 29, 2024
Applies to:
Identity Manager - Version 12.2.1.4.0 and later
Information in this document applies to any platform.
Symptoms
In Oracle Identity Governance, a Preventive SOD Violation can be configured using an IDA rule with a condition that is evaluated during the request and stops users from submitting the request. In some cases, the preventive SOD violation is not detected for a bulk request for entitlements when another entitlement of the same account, one that is not part of the SOD violation rule, has already been requested for at least one of the bulk users and is still a pending request.
Changes
The following steps can be performed to verify the issue exists in your environment.
1. Make sure there are no pending requests (requests awaiting approval).
2. Create 2 users – TestUser1, TestUser2 and assign any application having entitlements for these users.
3. Choose any 4 entitlements of the above application, Ent1, Ent2, Ent3, Ent4.
4. Create IDA Rule and add an "And" condition for Ent1 and Ent2 with the "Evaluate during Request" checkbox selected.
5. Raise a request for Ent1 for TestUser1 – Approve. The entitlement will get assigned to TestUser1.
6. Raise a request for Ent4 for TestUser1 – Don't approve. It is necessary for at least 1 pending approval to be present for TestUser1.
7. Raise another request -> Request for others -> Add TestUser2 and TestUser2 -> Add Ent2 -> Try to submit
8. No violation is raised, even though TestUser1 had Ent1 assigned through an earlier request.
Cause