EGRC 8.6.x: Subsequent Control Analysis Run Not Setting the Status Correctly For Earlier Accepted Incidents (Doc ID 2010155.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Application Access Controls Governor - Version 8.6.3 and later
Information in this document applies to any platform.

Symptoms

On Application Access Controls Governor version 8.6.5.5000:

In Oracle Application Access Controls Governor (AACG), models and controls define conflicts among duties that can be assigned in a company’s applications, and identify users who have access to those conflicting duties.
AACG can also implement “preventive analysis” — it can evaluate controls as duties are assigned to users of the company’s applications, preventing them from gaining risky access.

ACTUAL BEHAVIOR
---------------
A subsequent Conflict Analysis (CA) run of a control does not set the incident status correctly where it needs to change from Accepted to Assigned.

EXPECTED BEHAVIOR
-----------------------
A subsequent Conflict Analysis (CA) run of a control should set the incident status correctly where it needs to change from Accepted to Assigned.

STEPS
-----------------------
The issue can be reproduced at will with the following steps:
1. Control is for Entitlement 1 AND Entitlement 2
Entitlement 1 has f1
Entitlement 2 has f3 and f4
Sub-policies:
f1 AND f3
f1 AND f4
2. R1 has f1, R3 has f3 and R4 has f4.
3. Initially user has R1 and R3.
4. The control run produces incidents and the AIDE report shows the following:
U>R1>f1 with Status(Assigned), Group(f1vsf3)
U>R3>f3 with Status(Assigned), Group(f1vsf3)
5. Accept the incidents shown in step 4.
6. Add R4 to the user, run the access ETL, and run CA for the control.
7. The control run produces incidents and the AIDE report shows the following:
Actual:
U>R1>f1 with Status(Accepted), Group(f1vsf3 and f1vsf4)
U>R3>f3 with Status(Accepted), Group(f1vsf3)
U>R4>f4 with Status(Assigned), Group(f1vsf4)

Expected:
U>R1>f1 with Status(Assigned), Group(f1vsf3 and f1vsf4)
U>R3>f3 with Status(Accepted), Group(f1vsf3)
U>R4>f4 with Status(Assigned), Group(f1vsf4)
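
Added example (not Oracle's code and not part of the original note): a small Python model of the steps above. The rule that an incident stays Accepted only while its conflict groups have not grown is an assumption inferred from the Expected output, and stale_accepted is a hypothetical helper for spotting the affected rows in a report.

```python
# Added illustration; the status rule below is an assumption inferred from the
# note's Expected output, not AACG's actual implementation.
SUB_POLICIES = {"f1vsf3": ("f1", "f3"), "f1vsf4": ("f1", "f4")}  # from step 1
ROLE_FUNCTIONS = {"R1": {"f1"}, "R3": {"f3"}, "R4": {"f4"}}      # from step 2


def analyze(user, roles, previous=None):
    """Return {access_path: (status, groups)} for one conflict-analysis run.

    previous: result of the earlier run, including manual status changes.
    Assumed rule: an incident stays Accepted only when every conflict group it
    belongs to now was already present when it was accepted.
    """
    previous = previous or {}
    paths = {}  # function -> access paths (user>role>function) granting it
    for role in roles:
        for fn in sorted(ROLE_FUNCTIONS[role]):
            paths.setdefault(fn, []).append(f"{user}>{role}>{fn}")
    groups = {}  # access path -> conflict groups it participates in
    for group, (left, right) in SUB_POLICIES.items():
        if left in paths and right in paths:
            for path in paths[left] + paths[right]:
                groups.setdefault(path, set()).add(group)
    result = {}
    for path, now in groups.items():
        old_status, old_groups = previous.get(path, ("Assigned", set()))
        keep = old_status == "Accepted" and now <= old_groups
        result[path] = ("Accepted" if keep else "Assigned", now)
    return result


def accept_all(run):
    """Step 5: mark every incident of a run as Accepted."""
    return {path: ("Accepted", set(groups)) for path, (_, groups) in run.items()}


def stale_accepted(previous, reported):
    """Paths a later report still shows as Accepted although their groups grew."""
    return sorted(
        path for path, (status, groups) in reported.items()
        if status == "Accepted" and not groups <= previous.get(path, ("", set()))[1]
    )


if __name__ == "__main__":
    accepted = accept_all(analyze("U", ["R1", "R3"]))          # steps 3-5
    for path, (status, grp) in analyze("U", ["R1", "R3", "R4"], accepted).items():
        print(path, status, sorted(grp))                       # steps 6-7
```

Feeding stale_accepted the accepted incidents from step 5 and the rows of the "Actual" report from step 7 returns U>R1>f1, the incident whose status should have gone back to Assigned.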


BUSINESS IMPACT
-----------------------
The issue has the following business impact:
Due to this issue, users cannot identify the new conflicts generated in a new CA run.

Cause
