Retrofit Access Policy
If you select Retrofit Access Policy, the access policy is applied to all existing members of the roles you select during access policy creation. In other words, users who already hold one of the selected roles are brought under the policy too, not only users who are assigned those roles after the policy is created.
These evaluations do not happen immediately after the action. Instead, they happen during the next run of the Evaluate User Policies scheduled task.
The evaluations can happen in the following
scenarios:
Policy definition is updated
so that the retrofit flag is set to ON. Policies are evaluated for all
applicable users.
A role is added to or removed from the policy definition. Policies are evaluated only for the roles that were added or removed.
A resource is added, removed,
or the Revoke If No Longer Applies flag value is changed for the resource.
In earlier releases of Oracle Identity Manager, when the Revoke if no longer applies option is selected in an access policy and the policy is no longer applicable, both the account and the entitlements (child records) associated with the access policy are revoked. When the option is not selected and the policy is no longer applicable, the account remains but the entitlements are still revoked. In other words, in those releases entitlements are revoked regardless of the value of the Revoke if no longer applies option once the policy ceases to apply.
In Oracle Identity Manager 11g Release 1 (11.1.1), the Revoke if no longer applies option works not only at the account level but also at the entitlement level, so that entitlements are not revoked when the option is not selected. For this enhancement to work, you must set the value of the "XL.AccessPolicyRevokeIfNoLongerAppliesEnhancement" system property to true.
When the value of the "XL.AccessPolicyRevokeIfNoLongerAppliesEnhancement" system property is true, the Revoke if no longer applies option is relabeled Revoke resource and entitlements if no longer applies. When the value of the system property is false, the Revoke if no longer applies option keeps its original name. In both cases the option is selected by default. Note that with the enhancement enabled and the option cleared, entitlements provisioned by a policy persist after the policy stops applying to a user, so such policies deserve periodic review to avoid stale access. For more information about this system property, see "Administering System Properties" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
When policy data is updated or
deleted. This includes both parent and child form data. Policies are evaluated
for all applicable users.
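The interaction between the Retrofit flag, the per-resource Revoke if no longer applies option and the XL.AccessPolicyRevokeIfNoLongerAppliesEnhancement property is easier to see when the three cases are run side by side. The following is an added toy model, not Oracle Identity Manager code: the classes and functions (Resource, Policy, User, evaluate, demo), the user "alice", the role "Finance" and the AD group DN are all constructed for the illustration. It models only the scheduled-task pass described above; the evaluation OIM performs on a role-membership change is not modelled.

```python
"""Toy model of one Evaluate User Policies pass over an OIM access policy.

Added illustration, not Oracle Identity Manager code. Names below are invented.
It exercises two flags from the text:
  * Policy.retrofit - apply the policy to users who already held one of its
    roles when the policy was created;
  * Resource.revoke_if_no_longer_applies, whose effect on entitlements depends
    on the XL.AccessPolicyRevokeIfNoLongerAppliesEnhancement property.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Resource:
    name: str
    entitlements: frozenset            # child-form data, e.g. AD group DNs
    revoke_if_no_longer_applies: bool


@dataclass
class Policy:
    name: str
    roles: frozenset
    resources: tuple
    retrofit: bool
    members_at_creation: frozenset     # users holding a policy role at creation


@dataclass
class Account:
    policy: str                        # policy that provisioned this account
    entitlements: set


@dataclass
class User:
    login: str
    roles: set
    accounts: dict = field(default_factory=dict)   # resource name -> Account


def applies_to(user, policy):
    """The policy applies if the user holds one of its roles; with Retrofit
    off, users who already held the role at creation are skipped."""
    if not (user.roles & policy.roles):
        return False
    return policy.retrofit or user.login not in policy.members_at_creation


def evaluate(user, policy, enhancement):
    """One scheduled-task pass of `policy` over `user`.  `enhancement` is the
    value of XL.AccessPolicyRevokeIfNoLongerAppliesEnhancement.
    Returns the list of provisioning/revocation actions taken."""
    actions = []
    applies = applies_to(user, policy)
    for res in policy.resources:
        acct = user.accounts.get(res.name)
        if applies:
            if acct is None:
                user.accounts[res.name] = Account(policy.name, set(res.entitlements))
                actions.append(f"provision {res.name} with {sorted(res.entitlements)}")
            else:
                missing = res.entitlements - acct.entitlements
                if missing:
                    acct.entitlements |= missing
                    actions.append(f"add {sorted(missing)} on {res.name}")
        elif acct is not None and acct.policy == policy.name:
            # The policy ceased to apply to an account it had provisioned.
            if res.revoke_if_no_longer_applies:
                del user.accounts[res.name]
                actions.append(f"revoke account {res.name} and its entitlements")
            elif not enhancement:
                # Pre-enhancement behaviour: entitlements go, account stays.
                acct.entitlements.clear()
                actions.append(f"revoke entitlements on {res.name}, keep account")
            else:
                # Enhanced behaviour: option cleared means nothing is revoked.
                actions.append(f"keep {res.name} and its entitlements")
    return actions


def demo(enhancement, retrofit=True):
    """Walk a constructed user through a retrofit run and then loss of the
    role.  Returns each step's actions plus the final account state."""
    alice = User("alice", {"Finance"})                    # existing role member
    ad = Resource("AD User", frozenset({"CN=Fin-RO,OU=Groups"}),
                  revoke_if_no_longer_applies=False)
    policy = Policy("Finance AD access", frozenset({"Finance"}), (ad,),
                    retrofit=retrofit, members_at_creation=frozenset({"alice"}))
    steps = {"retrofit run": evaluate(alice, policy, enhancement)}
    alice.roles.discard("Finance")                       # policy no longer applies
    steps["after role removed"] = evaluate(alice, policy, enhancement)
    steps["final"] = {r: sorted(a.entitlements) for r, a in alice.accounts.items()}
    return steps


if __name__ == "__main__":
    for enh in (False, True):
        print(f"enhancement={enh}: {demo(enh)}")
    print(f"retrofit=False: {demo(True, retrofit=False)}")
```

Running it shows the three outcomes the text describes: with the enhancement property false the AD group is stripped but the account stays, with it true both survive because the option was cleared, and with Retrofit off the existing role member is never provisioned by the scheduled run at all.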
For more details follow the
Oracle website-