Oracle Access Governance (AG) continues to evolve with new capabilities that help organizations improve identity security, automate access lifecycle processes, and manage access governance across a broader set of enterprise systems.
As identity environments become more complex, security and business teams need governance processes that are not only periodic, but also responsive to business events. A new hire may need access before the joining date. A departing employee may need access revoked before the final termination date. A department, location, or manager change may need a focused access review. Identity data may also come from multiple trusted systems, requiring better ways to ingest, correlate, and govern that data.
The latest AG updates address these needs across four key areas:
- Birthright Access and Early Termination
- Global Account Termination Settings
- Event-Based Micro-Certification
- Identity Orchestration Updates
Together, these enhancements help organizations align access governance more closely with business events, reduce manual effort, and improve visibility across identities, accounts, and access.
Birthright Access and Early Termination
Joiner and leaver processes are not always as simple as “grant access on start date” and “revoke access on termination date.” In many organizations, employees need access before their official joining date so that they are productive on day one. Similarly, in early termination, notice period, or garden leave scenarios, access may need to be revoked before the final termination date.
AG now supports birthright access assignment based on joining date and early termination handling before the final termination date. Administrators can use lifecycle attributes from the authoritative source to drive access provisioning and deprovisioning. Access can be assigned using Identity Collections, Access Bundles, and Policies, enabling policy-driven lifecycle automation.

(Screenshot: PBAC based on joining date)
With this update, organizations can support pre-hire access scenarios and early access revocation without relying only on manual intervention.
Key capabilities include:
- Assign birthright access based on joining date
- Support policy-based access provisioning for pre-hires
- Enable access provisioning before the employee’s joining date
- Revoke access before the final termination date when early termination applies
- Use lifecycle attributes from the authoritative source to drive provisioning and deprovisioning
Benefits:
- Improves day-one readiness for new hires
- Aligns identity lifecycle automation with business-effective dates
- Reduces security risk by revoking access before the final termination date when required
- Reduces dependency on manual joiner and leaver handling
Global Account Termination Settings
Termination handling needs to be consistent, but it also needs flexibility.
Some organizations may want to disable accounts when early termination begins and delete accounts at final termination. Others may want no action for certain applications because those systems have separate business or regulatory processes. In larger enterprises, termination behavior may also vary by user population, geography, worker type, or managed system.
AG now provides Global Account Termination Settings to define centralized account termination behavior across managed systems.

(Screenshot: Global Account Termination settings)
Administrators can configure what should happen to managed accounts during early termination and final termination. Supported actions include disabling accounts, deleting accounts, or taking no action. Administrators can also define override rules for selected managed systems and user populations so that business-specific exceptions can be handled without changing the global policy. This gives organizations a centralized way to manage termination behavior while still supporting exceptions where needed.
(Screenshot: Global Account Settings)
Key capabilities include:
- Apply centralized termination behavior across managed systems
- Configure actions for early termination and final termination
- Support different account lifecycle actions at termination start and termination end
- Use policy-driven account actions to reduce manual termination handling
- Support override rules for selected managed systems and user populations
- Handle business-specific offboarding exceptions through global and override settings
Benefits:
- Centralizes termination handling across managed systems
- Supports phased offboarding strategies
- Reduces residual access risk during employee exit
- Allows exceptions for applications or user populations with different business needs
Event-Based Micro-Certification
Periodic access reviews remain important, but some access changes should be reviewed when the business event happens. For example, when an employee changes department, manager, location, job role, or another key identity attribute, the user’s existing access may no longer be appropriate. Waiting until the next quarterly or annual campaign may leave unnecessary access in place for too long.
AG now enhances event-based micro-certification so that administrators can trigger focused access reviews when selected identity attributes change. Administrators can configure an event-based review, select the identity population using attribute values, narrow the review scope to specific applications, roles, or permissions, and use a different workflow for each event configuration. This makes access reviews more timely and more focused.

(Screenshot: Event-based micro certification setup)
Key capabilities include:
- Trigger access reviews when selected identity attributes change
- Support event-based setup using core and custom identity attributes
- Enable multiple event definitions for the same attribute based on different value changes
- Refine the review population using attribute values
- Refine review scope to specific applications, roles, or permissions
- Support distinct workflows for each event configuration
Benefits:
- Helps review access at the time of a joiner, mover, or leaver event
- Reduces dependency on periodic campaigns for event-driven access risk
- Reduces certification fatigue by creating review tasks only for affected identities
- Enables different workflows for different business scenarios
Identity Orchestration Updates
Identity governance depends on the quality of identity and account data. Organizations need to know where identities come from, how attributes are maintained, how accounts are correlated, and which systems are governed.
The latest AG updates improve identity orchestration in three areas:
- Authoritative source configuration for identity attributes
- Identity and account correlation modes
- New integrations
Authoritative Source as Source of Identity Attributes
Many enterprises do not have one single system that owns every identity attribute. One system may create the primary identity record, while other trusted systems may contribute additional attributes such as department, location, worker type, job data, project details, or business-specific attributes.
AG now provides more flexibility in how authoritative sources are configured. Administrators can configure an authoritative source as either:
- a source of identities and attributes, or
- a source of identity attributes only
This means one system can remain responsible for identity creation, while additional trusted systems can contribute identity attributes without requiring full identity ingestion.

(Screenshot: Orchestrated System configuration as source of identities only)
Key capabilities include:
- Enable an authoritative source to contribute identity attributes without full identity ingestion
- Support one system for identity lifecycle and other systems to contribute identity attribute values
- Extend existing identities with attributes from additional trusted sources
Benefits:
- Supports multi-source enterprise identity systems
- Improves the identity profile while reducing duplicate identity risk
- Provides greater administrative flexibility in source system modeling
- Helps organizations use trusted identity data from more than one system
Identity and Account Correlation Modes
Identity and account correlation is foundational to access governance. If accounts are not correctly associated with identities, it becomes harder to review access, automate lifecycle actions, provision access, and report on who has access to what.
AG now gives administrators more control over how matching rules are applied during data ingestion.
Matching rule modes include:
- Enable
- Enable for new
- Disable
These modes apply to both identity correlation and account matching.
With Enable, matching rules are applied broadly, including re-evaluation of existing matched records. With Enable for new, matching is applied only to newly ingested records while preserving existing matches. This helps administrators introduce updated matching logic without disturbing established correlations. With Disable, existing matches are preserved, but new automatic matching is not performed.
AG also provides visibility into identities synchronized from authoritative sources and accounts reconciled from managed systems, including their correlation status.
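The three modes can be modelled in a few lines to show what an updated matching rule does to established correlations. This is an added illustration, not Oracle code or an AG API: the data, the `correlate` function and the employee-number rule are constructed, and it assumes that Enable replaces an existing match with whatever the rule returns.

```python
from enum import Enum

class Mode(Enum):
    ENABLE = "Enable"
    ENABLE_FOR_NEW = "Enable for new"
    DISABLE = "Disable"

# Constructed sample data: identities from an authoritative source.
IDENTITIES = {
    "id-100": {"email": "a.rao@example.com", "emp_no": "E100"},
    "id-200": {"email": "b.lee@example.com", "emp_no": "E200"},
    "id-300": {"email": "c.diaz@example.com", "emp_no": "E300"},
}
# Constructed accounts reconciled from a managed system.
ACCOUNTS = {
    "acct-1": {"email": "a.rao@example.com", "emp_no": "E200"},  # stale emp_no
    "acct-2": {"email": "b.lee@example.com", "emp_no": "E200"},
    "acct-3": {"email": "c.diaz@example.com", "emp_no": "E300"},  # newly ingested
}
# Correlation state from earlier loads (matched under an older email rule).
PRIOR = {"acct-1": "id-100", "acct-2": "id-200"}

def match_by_emp_no(account):
    """Updated matching rule (hypothetical): correlate on employee number."""
    for identity_id, attrs in IDENTITIES.items():
        if attrs["emp_no"] == account["emp_no"]:
            return identity_id
    return None

def correlate(mode, rule, accounts, prior):
    """Return account -> identity (or None) after one ingestion run."""
    result = {}
    for acct_id, account in accounts.items():
        is_new = acct_id not in prior  # not seen in any earlier load
        if mode is Mode.ENABLE or (mode is Mode.ENABLE_FOR_NEW and is_new):
            result[acct_id] = rule(account)       # rule is (re-)evaluated
        else:
            result[acct_id] = prior.get(acct_id)  # keep prior state as-is
    return result

def changed_matches(mode):
    """Existing correlations the run would alter: the list to review first."""
    after = correlate(mode, match_by_emp_no, ACCOUNTS, PRIOR)
    return {a: (PRIOR[a], after[a]) for a in PRIOR if PRIOR[a] != after[a]}

if __name__ == "__main__":
    for mode in Mode:
        print(mode.value, correlate(mode, match_by_emp_no, ACCOUNTS, PRIOR),
              "changed:", changed_matches(mode))
```

In this constructed data, only Enable moves `acct-1` to a different identity, which is the unintended re-matching that Enable for new avoids while still correlating the newly ingested `acct-3`.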

(Screenshot: Identity and Account Correlation modes)
Key capabilities include:
- Control how matching rules are applied during data ingestion
- Provide visibility into identities and accounts ingested from integrated systems
Benefits:
- Provides greater control over how correlation rules are applied during ingestion
- Reduces unintended re-matching during recurring data loads
- Supports safer rollout of updated matching rules
New Integrations
AG continues to expand integration coverage so customers can govern more applications and systems from a centralized identity governance platform.
The latest updates include new integrations with:
- Palo Alto Networks Prisma Cloud
- Oracle Warehouse Management Cloud
- Oracle Utilities WACS
- Oracle Utilities CCS
These integrations expand AG coverage across cloud security, warehouse management, and utility applications. They also continue the broader direction of enabling governance across both Oracle and non-Oracle workloads.
Benefits:
- Extends access governance to more enterprise applications
- Helps customers centralize visibility and governance across additional systems
- Supports identity orchestration across a broader application landscape
Bringing It Together
These updates strengthen Oracle Access Governance across lifecycle automation, access reviews, and identity orchestration.
Birthright Access and Early Termination help organizations align access provisioning and revocation with business-effective dates. Global Account Termination Settings provide centralized control over offboarding behavior, with flexibility for exceptions. Event-Based Micro-Certification helps teams review access when important identity changes happen. Identity Orchestration updates improve how identity data is sourced, matched, and governed across integrated systems.
Together, these capabilities help organizations reduce manual effort, improve security, and make identity governance more responsive to real business events.