I was trying to automate a PBCS security update process where in I download existing security from PBCS, have the admin update specific groups xml files and then re-upload the security back to PBCS. The planning security download contains one xml file for each group that has been provisioned. The xml file contains the member level security that has been assigned to the group.
After a clean up of unwanted groups, I noticed that the planning security that gets exported also contained specific xml files for groups that had been deleted through access control. I also noticed that these groups were still present on the members on which they had been assigned as part of security setup. I removed the security manually and then re-exported the planning security. This time as well, the xml files were present however they did not contain the security definition.
You can recreate this issue with the below steps:
1. Create a new Group in Access Control and assign access to one of the members in any dimension
2. Export Security – You can see the newly created group in LCM export.
3. Now delete the group from Access Control
4. Export Security again – The group that was deleted, is still present in the LCM export.
I logged a call with Oracle Support and we concluded that this was a bug. A workaround (DOC ID 2077859.1) was given which is basically exporting a complete security back up using LCM and importing the same without any change. After this the new LCM export will not contain the deleted groups. Looks like an import operation was necessary to force the synchronization.
I guess an on-prem equivalent of “Remove Non-Provisioned Users/Groups” option is needed to force the synchronization and may be an epm automate command so the synchronization could be automated. Better still, would be to auto synchronize every time a group deletion was performed.