Closed-loop remediation is a feature that allows you to directly revoke roles, application accounts, and entitlements from the provisioning solution as a result of roles and entitlements revoked during the certification process.
When a certification is complete and all primary review tasks have been signed off, Oracle Identity Manager attempts to remove every user and privilege for which the final decision was to revoke. Requests are created to de-assign any role-assignment that is revoked, to de-provision any account that is revoked, to remove any entitlement-assignment that is revoked, and to delete or disable any user that is revoked. Specifically:
Revoking a user deletes/disables the user and removes all privileges of that user.
Revoking a user's role-assignment removes that member from the role. This might eventually cause provisioning to remove accounts and entitlement-assignments granted by the role (if those accounts and entitlement-assignments are not otherwise granted to the user.)
Revoking a user's account deletes/disables the account. This implicitly removes/disables any entitlement-assignments associated with that account.
Revoking a user's entitlement-assignment removes the assignment from the account that contains it.
The remediation status can be tracked in the request catalog for auditing purposes. Each remediation-request contains the certification ID of the certification that spawned the request, which allows the Dashboard to link to the Track Requests page of Oracle Identity Self Service to display the status of all the requests associated with the certification that is being displayed.