Birthright Access

Birthright access refers to a set of default permissions automatically granted to users using Oracle Access Governance automated policies to ensure new joiners have essential access before or at the start of employment..

Oracle Access Governance grants birthright access to

• Prehire: Start date is in the future.
• Hire: Start date is now or in the past; not terminated.

Employee State	AG Status	Status (from Authoritative Source)	Join Date (from Authoritative Source)	Termination Started	Termination Date (from Authoritative Source)
Prehire	AG Active	Disabled	Greater than today	FALSE	Greater than today
Hire	AG Active	Active	Less than or equal to today	FALSE	Greater than today

Prerequisites

Ensure the following prerequisites to grant birthright access from Oracle Access Governance:

1. The Authoritative source must include employee attributes, including the official Joining date or Start date
2. Create system attribute and global identity attribute to fetch source value
3. The Authoritative source must include termination date or last working date orchestrated system attribute.
4. Create a global AG identity attribute terminated
5. Set Workforce/Consumer conditions for activation

Step 1: Create System Attribute and Global Identity Attribute for JoinDate

1. Create a simple system attribute joinDate and map it to the joining date source, such as startDate. See Create System Attribute.
2. Now, go to the Identity Attributes page and search joinDate core identity attribute. Edit the core identity attribute to select the relevant orchestrated system and update the Value source with a single attribute rule, such as:

   if (user.getCustomAttributes() != null) 
   { user.getCustomAttributes()['startDate'] }
   

   See Manage Attributes Settings.

Step 2: Create a Global Identity Attribute to Exclude Terminated Users

Create an AG Attribute, terminated, for policies that grant birthright access prior to the joinDate in order to exclude terminated users from being assigned permissions via these policies. Here terminationDate is the last working date source from your Authoritative source.

1. Go to the Identity Attributes page and create a internal AG Attribute, terminated, of type Boolean. For details, see Create an Oracle Access Governance Attribute.
2. Use the single attribute rule to compare terminationDate with today. If terminationDate is less than or equal to today, it returns true; otherwise, it returns false, such as:

   if( user.getStatus() == 'Disabled' && user.getCustomAttributes() != null && user.getCustomAttributes()['terminationDate'] != null ) 
   { var currentDate=new Date(); 
   var today = new Date(currentDate.getFullYear(),currentDate.getMonth(),currentDate.getDate(),23,59,59,999); 
   var terminationDate = new Date(user.getCustomAttributes()['terminationDate']); 
   if(terminationDate <= today) 
   { true } 
   else { false } 
   } 
   else { false } 

3. Select appropriate identity flags to include this attributes in the Oracle Access Governance features

Step 3: Configure Workforce/Consumer Activation Rules

Go to the Manage Identities page and set the following activation rules:

• For Active users:

  Status In Active Disabled

• For Consumer users:

  Status Equals Disabled

Birth Right Access Workflow

You can configure birthright access from Oracle Access Governance by creating identity collections, packaging permissions in an access bundle, and then configuring policies to ensure new hires have essential access before or at the start of employment.

1. Create an Identity Collection based on membership rules. See Create Identity Collections.
   1. For users to grant access on or after start date.

      Status Equals Active
      Worker Type Equals Employee

   2. For pre-hires to grant access before the start date

      {JoinDate} Number of days before {10}
      {Terminated} Equals {False}

      Note:

      • To grant access on or after the start date, you must add a condition Status Equals Active.
      • If you configured your policy using today(), then each day, an in-house scheduler adds new member who meet the membership criteria. Based on the configuration, the policy is triggered every day at midnight.
2. Create an Access Bundle and package access to necessary permissions. For example, access to default collaboration tools. See Create Access Bundle.
3. Create a policy and associate the permissions part of the access bundle with identity collection. See Create a Policy.

Pre-hire Example

Let's understand complete birthright access workflow for pre-hires, where access should be granted before the start date.

Alice is expected to join Acme Corporation on March 20. As an AG_Administrator and AG_AccessControl_Admin , grant the following:

1. Ensure you configure the prerequisites to activate workforce rules and ingest start date in the joinDate core attribute.
2. Create an identity collection with the membership rule:

   {JoinDate} Number of days before {10}
   	{Terminated} Equals {False}

3. Package permissions in an access bundle for the default collaboration or enterprise tools. You can further configure to ensure No one can request this access bundle and should be granted only using policy.
4. Create a policy and associate the permissions part of the access bundle with identity collection.

For Alice, if join date is March 20, the policy is triggered on March 10 to grant birthright access.

Validating the Configuration

Verify if the set up is correct.

1. From System Administration, select Identity Attributes, and then enable Include in identity details and Include in manage identities flag for the following identity attributes: status, startDate, joinDate, terminated, terminationDate, and terminationStarted.
2. From Who has access to what, select Enterprise wide browser, select identities, select Edit list settings, and then add the following attributes to the list settings: status, startDate, joinDate, terminated, terminationDate, and terminationStarted.
3. Validate the following for identities loaded from the Authoritative Source system:
   • The startDate and joinDate attributes must be set to the same value.
   • Identities with a startDate in the future and a terminationDate that is not set or is in the future must have the following values:
     • status=Disabled
     • AG status=Active
     • AG subtype=Consumer
     • terminated=false
   • Identities with a startDate in the past and a terminationDate that is not set or is in the future must have the following values:
     • status=Active
     • AG status=Active
     • AG subtype=Workforce
     • terminated=false
   • Identities with a terminationDate in the past must have the following values:
     • status=Disabled
     • AG status=Active or Inactive (depends on how the group is configured; if these are Oracle Access Governance Active identity collections for pre-hire policies, then it must have the terminated=false condition)
     • AG subtype=Consumer (if these identities are loaded to Oracle Access Governance, then it must be f type Consumers)
     • terminated=true

---

Title and Copyright Information

Copyright ©2026,2026,

Oracle and/or its affiliates.

Documentation Accessibility

For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.

Access to Oracle Support

Oracle customer access to and use of Oracle support services will be pursuant to the terms and conditions specified in their Oracle order for the applicable services.