Known Issues for IAM without Identity Domains

Known issues have been identified in IAM without Identity Domains.

Security questions are not available as MFA factors

Details: Security questions as MFA factors are causing region subscription issues for cloud accounts that use IAM identity domains.
Workaround: Security questions as MFA factors are causing region subscription issues for cloud accounts that use IAM identity domains.

Details: Policy statements that reference a group or dynamic group by name remain valid even through changes to the group or dynamic group name. Any access granted to the group or dynamic group by its previous name persists. The policy continues to grant the members of the group or dynamic group access to resources without any changes to the policy statement itself. This happens because IAM applies the policy to the subject OCID rather than its name.
Workaround: Oracle strongly recommends that you update policy statements to stay current with intended group or dynamic group names or to reference subject OCIDs instead. Also delete any policy statements with outdated references that you no longer need.

Details: When a new permission is added to an existing resource-type, the permission is not propagated to any policies that include the resource-type. This happens because IAM does not recompile a policy unless there is a change to the policy statement.
Workaround: For any existing policies that use resource-types, when new permissions are added to the resource-type, edit the policy by adding a blank space. Then, save the policy.

Details: Deleted compartments continue to count against the compartment service limit for your tenancy. A deleted compartment is removed from the count after 90 days. This is also the setting that specifies the time period for deleted compartments to remain displayed in the Console.
Workaround: Until this issue is resolved, you can request to have your service limit increased for compartments. See Requesting a Service Limit Increase.