Mysterious password changes in OIM 11.1.2.3 and newer

There is a strange behavior of OIM 11.1.2.3, which appears to still be present in 12c, that causes unexpected password changes on accounts. Specifically, all encrypted fields on a parent UD table are set to NULL on access policy evaluation, which triggers any Password Updated-type provisioning actions. These will typically fail, resulting in an open task, because…