Hola,
One of the use cases we are looking to establish is to replace our current query based AD group memberships with Business Roles. The concept of configuring a pair of Business Roles and setting the other as a conflicting role is pretty straight forward.
Lets take the most basic use case often leveraged in this scenario. Say, we want to create a constraint against being both a member of an Accounts Payable vs Receivable role.
When A user requests this, a violation is triggered, and if configured an exception can be granted based on approval. Okgreat, easy peasy.
There is another scenario however where you do not necessarily want to grant an exception, but instead would like to remove the current membership to any conflicting roles if the new role was approved.
We have a scenario where certain application configurations are delivered based on a group membership. Membership in both groups would create a conflict in the app config, breaking the access.
A constraint based on Biz Roles seems like a great start, but how would we consider approaching the alternative scenario that I have explained above?
Any insights would be greatly appreciated.
Thanks!
V: 7.1.2
