I am using a dynamic role in order to provision users based on a particular attribute value, however, if a user no longer has this value, I do not want the dynamic role to trigger a deprovision, the user and lose the account definition. Is there a way to create a dynamic role such that it can only provision? Is it also possible to create a dynamic role that will only deprovision if certain logic criteria is met? If not possible what are some ways this issue can be address where you want users to be automatically provisioned based on one attribute, and not deprovioned based on that same attribute? And then another process where deprovisioning can happen automatically, but separate?
Thanks for any suggestions