Regarding dynamic roles provisioning and deprovision control

Hello All,

I am using a dynamic role in order to provision users based on a particular attribute value; however, if a user no longer has this value, I do not want the dynamic role to trigger a deprovision and the user to lose the account definition. Is there a way to create a dynamic role such that it can only provision? Is it also possible to create a dynamic role that will only deprovision if certain logic criteria are met? If not possible, what are some ways this issue can be addressed where you want users to be automatically provisioned based on one attribute, and not deprovisioned based on that same attribute? And then another process where deprovisioning can happen automatically, but separately?

Thanks for any suggestions

  • Hi,

    One customer I know added a boolean flag to the account definition called 'Retain account on account definition removal'.  They then modified the PersonHasTSBAccountDef_AutoDeleteAccount (name NOT correct) process to only disable the account if the acc def is removed and this flag is set ...... otherwise do normal processing.  In doing this when the Acc Def is removed the account is disabled but retained.  Other custom processes are used to delete/remove the account after a set period or other criteria.

    Perhaps this is what you need?

    Regards, Barry.

  • Do not use a dynamic role, but a normal one, and assign the user via a process chain listening on the INSERT or UPDATE event on the person with the generation condition that the particular attribute has changed to your desired value.

    Way easier than messing with the intended behavior of the dynamic role.