Exclude indirect assignment from system role in exceptional use cases

Hello,

OIM version: 8.1.4

I am facing a problem and I would appreciate advice from the community.

Context
=======
I have defined a system role that contains a number of AD Groups. As part of a joiner flow new employees receive this system role based on a dynamic business role, and thus the AD Group memberships are an indirect assignment.

Problem
=======
In some exceptional cases one of the AD Groups (unfortunately not always the same AD group) that is part of the automatically assigned system role needs to be revoked for a specific employee (e.g. internet access, external mail access, ...). Since this assignment is indirect I cannot remove it, or I have to remove the system role assignment, which would also remove the remaining AD Groups.

Question
========
What would be the correct way to solve this problem?

Thank you in advance for your recommendations.

Regards,

Wilke

  • Hello Barry,

    If the entitlements are assigned as birthright, isn't this the same concept as a dynamic role? I was thinking to create a process to assign the role and ensure it is a direct assignment. I guess this role assignment can then later be removed and replaced by another role with the adjusted entitlements.

    Testing this out entails quite some modifications and therefore I wanted to have first some advice.

    Thank you for your support.

    Regards,

    Wilke

  • Hi Wilke,

    Yes of course .... I meant assigned as birthrights by some mechanism you design .... not using the OOB birthrights app role.

    So as you say you'll have to come up with a way of assigning the entitlements if you want to be able to remove them individually.

    Perhaps create an IT Shop product that has all the entitlements as dependent products?

    Auto-create an order for the main product which generates orders for the sub-products.

    You could then abort singly the sub orders.

    HTH, Barry.