Exclude indirect assignment from system role in exceptional use cases

Hello,

OIM version: 8.1.4

I am facing a problem and I would appreciate advice from the community.

Context
=======
I have defined a system role that contains a number of AD Groups. As part of a joiner flow new employees receive this system role based on a dynamic business role, and thus the AD Group memberships are an indirect assignment.

Problem
=======
In some exceptional cases one of the AD Groups (unfortunately not always the same AD group) that is part of the automatically assigned system roles needs to be revoked for a specific employee (e.g. internet access, external mail access, ...). Since this assignment is indirect I cannot remove it, or I have to remove the system role assignment, which would also remove the remaining AD Groups.

Question
========
What would be the correct way to solve this problem?

Thank you in advance for your recommendations.

Regards,

Wilke

  • You should be able to use Group/ESet exclusions for this (ADSGroupExclude or ESetExcludesESet).

    For all Groups that might get excluded create an extra pair of ESets, a "GroupESet" and a "RemoveESet". Configure the RemoveESet to exclude the GroupESet, and assign the GroupESet to your main SystemRole (or Business Role) instead of the group directly.
    For the identity that should be excluded, also assign the "RemoveESet". That should suppress the assignment of the ADGroup.

    You can do the exclusion on the AD-Group level instead of ESet. But then you need that extra removeGroup in AD itself. But it might be feasible if there is some ADGroup for it already.

    PS: I would like some condition on the BaseTree/ESet assignment tables for conditional inheritance. That would solve many similar use cases. But still waiting....
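As an added illustration (not One Identity Manager code, and not written by the answer's author), a small Python model of the GroupESet / RemoveESet pattern described above. The resolution rule and all ESet, role, group and identity names are assumptions constructed for the example; it checks that assigning the RemoveESet to one identity removes only the targeted group while the rest of the system role stays intact.

```python
# Simplified model (an assumption) of the "GroupESet / RemoveESet" pattern.
# Not One Identity Manager code; it only mimics the exclusion behaviour the
# answer relies on, with constructed sample data.

# ESet -> AD groups it contains (constructed sample data)
ESET_GROUPS = {
    "GroupESet_Internet": {"AD_Internet"},
    "GroupESet_ExtMail": {"AD_ExternalMail"},
    "GroupESet_Intranet": {"AD_Intranet"},
    "RemoveESet_Internet": set(),  # carries no groups, only an exclusion
}
# ESet -> ESets it excludes (models the rows one would put in ESetExcludesESet)
ESET_EXCLUDES = {"RemoveESet_Internet": {"GroupESet_Internet"}}
# system role -> ESets assigned to it instead of the AD groups directly
ROLE_ESETS = {
    "SR_Joiner": {"GroupESet_Internet", "GroupESet_ExtMail", "GroupESet_Intranet"},
}
# identity -> system roles (in the question these come via a dynamic business role)
IDENTITY_ROLES = {"alice": {"SR_Joiner"}, "bob": {"SR_Joiner"}}
# identity -> directly assigned ESets; bob is the exceptional case
IDENTITY_ESETS = {"bob": {"RemoveESet_Internet"}}


def effective_groups(identity: str) -> set[str]:
    """Resolve the AD groups an identity ends up with under this model."""
    esets = set(IDENTITY_ESETS.get(identity, set()))
    for role in IDENTITY_ROLES.get(identity, set()):
        esets |= ROLE_ESETS.get(role, set())
    # every ESet the identity holds suppresses the ESets it excludes
    suppressed: set[str] = set()
    for eset in esets:
        suppressed |= ESET_EXCLUDES.get(eset, set())
    groups: set[str] = set()
    for eset in esets - suppressed:
        groups |= ESET_GROUPS.get(eset, set())
    return groups


if __name__ == "__main__":
    for who in ("alice", "bob"):
        print(who, sorted(effective_groups(who)))
```

Running it shows alice with all three groups and bob with everything except AD_Internet, which is the outcome the answer describes.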
