On IdM 4.7.4 (netiq-DXMLrrsd-4.7.4-1), eDir 9.2.1
Perhaps someone can come up with an idea here.
The client has a lot of roles, which need to be "remade".
They are using resources/entitlements, which join users to groups via dynamic resources.
The steps involved:
1) Make sure the driver with entitlements does not disjoin users from the group (disabled the rule that does that)
2) Delete the old roles
3) Make the new role with a new resource entitlement combination
4) Join group members to the new role
The issue is in step 2.
When a role is deleted, we see a modify event on the RRS driver:
<modify cached-time="20210125111656.652Z" class-name="nrfResourceAssociation" event-id="idv04#20210125111656#1#18:17f20282-f4c9-41e8-83e8-8202f217c9f4" qualified-src-dn="O=top\OU=system\CN=IDMDriverSet01\CN=ua01\CN=AppConfig\CN=RoleConfig\CN=ResourceAssociations\CN=20160516183428-8ccb947e3e3b42a59a753f180b150568" src-dn="\IDVTREE\top\system\IDMDriverSet01\ua01\AppConfig\RoleConfig\ResourceAssociations\20160516183428-8ccb947e3e3b42a59a753f180b150568" src-entry-id="77623" timestamp="0#0">
<value timestamp="1463416468#74" type="dn">\T=IDVTREE\O=top\OU=system\CN=IDMDriverSet01\CN=ua01\CN=AppConfig\CN=RoleConfig\CN=RoleDefs\CN=Level10\CN=requestable\CN=admnetrequestable\CN=application\CN=1DBFEF65F539B2D646F6D9C39A792D01</value>
This event typically takes around 2-3 minutes to process, even when the role has only been assigned to 2 users.
On top of that, the process of handling the delete value on the users and deleting the roles themselves comes on top of this.
We have a lot more than 1000 roles we need to do this with.
For 1000 roles, it will take several days to process.
The main issue being the modifyResource association event.
The transactions will sort of stack up, and no one else will be able to get any events through the RRS driver, which is devastating for the client's business.
Does anyone have an idea on how this could be done in a sane way, without compromising the client's system for weeks?