IGA business role membership expressions

Hi,

Is it possible in a business role membership expression to exclude all members of another business role?

I have a use case which requires that a user is added to only one of the business roles. Since these business roles have similar criteria, the users can end up in more than one role, which isn't desired in this case. There are several options in the membership expression to include or exclude a user or group; there is even one to include members of another business role, but I couldn't find anything to exclude one. Has anyone had a similar use case, and what have you done to achieve this?

  • Verified Answer

    +1  

    Hi Saifee,

    Well, it depends. Generally, there is no way to explicitly exclude (other) BR members directly in a BR definition.

    But you could try the following:

    First option (and probably the best) would be to tweak your BR membership criteria to better target only those users who should really be members of the role(s), to reduce overlap.

    Second option would be to exclude criteria at the user attribute level in the membership expressions, e.g. via a "NONE/NOT" comparison.

    Third option would be to define "SoD" policies that prevent unwanted BR combinations from a business point of view. A very simple example could be the following:

    Whereas SoDs typically make the most sense at a permission level...

    Best regards,
    Philipp
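Added illustration of the second and third options in the answer above. It is not part of the thread and not Identity Governance code: the expression format (a list of attribute/operator/value terms), the role names, the attributes and the sample users are all made up here to show how a NOT-style term makes two similar roles disjoint and how an SoD-style policy flags users who still hold both.

```python
# Added illustration for the thread above: NOT Identity Governance code or its
# membership-expression syntax. The expression format, role names, attribute
# names and sample users below are all made up for this example.

# Constructed sample identities (hypothetical attribute values).
USERS = [
    {"id": "u1", "dept": "Finance", "title": "Analyst", "location": "Berlin"},
    {"id": "u2", "dept": "Finance", "title": "Manager", "location": "Berlin"},
    {"id": "u3", "dept": "Finance", "title": "Analyst", "location": "London"},
    {"id": "u4", "dept": "HR",      "title": "Analyst", "location": "Berlin"},
]


def matches(expr, user):
    """Return True when every (attribute, operator, value) term holds for the user.

    Terms are ANDed. Operators: "eq", "not_eq" (the NOT-style exclusion),
    "in", "not_in".
    """
    for attr, op, value in expr:
        actual = user.get(attr)
        if op == "eq" and actual != value:
            return False
        if op == "not_eq" and actual == value:
            return False
        if op == "in" and actual not in value:
            return False
        if op == "not_in" and actual in value:
            return False
    return True


def members(roles, users):
    """Compute role name -> set of user ids for every business role."""
    return {name: {u["id"] for u in users if matches(expr, u)}
            for name, expr in roles.items()}


def overlaps(roles, users):
    """Users that land in more than one role, mapped to the sorted list of those roles."""
    assigned = members(roles, users)
    result = {}
    for u in users:
        hits = sorted(r for r, ids in assigned.items() if u["id"] in ids)
        if len(hits) > 1:
            result[u["id"]] = hits
    return result


# Two roles with similar criteria: u1 (Finance, Analyst, Berlin) satisfies both.
ROLES_OVERLAPPING = {
    "Finance Berlin":   [("dept", "eq", "Finance"), ("location", "eq", "Berlin")],
    "Finance Analysts": [("dept", "eq", "Finance"), ("title", "eq", "Analyst")],
}

# Second option: make the criteria disjoint at the attribute level by adding a
# NOT term to one role, so no user can satisfy both expressions.
ROLES_DISJOINT = {
    "Finance Berlin":   [("dept", "eq", "Finance"), ("location", "eq", "Berlin")],
    "Finance Analysts": [("dept", "eq", "Finance"), ("title", "eq", "Analyst"),
                         ("location", "not_eq", "Berlin")],
}

# Third option: an SoD-style policy listing role pairs that must not co-occur.
SOD_POLICIES = [("Finance Berlin", "Finance Analysts")]


def sod_violations(assigned, policies):
    """Return (user_id, (role_a, role_b)) for each user holding a forbidden pair."""
    violations = []
    for role_a, role_b in policies:
        both = assigned.get(role_a, set()) & assigned.get(role_b, set())
        for uid in sorted(both):
            violations.append((uid, (role_a, role_b)))
    return violations


if __name__ == "__main__":
    print("overlapping roles:", overlaps(ROLES_OVERLAPPING, USERS))
    print("disjoint roles:   ", overlaps(ROLES_DISJOINT, USERS))
    print("SoD violations:   ",
          sod_violations(members(ROLES_OVERLAPPING, USERS), SOD_POLICIES))
```

With the overlapping definitions, u1 is a member of both roles and the SoD check reports it; with the NOT term added, u1 stays only in "Finance Berlin" and the overlap disappears. The same check run regularly against the real role membership is the practical way to prove that tightened criteria actually removed the overlap rather than assuming it.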