Hello,
I am writing here in case anyone has any idea or knows what is happening.
Basically, I would like to clean up a group of old roles, but I would like to ensure no user has them assigned anymore.
So what I did is I created an LDAP query to recognize them all (circa 500). Then I used the results of that query (let's say every DN result is x) to check if there are any nrfRequest objects (nrfSourceDN=x).
I found just one object that was even from a few days ago (most of the requests should be only for max 14 days).
Now, just to double-check, I remembered that there is also the nrfAssignedRoles attribute value for approved roles, so I checked that as well (nrfAssignedRoles=x#0#*). What puzzles me here is that I got 500+ users that still have the old roles assigned, although I have only found one request object tied to only one user.
There is a possibility that the requests made were not temporary, but still, I would expect nrfRequest objects to exist for those requests and not get cleaned up. I also double-checked, and those users have the corresponding entitlements to old roles...
Thank you in advance for any comments
Kind regards
Žan