I believe if you have automatic fulfillment assigned to that particular role/application it should trigger the respective role/applications fulfillment method. 

Thanks Nihii,

But I do not see anyplace to setup Role fulfillment?Am I missing something?

If the user is removed from the Business Role the application fulfillment kicks in and works as expected. But I have not found a way to automate the Role fulfillment?

Aren't business role assignments based on attributes of the user?   If someone shouldn't be in a business role, shouldn't one of their attributes change?   How are you assigning business role membership?

--Jim

Hi Jim,

In this case the users are assigned directly to the Business Role by "Included Users."
I do know there is an option to use "Membership expression" for Business Role membership. But either way I am not sure how it is possible to do automatic fulfillment?

When doing a business role membership review and the reviewers decision is to remove the users from the business role, I am not seeing a way to configure fulfillment. My thought would be the fulfillment could be configured to either remove the directly assigned user or change an attribute that results in the Membership expression match.

-Thanks, Tony

I think I undertand what you are trying to get at.   I look at business roles as a policy type  of object.  If the identity has certain attributes that makes the policy apply, then they get the authorizations.  They make the reviews easier, when certain circumstances outside of IG occur (when an identity attribute fits a criteria).   

There is a "remove business role from user" fulfillment type, but I'm not sure how that would be used - I'm not aware of any of the out of box fulfillers that can perform that fulfillment type.   I'm guessing the business role review targets a user object (not an account, since business roles are only held by identities/users), and on its revocation, this fulfilment type would go to one of the fulfillers assigned on the catalog update setup tab in fulfillment configuration?  ?   I'm not sure where that remove business role from user type would expose itself, or who would handle it for the identity source.

Here is a thought though - Since you want to assign/revoke the business role to/from users, what if you made it a group in your identity source, and you collected that group (as a group) on the identity collector.  Then you could make business role membership use the criteria of that group membership.    Separately, but in parallel, you might-could collect the same group as a permission in an application collector.  When a review of that permission sees a revoke happen, the fulfiller should be able to remove the group membership.  Then on next identity collection, the user isn't in the group, and the business role membership should be removed.

I don't think that's how any of that is intended to work, but it just might, if you are set on using a business role.

--Jim