ALERT! The community will be read-only on April 19, 8am Pacific as the migration begins. Read more for important details.

Auto fulfillment Business Role membership

Idea ID 2866134

When doing a “Business Role Membership Review” and the decision is to revoke membership, a business role fulfillment request is generated and shows in fulfiller's manual queue.

But there is no way to automate this fulfillment; they must be manually removed from the Role. Looking for a way to automate Business Role fulfillment.

5 Comments
Commodore

I believe if you have automatic fulfillment assigned to that particular role/application it should trigger the respective role/application's fulfillment method.

Micro Focus Frequent Contributor

Thanks Nihii,

But I do not see any place to set up Role fulfillment? Am I missing something?

If the user is removed from the Business Role the application fulfillment kicks in and works as expected. But I have not found a way to automate the Role fulfillment?

Commodore

Aren't business role assignments based on attributes of the user? If someone shouldn't be in a business role, shouldn't one of their attributes change? How are you assigning business role membership?

--Jim

Micro Focus Frequent Contributor

Hi Jim,

In this case the users are assigned directly to the Business Role by "Included Users."
I do know there is an option to use "Membership expression" for Business Role membership. But either way I am not sure how it is possible to do automatic fulfillment?

When doing a business role membership review and the reviewer's decision is to remove the users from the business role, I am not seeing a way to configure fulfillment. My thought would be the fulfillment could be configured to either remove the directly assigned user or change an attribute that results in the Membership expression match.

-Thanks, Tony

Commodore

I think I understand what you are trying to get at. I look at business roles as a policy type of object. If the identity has certain attributes that make the policy apply, then they get the authorizations. They make the reviews easier, when certain circumstances outside of IG occur (when an identity attribute fits a criteria).

There is a "remove business role from user" fulfillment type, but I'm not sure how that would be used - I'm not aware of any of the out of box fulfillers that can perform that fulfillment type. I'm guessing the business role review targets a user object (not an account, since business roles are only held by identities/users), and on its revocation, this fulfillment type would go to one of the fulfillers assigned on the catalog update setup tab in fulfillment configuration? I'm not sure where that remove business role from user type would expose itself, or who would handle it for the identity source.

Here is a thought though - Since you want to assign/revoke the business role to/from users, what if you made it a group in your identity source, and you collected that group (as a group) on the identity collector. Then you could make business role membership use the criteria of that group membership. Separately, but in parallel, you might-could collect the same group as a permission in an application collector. When a review of that permission sees a revoke happen, the fulfiller should be able to remove the group membership. Then on next identity collection, the user isn't in the group, and the business role membership should be removed.

I don't think that's how any of that is intended to work, but it just might, if you are set on using a business role.

--Jim
