IG: Deprovisioning of granted Permissions by Business Role modification

KScherbach · ‎2018-02-09

IG 3.0 seems not to provide a mechanism that causes deprovisioning of a granted permission that is deleted from a Business Role. There must be a way to achieve this. Sample:

- Business Role BR authorizes Permission P1 and P2 and is configured for automatic provisioning
- P1 and P2 are configured for automatic grant and revoke
- all BR members have been provisioned with P1 and P2

- now P2 shall be removed from BR
- whatever you do today (delete P2, set P2 validity end date) will not deprovision P2 from the BR
members

Removing a Permission or Role or nested Business Role from a Business Role should cause appropriate deprovisioning actions.

HugoH · ‎2018-02-21

It would be great to have this functionality but as an optional. I understand in some use cases, the permission should be removed from the user if removed from BR but in some situations, this action would not be the expected behavior.

KScherbach · ‎2018-03-05

I would expect that removing at least a permission that is marked "mandatory/ automatic grant and revoke" gets deprovisioned. You might change it to e.g. "mandatory/ no automatic grant and revoke" before removing it if you don't want that. Or add a dialogue asking how the permission should be handled.

IG: Deprovisioning of granted Permissions by Business Role modification

Idea ID 2779834

IG: Deprovisioning of granted Permissions by Business Role modification

List Review Definitions of Identity

business role membership process

Advanced Sorting in Review

Ability to create a copy of an existing Review Definition

Orphan Account Review - IGA to allow manual association of account to an user

SCIM Fulfiller / Collector

Searchable, sortable and tabbed display of approval items (my approvals)

Unable to do Partial Approvals for Access request

How to improve usability for Access Request Compare access