Hello,

IDM 4.7.1.1 AE, both User Application and Engine.

I have an ongoing issue where it appears that the Roles and Resources Service Driver is misinterpreting Role assignments. The scenario I will describe worked with IDM 4.0.2.

The scenario is thus. Let's take a simple example of a User, but I believe this will apply to many Users.

We have a User who has been assigned an I.T. Role, and the I.T. Role has a Permission Role assigned. The Permission Role, in turn. has a Resource and an associated Entitlement.

The 2 tests I ran have 3 steps each.

1.1 - Add User to Group
1.2 - Add User to Role
1.3 - Remove User from Group

2.1 - Add User to Role
2.2 - Add User to Group
2.3 - Remove User from Role

The Group has an associated I.T. Role (nrfAssociatedRoles) which is setup, at the Resource and Entitlement level, exactly the same as the directly assigned Role.

What I am finding is that when the User is removed from the Role (Test 1) or Removed from the Group (Test 2), the Resource (and therefore the entitlement) are also removed.

For Test 1, I would expect the User to remain with the Resource and Entitlement because the User is still part of the Role that has the Resource and Entitlement linked to the Permission Role.
For Test 2, I would expect the User to remain with the Resource and Entitlement because the User is still part of the Group that has the Resource and Entitlement linked to the Permission Role which is assigned due to the nrfAssignedRoles pointing to the I.T. Role.

The screenshots of the tests are https://owncloud.belkast.com/index.php/s/1PFGupGR4VcR96u
Password is MicroFocus

Compare 1.1 - Add User to Group.png with 2.3 - Remove User from Role.png.

The attributes should be the same, because the end result is that the User is a member of the BWISE Group.

But, even though the nrfGroupRoles, nrfInheritedRoles, and nrfMemberOf attributes are all the same in 3.2 as they are in 1.1, the Resource has been taken off.

Thanks for any help or insight in advance!

-K