SecurID® Governance & Lifecycle 7.2 Enablement

ShlomoKatz
Valued Contributor

Form to remove user from group while in role

I have a need to use a form to add a user to an AD group and remove from another group at the same time.

The challenge is: the group being removed is granted from a role, so the form is not allowing the "remove" function.

This is just a timing issue until the role rules are run.

Any ideas?

MHelmy
Moderator

That is not possible. You will not be able to remove indirect entitlements from a form or from the User's access tab.

What is the use case here? Also if the entitlement is part of a to-be-removed Role then why do you not remove the Role Entitlements also as part of the same request?

You can make the application automatically generate indirect entitlement changes by checking the checkbox "Generate Indirect Entitlements" in the Request Workflow used. That way when you remove a user from a Role, the change request will also try to remove the Role Entitlements (Group in this case) from that user, given that those entitlements are not part of any other Role the user still has.

As Mostafa stated, the role layer has to be removed first in order for the group to be able to be removed accordingly. If you removed the role from the user and had the "include indirect entitlements" option checked, the role only will be removed. If you check the user's access page right after that, you will find the group directly entitled to the user where it will be enabled for removal.
