Automation with Role Data Collectors - Revoking Access via Rules

Question asked by Sasha Browning on Sep 8, 2015
Latest reply on Apr 27, 2016 by Luis Lenin Guerrero



I've set up a Role Data Collector (RDC) that contains an inventory of all roles, owners, members, and entitlements. I've now set up a rule for missing entitlements. Basically, if anyone is added to a role (managed by this RDC), then add them to the entitlements associated with that role. That's the easy part.


I was curious if anyone had worked out a solution to revoke entitlements when users are removed from this role. The RDC updates members (adds/removes) based on the back-end database I'm collecting from. I don't know of a straightforward method of revoking access to users who were recently in the role (and no longer a member), but still retain entitlements associated with that role.


I'm thinking that RSA hasn't thought of this as a possibility; perhaps they're assuming we're simply relying on user access reviews to be generated when role memberships change or when a user attribute changes.


Anyone have any experience using role collectors in this fashion?
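
The check the question describes, written out as an added example that is not part of the original post and is not RSA product code: compare two membership snapshots and list entitlements still held by users who left a role, skipping any entitlement that another current role still justifies. All role, user and entitlement names and the data layout are constructed for illustration.

```python
# Constructed sample data; names and structure are hypothetical, not an RSA schema.
ROLE_ENTITLEMENTS = {
    "AP-Clerk": {"erp:invoice.read", "erp:invoice.create"},
    "AP-Auditor": {"erp:invoice.read", "erp:audit.export"},
}
# Role membership as collected on the previous run and on the current run.
PREVIOUS_MEMBERS = {"AP-Clerk": {"alice", "bob"}, "AP-Auditor": {"bob", "carol", "dave"}}
CURRENT_MEMBERS = {"AP-Clerk": {"alice"}, "AP-Auditor": {"bob", "carol"}}
# Entitlements each user actually holds right now.
USER_ENTITLEMENTS = {
    "alice": {"erp:invoice.read", "erp:invoice.create"},
    "bob": {"erp:invoice.read", "erp:invoice.create", "erp:audit.export"},
    "carol": {"erp:invoice.read", "erp:audit.export"},
    "dave": {"erp:invoice.read", "erp:audit.export"},
}


def justified_by_current_roles(user, role_ents, curr):
    """Union of entitlements granted by every role the user is still in."""
    justified = set()
    for role, members in curr.items():
        if user in members:
            justified |= role_ents.get(role, set())
    return justified


def revocation_candidates(role_ents, prev, curr, user_ents):
    """Return {user: entitlements} held only because of a role the user left."""
    result = {}
    for role, ents in role_ents.items():
        removed = prev.get(role, set()) - curr.get(role, set())
        for user in removed:
            held = ents & user_ents.get(user, set())
            # Do not revoke what another current role still grants.
            stale = held - justified_by_current_roles(user, role_ents, curr)
            if stale:
                result.setdefault(user, set()).update(stale)
    return result


if __name__ == "__main__":
    found = revocation_candidates(
        ROLE_ENTITLEMENTS, PREVIOUS_MEMBERS, CURRENT_MEMBERS, USER_ENTITLEMENTS
    )
    for user, ents in sorted(found.items()):
        print(user, sorted(ents))
```

An entitlement that was also granted directly, outside any role, is flagged by this comparison too, so the output is a candidate list for a revocation request rather than a final decision.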