I've set up a Role Data Collector (RDC) that contains an inventory of all roles, owners, members, and entitlements. I've now set up a rule for missing entitlements. Basically, if anyone is added to a role (managed by this RDC), then add them to the entitlements associated with that role. That's the easy part.
I was curious if anyone had worked out a solution to revoke entitlements when users are removed from this role. The RDC updates members (adds/removes) based on the back-end database I'm collecting from. I don't know of a straightforward method of revoking access for users who were recently in the role (and are no longer members), but still retain entitlements associated with that role.
I'm thinking that RSA hasn't thought of this as a possibility; perhaps they're assuming we're simply relying on user access reviews to be generated when role memberships change or when a user attribute changes.
Anyone have any experience using role collectors in this fashion?
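
Added example, not part of the original post and not RSA product code: the reconciliation the post describes, done outside the tool by comparing two membership snapshots from the collector's back-end and listing entitlements a removed member still holds that no remaining role justifies. The snapshot shapes, function names and sample data are assumptions constructed for illustration.

```python
# Added illustration: role/entitlement reconciliation across two collection runs.
# Assumed inputs (hypothetical shapes, not an RSA export format):
#   prev_members / curr_members : role -> set of users, from consecutive collections
#   role_entitlements           : role -> set of entitlements the role grants
#   user_entitlements           : user -> set of entitlements the user holds now

def removed_members(prev_members, curr_members):
    """Map role -> users present in the previous collection but not the current one."""
    removed = {}
    for role, before in prev_members.items():
        gone = before - curr_members.get(role, set())  # role may have vanished entirely
        if gone:
            removed[role] = gone
    return removed

def revocation_candidates(prev_members, curr_members, role_entitlements, user_entitlements):
    """Return sorted (user, entitlement, former_role) tuples to review for revocation.

    An entitlement is listed only if the user still holds it and no role the
    user currently belongs to also grants it.
    """
    candidates = []
    for role, users in removed_members(prev_members, curr_members).items():
        for user in users:
            still_granted = set()  # entitlements justified by the user's remaining roles
            for other, members in curr_members.items():
                if user in members:
                    still_granted |= role_entitlements.get(other, set())
            held = user_entitlements.get(user, set())
            for ent in (role_entitlements.get(role, set()) & held) - still_granted:
                candidates.append((user, ent, role))
    return sorted(candidates)

# Constructed sample data: bob moved roles, carol was already cleaned up, dave left.
PREV = {"AP-Clerk": {"alice", "bob", "carol", "dave"}, "AP-Approver": {"carol"}}
CURR = {"AP-Clerk": {"alice"}, "AP-Approver": {"carol", "bob"}}
ROLE_ENTS = {
    "AP-Clerk": {"erp:invoice.read", "erp:invoice.create"},
    "AP-Approver": {"erp:invoice.read", "erp:invoice.approve"},
}
USER_ENTS = {
    "alice": {"erp:invoice.read", "erp:invoice.create"},
    "bob": {"erp:invoice.read", "erp:invoice.create", "erp:invoice.approve"},
    "carol": {"erp:invoice.read", "erp:invoice.approve"},
    "dave": {"erp:invoice.read", "erp:invoice.create"},
}

if __name__ == "__main__":
    for row in revocation_candidates(PREV, CURR, ROLE_ENTS, USER_ENTS):
        print(*row, sep="\t")
```

Entitlements granted to a user directly, outside any role, cannot be told apart from role-derived ones with this data, so the output is a list to review or feed into a change request rather than an automatic revoke.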