1- We have created a business role and added 2 entitlements to it (Picture 1)
- Role Name : ROLE_ORACLE_MSVAS5
- Entitlement 1: OLAP_USER (App-role)
- Entitlement 2: CREATE VIEW (Granular Entitlement)
The important point here is "OLAP_USER", as an app-role, already contains the entitlement "CREATE VIEW".
You may ask why we added the granular entitlement to the role even though the entitlement is contained by the App-Role. The answer is; this is only a test and it enabled us to detect an issue with fulfillment functioning of VIA.
2- Next, We added a new user to the same role and committed it.
- The role has successfully been committed.
- The fulfillment has completed without any issue.
- We can see the user has acquired the entitlements that he gained via the assignment of business role
3- Finally, We removed the user from the same role.
- Among the change items of the request created, we observed duplicate "Remove" operation for "CREATE VIEW" entitlement. (Picture 2) Is this a bug?
Next we did another test where;
- We created another role and added only the app-role "OLAP_USER" to the role and one other user.
- Fulfillment completed successfully, when we created a request in order to remove User from the business.
- We only see the Remove operation for the "OLAP_USER" app-role item. No change item created for the sub-entitlement of the app-role.
What was wrong in the earlier case?