I'm currently evaluating RSA Identity G&L and when I compare two scenarios I followed, the result is unexpected.
I would appreciate it if someone with more experience could confirm if this is a bug or intended behaviour.
I have an application configured both for account/app-role collection and AFX fulfillment.
I checked "Entitlements Require Account" so that assigning app-roles creates an account.
In scenario #1: I collect existing accounts and app-roles, then I map them manually to users.
As a result, the account and app-roles are visible in the user details (user "Access" tab, where I can add more entitlements).
In scenario #2: I add one or several app-roles to a user with no prior account in this application, and launch the change request. After approval and fulfillment, the account is created by AFX and app-roles are also assigned in the target application. After account+entitlement collection, the fulfillment is verified and the change request complete.
In the user "Access" tab, the account becomes visible, but not app-roles. The app-roles are linked to the account but not to the user.
I find this result surprising: I would really expect entitlements added in this tab to become visible at the same location.
Does this look like a bug?
I'm using 7.0.1 P02.
It seems that what is required is sort of a "refresh" to the account user mapping.
Under the Accounts section (in application settings), I've removed the existing mapping (the account became orphan) and then assigned the account back to the user.
Following that action I can now see under the Access tab the relevant application role as well.
Not sure whether it's a bug or works as designed.
If you don't get an answer here, consider opening a support ticket.
Consider using an alternative approach to account creation, for example: create a form type Create Account
It can look something like this:
The change request looks like this:
After the changes are provisioned and collected, the new account will appear as an orphan account.
Here is the form configuration: