Hello,
Please consider the following scenario and let me know if there is any solution for it.
1- "User A" has "Account X" on "Target System 1".
2- "Account X" has "AppRole-Y" on "Target System 1".
3- Then, "User A" is added to a business role which contains "AppRole-Y" on "Target System 1" as well.
4- "User A" is later removed from the business role.
In the request created, Remove "AppRole-Y" from "Account X" is also present.
However, this AppRole was assigned to Account X before he was added to the business role, so ideally he should have kept AppRole-Y even if he is out of the business role.
How can we achieve that?
Hi Gokhan, this is actually designed to function this way. It does not matter how the entitlement was originally granted to the user. As long as it is now part of a Role he is a member of, and is not part of any other Role he is still a member of, it will be removed by removing that Role.
One way you can get around this is by enabling approvals on indirect items; that way an approver can partially reject the indirect items being removed from the user in the change request workflow.
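The rule described in the reply above, modelled as an added example that is not part of the thread and is not the product's own code. The role names, data layout and function names are hypothetical and the sample data is constructed.

```python
# Added illustration: a minimal model of the removal rule described in the reply.
# ROLES, removal_request and apply_approvals are hypothetical names.

Y = ("Target System 1", "AppRole-Y")
Z = ("Target System 1", "AppRole-Z")

# Constructed sample data: business role -> entitlements it contains.
ROLES = {
    "BusinessRole-1": {Y},
    "BusinessRole-2": {Y, Z},
}


def removal_request(member_of, role_removed, held):
    """Return the indirect items queued for removal when a user leaves a role.

    member_of: roles the user belongs to before the change.
    held: entitlements currently on the user's account.
    How each entitlement was originally granted is deliberately not an
    input: per the reply, provenance does not affect the outcome.
    """
    remaining_roles = set(member_of) - {role_removed}
    still_covered = set()
    for role in remaining_roles:
        still_covered |= ROLES[role]
    # Removed: in the role being dropped, held by the user, and not
    # contained in any other role the user is still a member of.
    return (ROLES[role_removed] & set(held)) - still_covered


def apply_approvals(indirect_items, rejected):
    """Model approvals on indirect items: rejected removals are dropped
    from the change request, so the user keeps those entitlements."""
    return set(indirect_items) - set(rejected)


if __name__ == "__main__":
    # Scenario from the question: AppRole-Y was granted directly first,
    # then the user joined and left a role containing it.
    request = removal_request({"BusinessRole-1"}, "BusinessRole-1", {Y})
    print("queued for removal:", request)
    print("after approver rejects AppRole-Y:", apply_approvals(request, {Y}))
```

Running it shows AppRole-Y queued for removal in the question's scenario, and an empty request once the approver rejects that indirect item.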