I've got a question regarding "conflicting" entitlement rules. I'm trying to figure out how to handle the following scenario the best way.
You have two different Business Roles that both have a technical role as entitlement.
These technical roles have two entitlements and one is the same and has a group entitlement in the Active Directory.
i.e. something like this:
(simplified artistically awesome pic)
The business roles are assigned depending on your organizational belonging, if you move from one to the other, you should lose the BR1 entitlements and get the BR2.
This means that I get two different CR:
* CR1 for removing the BR1
* CR2 for adding BR2
The problem is that CR1 will now never finish, it will be stuck in a Wait for Verification state.
Ent2 will be removed by CR1 and then added by CR2, all this prior to account collection and verification and now we have a CR that will never finish.
This doesn't happen a lot, around 5-10 times/month, but at the moment, it does require manual verification and that takes time.
Any ideas how to solve this?