I have a role set up that uses a role membership rule defined as: anyone in a specific AD group should be a member. Along with that, I created the two system-generated rules to update the role membership when there are new AD group members, or to remove membership when a user is no longer part of the AD group.
This is all working fine, but I can't figure out how to have the system create a change request for the role-defined entitlements (in this case, Aveksa entitlements).
I was able to create a rule that provisions the entitlements, but there doesn't appear to be a rule to remove entitlements from users when they lose membership.
I am thinking that the "generate indirect entitlements" checkbox on the assigned Request Workflow may be what I need to look into; however, since you can only assign one Request Workflow for Rule Violation, it would mean ALL my rules would generate indirect entitlements.
Is there a blueprint for creating an automated, self-managed role that will perform the following actions?
- Add users to the role when detected, based on membership
- Add the entitlements defined by the role to the user upon new membership
- Remove users from the role when they no longer match the membership rule
- Revoke role-defined entitlements when the user is removed from the role

*Note - I do not want a rule that just revokes the role-defined entitlements for ANY user that doesn't match the membership rule. The only ones I want to impact are those affected by a corresponding role membership removal; I might have other users who require those entitlements even though they are not in the role.