Provision Aveksa Entitlements based on role membership

Question asked by William May on Jul 2, 2018

I have a role setup that uses a role membership rule defined as anyone in a specific AD group should be a member. Along with that, I created the two system-generated rules to update the role membership when there are new AD group members or remove membership when a user is no longer a part of the AD group.


This is all working fine, but I can't figure out how to have the system create a change request for the role-defined entitlements (in this case, Aveksa entitlements).


I was able to create a rule that provisions the entitlements, but there doesn't appear to be a rule to remove entitlements from users when they lose membership.


I am thinking that the "generate indirect entitlements" checkbox on the assigned Request Workflow may be what I need to look into; however, since you can only assign one Request Workflow for Rule Violation, it would mean ALL my rules would generate indirect entitlements.


Is there a blueprint for creating an automated, self-managed role that will perform the following actions:

  • Add users to the role when detected, based on membership
  • Add the entitlements defined by the role to the user upon new membership
  • Remove users from the role when they no longer match the membership rule
  • Revoke role-defined entitlements when the user is removed from the role
    *Note - I do not want a rule that just revokes the role-defined entitlements for ANY user that doesn't match the membership rule. The only ones I want to impact are those impacted by a corresponding role membership removal. I might have other users that require those entitlements even though they are not in the role.




v7.0.1 P02