I have 2 roles which share a common AD entitlement, and I see that if I revoke role 1 it's removing the entitlement from the user profile even though the user has it from role 2.
That shouldn't happen; the system will calculate what needs to be removed (or added, if you add a role) based on what the user has and how he got that. So if you have role 1 with entitlement A and a role 2 with entitlement A, and the user has both roles and you then remove role 1, the user should keep entitlement A because he still has role 2.
Are you sure the user has both roles, and that these are roles defined in G&L and not application roles?
Thanks for getting back to me. Yes, they are defined in G&L and are not application roles. Let me better explain this...
1) Placed a request to revoke role 1, which has entitlement A
2) A remove request was generated in the CR for removing entitlement A
3) Within 10 minutes I placed another request for adding role 2, which has entitlement A
4) I don't see an ADD request in the CR. Since collection didn't happen by that time I thought entitlement A would not be removed from the user profile, but surprisingly it did
From the above explanation, can you tell why the entitlement got removed? Let me know if you need more information.
And that is working as designed. Because you haven't run the collector again, the system still thinks that the user has the entitlement and therefore it will not be added. You need to run the collector before adding role 2. If you don't, your authorizations will get out of sync, like you've just explained in your use case.
So if I understand you correctly, you mean I need to wait for collection to happen after placing the revoke request for role 1, and once the collection is complete then I need to place the ADD request for role 2?
Another solution for these situations is to use the "Role Missing Entitlements" rule to add those missing role entitlements to members affected by this case.
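As an added illustration of the behaviour described in this thread (this is a toy model, not code from G&L or any vendor product): change-request items are computed by diffing the entitlements a user's roles grant against what the collector last saw, so adding role 2 before a collection run produces no ADD for A, and the earlier REMOVE still executes. The role and entitlement names are constructed, and `role_missing_entitlements` is a hypothetical stand-in for a reconciliation rule like the one mentioned above.

```python
from dataclasses import dataclass, field

# Constructed sample data: two G&L roles that share entitlement A, as in the thread.
ROLE_ENTITLEMENTS = {"role1": {"A"}, "role2": {"A"}}


@dataclass
class User:
    roles: set = field(default_factory=set)
    collected: set = field(default_factory=set)  # what the last collector run saw
    actual: set = field(default_factory=set)     # what the target (AD) really holds


def desired(user):
    """Entitlements the user's current roles grant."""
    return set().union(*(ROLE_ENTITLEMENTS[r] for r in user.roles))


def change_request(user):
    """Diff desired state against the COLLECTED state, not the live one."""
    want = desired(user)
    return {"add": sorted(want - user.collected),
            "remove": sorted(user.collected - want)}


def fulfil(user, cr):
    """Apply a change request to the target system."""
    user.actual = (user.actual | set(cr["add"])) - set(cr["remove"])


def collect(user):
    """Collector run: refresh the governance view from the target system."""
    user.collected = set(user.actual)


def role_missing_entitlements(user):
    """Hypothetical reconciliation rule: role entitlements the collector does not see."""
    return sorted(desired(user) - user.collected)


def race_scenario():
    """Revoke role1, then add role2 before the collector runs (the thread's case)."""
    u = User(roles={"role1"}, collected={"A"}, actual={"A"})
    u.roles.discard("role1")
    cr1 = change_request(u)   # REMOVE A is generated
    u.roles.add("role2")      # no collection in between
    cr2 = change_request(u)   # collected still has A, so no ADD is generated
    fulfil(u, cr1)
    fulfil(u, cr2)
    collect(u)                # only now does the system learn A is gone
    return cr1, cr2, role_missing_entitlements(u)


def sequential_scenario():
    """Same change, but collect between the revoke and the add, as advised above."""
    u = User(roles={"role1"}, collected={"A"}, actual={"A"})
    u.roles.discard("role1")
    fulfil(u, change_request(u))
    collect(u)
    u.roles.add("role2")
    fulfil(u, change_request(u))   # collected lacks A, so ADD A is generated
    return sorted(u.actual)
```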