Is it possible to have IG&L NOT grant any app roles raised earlier until day 1 of joining for a new joiner, even if the requester requested them earlier (days prior to the start date of the new joiner)? This is so that all roles that have been requested on an earlier date will apply only on the start date of the user.
This is to minimize the risk of the account being misused by anyone or a supervisor who knows the password.
I asked RSA this through a case I submitted to them and this is the only answer they gave: "it's possible to implement by using custom attribute and workflow customization." However, they can't provide me further details on how it's done. Has anyone here had the same concern in their implementation? I'd appreciate any feedback. Our vendor says it cannot be done, but RSA says it can. So we are uncertain about this.
So let me get the use case correct. You want a requester to be able to request roles for users that haven't started yet. Those requests will go through approval but they will only be fulfilled once the start date of that user has passed?
If that is the use case then you need to know the start date of the users from your HR source. You can have a requestor request roles for users, and approvers can approve these requests.
In your fulfilment workflow you can add a decision node that looks at the start date of the user. If the start date of the user is in the future, you can have a delay node to wait until the start date has passed and only then continue with the fulfilment.
Edwin