Is it possible to have IG&L to NOT grant any apps roles raised earlier until day 1 of joining of a new joiner? Even if requester requested earlier (days prior start date of new joiner)? This is so that all roles that have been requested on earlier date will apply only on the start date of the user.
This is to minimize the risk of account being misused by anyone or supervisor who knows the password.
I asked RSA this through a case I submitted to them and this is the only answer they gave: "it's possible to implement by using custom attribute and workflow customization." However, they can't provide me further details on how it's done. Has anyone here had the same concern in their implementation? I'd appreciate any feedback. Our vendor says it cannot be done, but RSA says it can. So we are in uncertain about this.