Slightly vague question title (apologies) but essentially the scenario is as follows:
- User has an account A for application X, with multiple associated entitlements (E1, E2, E3, etc.)
- The user's Access page will list the account AND the entitlements, all with Remove buttons next to them
- Line Manager comes in and selects to remove the account (A) and SOME of the associated entitlements (E2 & E3)
- This leaves E1 (at least) as NOT removed
This doesn't make sense - if you want to remove the account then surely ALL the entitlements should be removed as well; if you want to remove only SOME of the entitlements then you wouldn't want the account to be removed.
I don't believe IGL makes any attempt to detect, prevent or even warn the end user about this apparent inconsistency, so how do people get round it?
What options/approaches has anyone adopted to try and make sense of this kind of scenario?
The out-of-the-box User access tab changes are quite simple and there isn't really any way to restrict what you can or cannot do.
Usually I've seem most people disable the ability to request access changes directly from the User's access tab (Requests > Configuration > Settings > "Allow access changes on a user's detail Access tab”), then create specific Request forms to allow only the actions that you want.