Slightly vague question title (apologies) but essentially the scenario is as follows:
- User has an account A for application X, with multiple associated entitlements (E1, E2, E3, etc.)
- The user's Access page will list the account AND the entitlements, all with Remove buttons next to them
- Line Manager comes in and selects to remove the account (A) and SOME of the associated entitlements (E2 & E3)
- This leaves E1 (at least) as NOT removed
This doesn't make sense - if you want to remove the account then surely ALL the entitlements should be removed as well; if you want to remove only SOME of the entitlements then you wouldn't want the account to be removed.
I don't believe IGL makes any attempt to detect, prevent or even warn the end user about this apparent inconsistency, so how do people get round it?
What options/approaches has anyone adopted to try and make sense of this kind of scenario?