We have created a global role with entitlements and members as well. Some of the role entitlements are AD groups. The role members are usually system administrators who have a normal and an admin account as well in AD. When the role changes were applied, a new CR was started. In the CR, normal and admin accounts were also added to every group (see picture below).
I would like to achieve that only the normal accounts are added to the AD groups. In other cases, the requestor is asked to choose between accounts if a user has multiple. That would be the expected behavior in this case as well. Is there any best practice for this use case?