
How to Exclude an AppRole or Account from AppRole from the Leaver Rule?

Question asked by Shlomo Katz on Dec 16, 2019
Latest reply on Apr 20, 2020 by Ahmed Nofal

Environment: 7.1.1 P3


RSA Supplied DB





What is the best method to exclude an AppRole or Account from AppRole from the Leaver Rule?

I cannot seem to get the right formula with <> or tell the difference between "has application role" and "not has application role".


Use Case - one of many:

I have an entitlement collector that collects from Active Directory groups in conjunction with an application database.

  • Primary account collection is from the Application database.
  • As part of the "RESOURCE > Application > Entitlement", there is a second entitlement collector for an Active Directory group.
  • Since it is an Active Directory group, the group is removed when the account is disabled under the Active Directory Leaver.
  • However, a manual change request is created to remove the user from the Active Directory group with the error "AFX reports this item failed with code [300] and message: 'NoRowsChanged'". (This error makes sense as the Leaver Rule already removed the group.)
  • It is using the AFX AD fulfillment.



Thank you