In AD, we have users who may have 1-4 admin accounts in addition to their standard account. To be sure the admin accounts are processed when the user is terminated, we've mapped all AD accounts to the primary identity using a field in the AD account.
Now we are attempting to set up Roles in our organization. It appears that the Role identifies the identity of the user, but rather than assign AD group entitlements to the standard AD account that matches the identity, it attempts to assign the entitlements to all of the user's AD accounts that are mapped to the identity.
What is the best way to be sure the role applies to the proper AD account? I've attempted to add criteria to the membership rule, but these only appear to look at the fields in the identity and don't look at the AD accounts themselves. I'd consider updating the AFX workflow to exclude non-standard accounts, but I want to have the ability to create roles for admin accounts as well someday. I've considered creating separate collectors and identities for the admin accounts, but would we lose the mapping we have for terminations? If we are able to map the admin identities to the standard identities, will we be right back to this same issue where all of the AD accounts associated with one identity will be given the entitlements?
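The separation the question is asking for, as an added illustration that is not part of the original post and not RSA IG&L code or its API: keep the account-to-identity mapping for terminations, but let role fulfilment filter the mapped accounts by an account-type attribute (a hypothetical "standard"/"admin" value, assumed to come from an AD attribute on each account) so a role only touches the class of account it is meant for. Roles for admin accounts then become a matter of setting the role's target type, and an identity with no account of the required type simply gets nothing provisioned.

```python
"""Hypothetical model of identity -> account mapping with account-class-aware
role fulfilment.  Added example only; not the poster's environment and not the
product's own API.  Account types and sample accounts are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    sam_account_name: str
    identity_id: str    # the AD field used to map the account to its primary identity
    account_type: str   # assumed attribute: "standard" or "admin"
    enabled: bool = True


@dataclass
class Role:
    name: str
    entitlements: frozenset          # AD group names the role grants
    target_account_type: str = "standard"   # which class of account may receive them


def accounts_for_identity(accounts, identity_id):
    """Every account mapped to the identity, regardless of type."""
    return [a for a in accounts if a.identity_id == identity_id]


def fulfilment_targets(accounts, identity_id, role):
    """Only those of the identity's accounts that this role is allowed to touch."""
    return [a for a in accounts_for_identity(accounts, identity_id)
            if a.account_type == role.target_account_type]


def plan_role_grant(accounts, identity_id, role):
    """Map each target account to the entitlements it should receive.
    Returns {} when the identity has no account of the role's target type,
    so nothing is provisioned to the wrong class of account."""
    return {a.sam_account_name: sorted(role.entitlements)
            for a in fulfilment_targets(accounts, identity_id, role)}


def plan_termination(accounts, identity_id):
    """Termination deliberately uses the full mapping: every account linked
    to the identity is disabled, admin accounts included."""
    return sorted(a.sam_account_name
                  for a in accounts_for_identity(accounts, identity_id))


# Constructed sample data: one identity with a standard account and two admin
# accounts, one with only a standard account, one with only an admin account.
SAMPLE_ACCOUNTS = [
    Account("jsmith", "E1001", "standard"),
    Account("jsmith-adm", "E1001", "admin"),
    Account("jsmith-da", "E1001", "admin"),
    Account("mlee", "E1002", "standard"),
    Account("rkhan-adm", "E1003", "admin"),   # identity with no standard account
]

HELPDESK_ROLE = Role("Helpdesk", frozenset({"GRP-Helpdesk", "GRP-VPN"}))
SERVER_OPS_ROLE = Role("Server-Ops", frozenset({"GRP-ServerOps"}),
                       target_account_type="admin")

if __name__ == "__main__":
    print(plan_role_grant(SAMPLE_ACCOUNTS, "E1001", HELPDESK_ROLE))
    print(plan_role_grant(SAMPLE_ACCOUNTS, "E1001", SERVER_OPS_ROLE))
    print(plan_role_grant(SAMPLE_ACCOUNTS, "E1003", HELPDESK_ROLE))
    print(plan_termination(SAMPLE_ACCOUNTS, "E1001"))
```

The point of the model is that the two questions in the post are answered by two different functions reading the same mapping: `plan_termination` walks every linked account, while `plan_role_grant` narrows to one account class per role. Whether a given IGA product lets the fulfilment step apply such a filter (in the fulfilment workflow, in a per-role target attribute, or via separate collectors) is product-specific, but splitting identities to get the filtering would not be necessary if that filter can be expressed at fulfilment time.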