On an applicatie and directory level you have the the option to set Exclude Entire Application From Add Access And Suggestions to Yes.
based in the title of the option and the description on the help page you would expect that this would also count for role development. this is not the case. a role owner can still add entitlements from a application that has this option set to yes. .
you could argue that this can be prevented by setting a rule on the role set, but this rule is managed by de role set owner and can easily be removed.
I would expect the option Exclude Entire Application From Add Access And Suggestions to remove the ability to use the application in roles or have a second option to separately configure this.
Without this i have to manually update all roles sets with an entitlements rule with the risk that this rule is removed.
does anybody have the same issue?