I found this: https://community.rsa.com/message/946614 when I did a search. It is similar to the issue we are encountering but I wanted to bring it up in case there is another solution someone has come up with.
1. We are using Roles to provision Entitlements, including Active Directory Groups.
2. Some of the Role Members have multiple accounts, including those that are "Privileged" aka "P-accounts" that should only be used for certain access. During the normal user-request experience, IGL presents a listing of accounts which the requestor can choose from.
1. When a Role Owner adds a user to the Role through the Membership tab, there is no listing of accounts to choose from. IGL assumes that all accounts in the user's profile needs the access in the Role and provisions access to them.
This is not what is desired, and is another example of divergent behavior when it comes to Role based access.
1. How can we remove the access from the P-accounts that already has it? Since a normal user-request to remove the access doesn't allow for removal of Role based access, it's not even an option. The only solution I can think is to manually remove the Accounts from the Groups directly in AD, which is tedious to say the least, especially with dozens of Groups and Role Members.
2. How can we prevent Role access from being provisioned to these "P-accounts"?
Any and all help is greatly appreciated.