Hi All,
I have a requirement to enable account-based role requests via a Request form. Currently, Role requests are handled at the user level. But our requirement is to have the entitlements that are part of Roles tagged to a selected account, and it has to trigger account-based changes for the addition of indirect entitlements in a role instead of user changes, similar to Account-based Access Request.
We are displaying accounts using a web service. Is there a way to get account selection enabled and calculated by the system, like account selection in a normal access request using application/directory forms?
Any suggestions on how to overcome this?
I understand what you want to achieve but that is against the definition of Roles in RSA IGL.
For us, a Role is a collection of cross-application Entitlements that is assigned on the user level. You cannot bind or assign a Role to an account because a Role can contain access from different applications outside the scope of a certain application account.
At the moment, Role requests will attempt to add the requested access to all accounts the user has within the entitlement's application. There is no way to change that behaviour, but approval workflows can be used to reject adding acc
We've seen this cause issues when certain users have more than one account in a specific application (for example: personal account vs admin/privileged account). A common solution in that case is to separate each set of accounts in a different logical application so that Role, but it probably needs a more in-depth discussion with RSA PS to see how your environment is set up and give you specific advice.