
Identity Audit Rule based on entitlements assigned to requestable roles

Hey Folks,

We are testing a scenario where we have nested business role hierarchies that inherit entitlements at various levels. This seems to be working ok, but I have been asked to develop a use case where a person can request a role via the ITShop that may have an account definition that would violate a policy of ours.

I'll break it down (same target system with different system roles in this instance):

  • User has a primary business role assigned (BusRole A) and has the following

    • System Role A
      • Elevated System Account A (AD Account definition)

  • User wants to request another business role (BusRole B) which has the following

    • System Role B (AD Account definition)
      • Elevated System Account B (AD Account definition)

I have created a compliance rule that looks at a user's business role memberships (it pulls both direct and indirect), and creates a violation as follows:

  • The Employee has at least one role or organizational assignment
    • of type: Business Roles, which meets at least one of the following conditions:
      • System Role is "System Role A"

AND

  • The Employee has at least one role or organizational assignment
    • of type: Business Roles, which meets at least one of the following conditions:
      • System Role is "System Role B"

So the violation is triggered just as I want, but when the exception approver denies and goes to resolve the violation, it seems to not like that the Role that I want to remove is an indirect assignment.

I get the following:

BusRole A is directly assigned and BusRole B is indirect. If I want to remove BusRole B, then I get the error above. I recall reading something about primary assignments being supported, but I can't find it in the documentation at the moment.

There are a handful of requirements that look like this, and I am scratching my head with regards to the best way to handle this. Am I thinking about this the wrong way?
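As an added illustration (not Identity Manager's own code, and not part of the original post): a small Python model of the hierarchy described above, with the two-sided rule evaluated over effective (direct plus inherited) memberships. The parent role "BusRole Parent", through which BusRole B becomes an indirect assignment, is an assumption, since the post does not say where that inheritance comes from; the point it shows is that an indirect assignment can only be resolved by acting on the direct assignment it is inherited through.

```python
# Constructed model of nested role inheritance. This is a simplification for
# illustration, not the product's rule engine or data model.

# child role -> the roles / entitlements it passes on by inheritance
HIERARCHY = {
    "BusRole A": ["System Role A"],
    "BusRole B": ["System Role B"],
    "System Role A": ["Elevated System Account A"],
    "System Role B": ["Elevated System Account B"],
    # assumed parent role that makes BusRole B an indirect assignment
    "BusRole Parent": ["BusRole B"],
}


def effective(direct):
    """Every role or entitlement held directly or through inheritance."""
    seen, stack = set(), list(direct)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(HIERARCHY.get(role, []))
    return seen


def violates(direct, rule=("System Role A", "System Role B")):
    """The post's rule: a violation when both system roles are effective."""
    eff = effective(direct)
    return all(r in eff for r in rule)


def assignment_kind(direct, role):
    """'direct', 'indirect' (inherited only) or 'none' for one role."""
    if role in direct:
        return "direct"
    return "indirect" if role in effective(direct) else "none"


def root_causes(direct, target):
    """Direct assignments through which `target` is inherited.

    When `target` is only indirect, removing it changes nothing; one of the
    assignments returned here is what must be removed (or excluded) to
    resolve the violation.
    """
    return sorted(d for d in direct if target in effective([d]))


if __name__ == "__main__":
    direct = {"BusRole A", "BusRole Parent"}
    print(violates(direct))                        # True
    print(assignment_kind(direct, "BusRole B"))    # indirect
    print(root_causes(direct, "System Role B"))    # ['BusRole Parent']
```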
