Exclude indirect assignment from system role in exceptional use cases

Hello,

OIM version: 8.1.4

I am facing a problem and I would appreciate advice from the community.

Context
=======
I have defined a system role that contains a number of AD Groups. As part of a joiner flow new employees receive this system role based on a dynamic business role, and thus the AD Group memberships are an indirect assignment.

Problem
=======
In some exceptional cases one of the AD Groups (unfortunately not always the same AD group) that is part of the automatically assigned system role needs to be revoked for a specific employee (e.g. internet access, external mail access, ...). Since this assignment is indirect I cannot remove it, or I have to remove the system role assignment, which would also remove the remaining AD Groups.

Question
========
What would be the correct way to solve this problem?

Thank you in advance for your recommendations.

Regards,

Wilke

  • Hi,

    I don't think there is an easy way around this ..... if the entitlements are part of the dynamic assignment then they stay.  You'll have to re-design this so that the entitlements are assigned as birthrights so that they can later be revoked.

    HTH, Barry.

  • Hello Barry,

    If the entitlements are assigned as birthright, isn't this the same concept as a dynamic role? I was thinking to create a process to assign the role and ensure it is a direct assignment. I guess this role assignment can then later be removed and replaced by another role with the adjusted entitlements. 

    Testing this out entails quite some modifications and therefore I wanted to have first some advice.

    Thank you for your support.

    Regards,

    Wilke

  • Hi Wilke,

    Yes of course .... I meant assigned as birthrights by some mechanism you design .... not using the OOB birthrights app role.

    So as you say you'll have to come up with a way of assigning the entitlements if you want to be able to remove them individually.

    Perhaps create an IT Shop product that has all the entitlements as dependent products?

    Auto-create an order for the main product which generates orders for the sub-products.

    You could then abort singly the sub orders.

    HTH, Barry.

  • You should be able to use Group/ESet exclusions for this (ADSGroupExclude or ESetExcludesESet).

    For all Groups that might get excluded create an extra pair of ESets, a "GroupEset" and a "RemoveESet". Configure the RemoveESet to exclude the GroupEset, assign the groupEset to your Main SystemRole (or Business Role) instead of the group directly.
    For the identity that should be excluded, also assign the "RemoveESet". That should suppress the assignment of the ADGroup.

    You can do the exclusion on the AD-Group level instead of ESet. But then you need that extra removeGroup in AD itself. But it might be feasible if there is some ADGroup for it already.

    PS: I would like some condition on the BaseTree/ESet assignment tables for conditional inheritance. That would solve many similar use cases. But still waiting....
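To make the "GroupESet / RemoveESet" design from the last reply concrete, here is an added simulation of how effective AD group membership resolves under it. This is example code written for this thread, not One Identity Manager's own inheritance engine or schema: the role, ESet and group names are constructed, and it assumes the exclusion works in the direction the reply describes (an assigned RemoveESet suppresses the GroupESet it excludes). Verify the exact semantics of ESetExcludesESet/ADSGroupExclude in the product documentation for your version before relying on it.

```python
"""Simulation of indirect role -> ESet -> AD group inheritance with ESet exclusions.

Added illustration for the thread above; not One Identity Manager code.
All names below are constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed: one system role (assigned indirectly via a dynamic business
# role) inherits one "GroupESet" per AD group instead of the groups directly.
ROLE_TO_ESETS = {
    "Main-SystemRole": {
        "GroupESet-Internet",
        "GroupESet-ExtMail",
        "GroupESet-FileShare",
    },
}

# Constructed: each GroupESet wraps exactly one AD group; the RemoveESets
# carry no groups of their own, they exist only to exclude a GroupESet.
ESET_TO_GROUPS = {
    "GroupESet-Internet": {"AD-Internet-Access"},
    "GroupESet-ExtMail": {"AD-External-Mail"},
    "GroupESet-FileShare": {"AD-FileShare-RW"},
    "RemoveESet-Internet": set(),
    "RemoveESet-ExtMail": set(),
}

# Constructed model of "RemoveESet excludes GroupESet" (assumed direction).
ESET_EXCLUDES_ESET = {
    "RemoveESet-Internet": {"GroupESet-Internet"},
    "RemoveESet-ExtMail": {"GroupESet-ExtMail"},
}


@dataclass
class Identity:
    name: str
    roles: set                      # indirect assignment from the dynamic role
    direct_esets: set = field(default_factory=set)   # direct, revocable assignments


def effective_esets(identity):
    """ESets the identity ends up with: inherited via roles plus direct,
    minus every ESet excluded by one of the assigned ESets."""
    inherited = set()
    for role in identity.roles:
        inherited |= ROLE_TO_ESETS.get(role, set())
    assigned = inherited | identity.direct_esets
    excluded = set()
    for eset in assigned:
        excluded |= ESET_EXCLUDES_ESET.get(eset, set())
    return assigned - excluded


def effective_groups(identity):
    """AD groups the identity would actually be provisioned into."""
    groups = set()
    for eset in effective_esets(identity):
        groups |= ESET_TO_GROUPS[eset]
    return groups


def revoke_group_for(identity, group):
    """Suppress a single inherited AD group by assigning the matching
    RemoveESet directly. Returns the RemoveESet used. The system role and
    the other groups stay untouched; removing the direct RemoveESet later
    restores the group."""
    for remove_eset, targets in ESET_EXCLUDES_ESET.items():
        for target in targets:
            if group in ESET_TO_GROUPS.get(target, set()):
                identity.direct_esets.add(remove_eset)
                return remove_eset
    raise KeyError(f"no RemoveESet configured for {group}")


if __name__ == "__main__":
    alice = Identity("alice", roles={"Main-SystemRole"})
    print("normal joiner:", sorted(effective_groups(alice)))
    bob = Identity("bob", roles={"Main-SystemRole"})
    revoke_group_for(bob, "AD-Internet-Access")
    print("exception   :", sorted(effective_groups(bob)))
```

The point the simulation makes is that the exception is expressed as an additional, direct and therefore revocable assignment rather than as a deletion of something inherited; the dynamic role keeps recalculating the same inheritance for everyone, and only identities holding the RemoveESet lose that one group. The cost, as the reply notes, is one extra ESet pair for every group that might ever need to be excluded.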