Delete Business Roles

If we delete a business role, we can do it even if there are still people and rights assigned to it; for other objects, we cannot delete the object until there are no more references to it.

I can't find a section in the manual about roles that describes the deletion/removal of roles in Identity Manager.

The fact is that for roles you delete, the rights and persons are still assigned to the role, but the rights are no longer effective. In the past this was not a big issue, because the roles were deleted permanently after 30 days.

Now we have changed the life cycle of roles to keep them marked for deletion for at least 2 years. This is because in this way we are able to retrieve the historical memberships of deleted roles in the manager interface for longer.

With this new situation we are thinking about potential problems in reports and other places in the system when deleted (marked for deletion) roles are still available with the assignments of persons and entitlements.

One option we are thinking about is to

a) automatically remove the persons and rights when deleting (we could still find the role and retrieve the historical memberships).

b) develop a process to delete the assignments of the roles in stages. Example:

- Org deleted
- After 30 days -> All rights and persons are removed from the role
- After 2 years -> role is finally deleted from the system

Why is it the default that rights and roles stay on the role when it is deleted? Why does One Identity Manager not prevent deletion until all rights and roles are removed?

Are there other considerations?
