Conditional Assignment - How to prevent an ADS group assignment or any resource from being inherited from a Business role when the user's certification status is new

Using version 9.2.1.

In our implementation, we create business roles such as job titles and assign resources to these business roles. We have configured that all newly created identities have a certification status of 'new.' We need to restrict new identities from inheriting the resources assigned to the business roles as long as their user certification status remains new.

Is this possible?

  • The identities do have a flag to prevent the inheritance of entitlements to the identities. It is called "No inheritance" (IsNoInherite@Person).

    The flag is normally controlled by setting the flag "Permanently deactivated" (IsInActive@Person) if the configuration parameter QER\Attestation\UserApproval is enabled.

    So, either set this flag or devise your logic to control the inheritance of the identity.

  • Hi Markus,

    Thanks for your answer. I checked the parameters QER\Attestation\User Approval and QER\Attestation\User Approval\Initial ApprovalState. Both are enabled. When a new identity is created by a manager, the ApprovalState@Person is set to '1', but IsNoInherite@Person and IsInActive@Person are both set to 'false'.

    The template for IsNoInherite@Person is:

    If Connection.GetConfigParm("QER\Attestation\UserApproval")="1" _
    AndAlso $ApprovalState:Int$ <> $ApprovalState[o]:Int$ Then
    Value = $IsInActive:Bool$
    End If

    and overwrite is enabled.

    Do you suggest changing this template? Also, could you let me know the process name or script that assigns resources linked to a business role?

    Regards,

  • Yes, I suggest changing the template or using some code in the OnSavingScript.

    The DB Queue Processor assigns the resources linked to a business role.
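
One possible shape for the template change suggested in this thread, as an added example that is not from either poster or from the product's shipped configuration. It assumes, based on the reply above, that ApprovalState@Person = 1 is the "new" certification status, and it keeps the quoted template's behavior for every other status change.

```vbnet
' Value template for Person.IsNoInherite (added example; assumes ApprovalState 1 = "new").
If Connection.GetConfigParm("QER\Attestation\UserApproval") = "1" Then
    If $ApprovalState:Int$ = 1 Then
        ' Identity is still awaiting certification: block inheritance
        ' so business role assignments are not passed on to it.
        Value = True
    ElseIf $ApprovalState:Int$ <> $ApprovalState[o]:Int$ Then
        ' Status moved away from "new" (or changed otherwise):
        ' fall back to the original rule and follow "Permanently deactivated".
        Value = $IsInActive:Bool$
    End If
End If
```

Because the DB Queue Processor calculates the assignments, resources inherited through business roles are recalculated after the flag changes rather than at the moment the identity is saved.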
