We've set up a test to implement a new policy.
Even if someone has been delegated the right to enable a disabled user object, we want that action to only complete if a separate VA is empty of values.
i.e., if the 'edsvaSecurityOverrideReasonCode' (multi-value, stored, directory string) contains a value, then set the edsvaSecurityOverride Boolean to true; otherwise, set the edsvaSecurityOverride Boolean to false.
In this test, I've exposed these values in the web interface under an admin-view-only tab for testing, and this works reliably. In the real world, these values will be set and removed systemically by delegated security folks, and the men in black.
So, I set up a policy to force the value of edsaAccountIsDisabled to true if the security override reason code contains a value.
This still shows the 'enable account' command in the far-right menu, but after selecting that menu item, despite the override kicking in to prevent the change, I don't see the policy message indicating that the action is prevented by the security override.
We exploited a feature in ARS 6X that allowed us to call built-in JavaScript from the label field of an attribute. Dev obviously saw this as a bug :) and corrected the issue in subsequent releases... but I'm looking for something like that to pop up or otherwise alert the person attempting to enable the account in focus that it is disabled for cause, and that the user will need to jump through some hoops to be made whole. Approval won't work here, since the processes controlling the attribute will be systemic triggers based on HR state.
If you have some thoughts, or an alternative approach, please share. Otherwise, made you think!
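The policy chain described in this post, as an added stand-alone Python model that is not Active Roles policy-script code and not the poster's own configuration. The three attribute names are the ones from the post; the dict-shaped object and request, the "contains a value" rule (at least one non-blank entry in the multi-value attribute), and the sample reason code are constructed assumptions for illustration.

```python
"""Model of the security-override policy chain from the post:
reason code present -> edsvaSecurityOverride = True -> edsaAccountIsDisabled
forced True -> an 'enable account' request is denied with a visible message.
This is an added illustration, not Active Roles API code; the object and the
request are plain dicts (an assumption made for this example).
"""

REASON_CODE_ATTR = "edsvaSecurityOverrideReasonCode"  # multi-value VA named in the post
OVERRIDE_ATTR = "edsvaSecurityOverride"               # Boolean VA named in the post
DISABLED_ATTR = "edsaAccountIsDisabled"                # attribute the policy forces to True


def reason_values(attrs):
    """Return the non-blank reason codes on the object.

    A missing attribute, an empty list, or whitespace-only entries all count
    as 'empty of values'. A bare string is tolerated in case the attribute is
    read back single-valued.
    """
    values = attrs.get(REASON_CODE_ATTR) or []
    if isinstance(values, str):
        values = [values]
    return [v.strip() for v in values if isinstance(v, str) and v.strip()]


def has_override_reason(attrs):
    """True when at least one reason code is present."""
    return bool(reason_values(attrs))


def apply_override_policy(attrs):
    """Derive edsvaSecurityOverride from the reason code and, while an
    override is in effect, force edsaAccountIsDisabled to True.
    Returns an updated copy; the input is left untouched."""
    updated = dict(attrs)
    override = has_override_reason(attrs)
    updated[OVERRIDE_ATTR] = override
    if override:
        updated[DISABLED_ATTR] = True
    return updated


def check_modify_request(attrs, request):
    """Pre-modify check for an incoming change to the object.

    Denies an attempt to set edsaAccountIsDisabled to False while a reason
    code is present, and returns the message the policy should surface to the
    person who made the request. Returns (allowed, message).
    """
    wants_enable = request.get(DISABLED_ATTR) is False
    if wants_enable and has_override_reason(attrs):
        reasons = ", ".join(reason_values(attrs))
        return False, (
            "Enable denied: account is disabled for cause by security override "
            f"(reason code(s): {reasons}). Clear the override before enabling."
        )
    return True, ""


if __name__ == "__main__":
    # Constructed sample: a user with one reason code, currently disabled.
    user = {REASON_CODE_ATTR: ["HR-LEAVE"], DISABLED_ATTR: True}
    user = apply_override_policy(user)
    print(user)
    # A delegated admin tries to enable the account.
    allowed, message = check_modify_request(user, {DISABLED_ATTR: False})
    print("allowed:", allowed)
    print(message)
```

The message returned by `check_modify_request` is the piece the post is missing: whichever mechanism raises the denial in the real environment, keep the reason codes in the text so the person seeing it knows the disable is deliberate rather than a stale state.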