We are testing a scenario where we have nested business role hierarchies that inherit entitlements at various levels. This seems to be working ok, but I have been asked to develop a use case where a person can request a role via the ITShop that may have an account definition that would violate a policy of ours.
I'll break it down (same target system with different system roles in this instance):
I have created a compliance rule that looks at a user's business role memberships (it pulls both direct and indirect), and creates a violation as follows:
So the violation is triggered just as I want, but when the exception approver denies and goes to resolve the violation, it seems to not like that the Role that I want to remove is an indirect assignment. I get the following:
BusRole A is directly assigned and BusRole B is indirect. If I want to remove BusRole B, then I get the error above. I recall reading something about primary assignments being supported, but I can't find it in the documentation at the moment.
There are a handful of requirements that look like this, and I am scratching my head with regards to the best way to handle this. Am I thinking about this the wrong way?