
How to assign AD group entitlements dynamically but allow exceptions

Hi 1IM community,

I'm looking for a good approach to assign a set of AD entitlements dynamically, but on the other hand certain exceptions must be allowed when approved.

I thought to create a Business Role "Service Identity No Internet Policy" which dynamically assigns some deny AD groups to all Identities of identity type "Service".

e.g. all Service Identities should initially get an AD Group "Deny-Internet-Access".

However, in some justifiable cases the Group rule should be overridden, but this must be approved by someone.

The problem in the scenario with a dynamic Business Role is that the AD Group cannot be removed from the Service's ADSAccount because it is inherited by a business rule.
And the Business Role itself is calculated dynamically, so it always becomes a member.

Not sure what's a good solution for this. I was thinking of a possibility:

A requestable exception like "Service Identity No Internet Policy Exception" which excludes the Identity from being added to the Business Role "Service Identity No Internet Policy"

or

if possible just "initially order" a set of entitlements when the identity and account are created, with the option to "unrequest" the initially assigned entitlement.

Any thoughts on a solution approach would be greatly appreciated.

Best regards,

Ed