In one of our latest projects we implemented RBAC and are using Rapid Setup to assign the Rapid Setup Birthright roles. These roles have assignment rules based on the department and job function.
Now we added a few more applications to IdentityIQ and also needed to create new Rapid Setup Birthright roles. However, these new roles are not assigned to the identities.
The Rapid Setup documentation states the Rapid Setup Birthright roles are only assigned during a Joiner or Mover event.
Is there a way to re-evaluate the Rapid Setup Birthright roles manually (or automatically) using a task or rule without generating mover events for all identities?
(I am tempted to uncheck the ‘No automatic assignment with rule’-option for the Rapid Setup Birthright roles, so the assignment is updated during an Identity Refresh task with option ‘Refresh assigned, detected roles and promote additional entitlements’ enabled.)
As per my understanding, Rapid Setup is an event-based trigger. Hence the Rapid Setup Birthright roles will be added during a Joiner or Leaver event. I can think of a couple of ways to trigger the events.
An Identity will be triggered for Rapid Setup Birthright Role when the following is present in the identity cube. <entry key="rapidSetupProcessingState" value="needed"/>
After processing of the identity it will change to the following. <entry key="rapidSetupProcessingState" value="processed"/>
One way I can think of is to update the rapidSetupProcessingState attribute using a Customization Rule.
The variables for this are available in the Identity object.
Note: Make sure to change the Rapid Setup Joiner workflow with a different workflow which will only add the roles and no other operations are required.
The second option would be to create a custom mover process to re-evaluate the identities. You can define the mover filter to meet your requirements in Rapid Setup Configuration. Please find the below example
Verify whether the Rapid Setup Mover Workflow will only add the birthright roles or not. Triggering the aggregation task should trigger the Mover operation for the identities. Make sure to check the ‘Disable optimization of unchanged accounts’ checkbox. This will ensure that all identities will be checked for processing.
Thanks Jarin. This is surely a solution we will test in our environment for future use.
Since we were under some pressure to get the BirthRight Roles working, we continued with the ‘No automatic assignment with rule’-option disabled. Now the roles are being assigned (following the assignment rules) with the Identity Refresh task with only ‘Refresh assigned, detected roles and promote additional entitlements’ enabled.