I tried to impement a model in which areas and profiles are 2 entitlement types, and implemented logic in code, so that if I first request and area, is saved in some user’s field. On account schema, I marked id_area as entitlement sigle valued, and profile as entitlement multi-valued.
Then all profiles requested next, will be saved in the user-area-profile table with that profile. For selecting another area, user has to revoke current area (does nothing on code) and request new area (saves new id_area in the user table row). So, following reuqested profiles are saved right, because it always selects the id_area from user table before inserting user-area-profile.
Problem is that users can have the same profile in different areas, for example they can be administrators of area1 and area5. In this case I found that IDN does not meet the requirement. Suppose I have requesed area1 and profile administrator, and then revoked area1 and requested area5. At this moment all works fine. Administrator profile still appears as selectable in the Request Center. In fact, requesting it gets the green box with “success, 1 request was submitted”. But after that, I received a failure mail notification (and request goes to fail state) without passing through java rule.
I asked support if there were some way to bypass this validation, and at least let the last request reach the code, but they told me that IDN does not allow to request the same entitlement more than one time (it makes sense, but I deal with this scenario in previous implementations with other tools).
So, I think that only remains the cartesian product solution, that is, select id_area || #
|| id_profile as ID, desc_area || #
|| desc_profile as DESC from areas, profiles
This solution works, as in the rule I received both areas and profiles separated with #, but results in 50k entitlements, making the Request Center complex to handle… (and perhaps auditing activities too).