Issue: We have IT roles with different names but the same entitlements, so when we assign a single role, another role also gets detected. We want to overcome this issue.
We are using a Web Services connector based application, where users may have the same entitlements but differ in access level (Read-Only, Read-Write).
When we assign one IT role, another role also gets detected, but the two differ in access level on the target system side.
IT ROLE : DEPARTMENT_READONLY ( Access level : Read_Only in target system side. User can have only read_only access even though holding same entitlements.)
Entitlements : TEST1, TEST2
IT ROLE : DEPARTMENT_WRITE ( Access level : Read_Write in target system side. User can have only read_write access even though holding same entitlements.)
Entitlements : TEST, WRITE
Note: We don't have access levels as entitlements on the target system side.
Can you please share the role and entitlement details?
Also, does the IT role have a mapping to entitlements? If so, do both IT roles have any common entitlement?
Share more details on the role and entitlement objects.
Ideally, you should ask the application team to have a different entitlement if there is a differentiation between the two roles and entitlements; then it would be good for mapping and you will not get into this issue.
How does the application know what access is provided to the user when a user is raising any one of the roles from IIQ? Since both roles provide the same entitlement, what access is the user receiving in the target application? Is it Read access or Read/Write access?
Which connector is used for this application integration?
We are using the Web Services connector to integrate the application.
When a user raises a request for any role (TEST_Read or TEST_Write), we can send the access level in code based on the role name. But what we are expecting is that only one role should be detected for the user.
I would suggest creating a new attribute which will be considered as the entitlement attribute. The value can be a combination of the entitlement value and the access level, joined by an underscore or hyphen.
For example:
The new attribute is Entitlement_AccessLevel
If the values are Entitlement = DepartmentEntitlement and Access Level = Read, then,
I have created the Entitlement_AccessLevel value by combining the entitlement and access level with a hyphen.
This way we will have 2 different entitlements for each IT role. During the provisioning operation, you can just split the Entitlement_AccessLevel value to pass the appropriate values.
Similarly, during aggregation, you can use a customization rule which will combine the Entitlement and Access Level to create Entitlement_AccessLevel.
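
The combine and split steps suggested above, as an added example in plain Java; it is not code from any poster in this thread and not an IdentityIQ rule. The hyphen delimiter, the `Read_Only`/`Read_Write` level names, the sample entitlements and the `detect` helper (a simplified stand-in for role detection) are assumptions for illustration.

```java
import java.util.*;

public class EntitlementAccessLevel {
    static final String DELIM = "-";  // assumed delimiter; "_" would collide with Read_Only
    static final Set<String> LEVELS = Set.of("Read_Only", "Read_Write");

    // Aggregation side: build the Entitlement_AccessLevel value from the two target fields.
    static String combine(String entitlement, String level) {
        if (entitlement == null || entitlement.isEmpty() || !LEVELS.contains(level))
            throw new IllegalArgumentException("bad entitlement or access level: " + level);
        return entitlement + DELIM + level;
    }

    // Provisioning side: split on the last delimiter so entitlement names containing "-"
    // survive, and reject unknown levels instead of guessing one.
    static String[] split(String composite) {
        int i = (composite == null) ? -1 : composite.lastIndexOf(DELIM);
        if (i <= 0) throw new IllegalArgumentException("not a composite value: " + composite);
        String level = composite.substring(i + DELIM.length());
        if (!LEVELS.contains(level))
            throw new IllegalArgumentException("unknown access level: " + level);
        return new String[] { composite.substring(0, i), level };
    }

    // Simplified stand-in for role detection: a role matches when the account holds
    // every entitlement in the role's profile.
    static List<String> detect(Map<String, Set<String>> roles, Set<String> held) {
        List<String> hits = new ArrayList<>();
        for (Map.Entry<String, Set<String>> r : roles.entrySet())
            if (held.containsAll(r.getValue())) hits.add(r.getKey());
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample data: both roles share TEST1 and TEST2, so both are detected.
        Map<String, Set<String>> before = new TreeMap<>();
        before.put("DEPARTMENT_READONLY", Set.of("TEST1", "TEST2"));
        before.put("DEPARTMENT_WRITE", Set.of("TEST1", "TEST2"));
        System.out.println(detect(before, Set.of("TEST1", "TEST2")));

        // With composite values the two role profiles no longer overlap.
        Map<String, Set<String>> after = new TreeMap<>();
        after.put("DEPARTMENT_READONLY",
                  Set.of(combine("TEST1", "Read_Only"), combine("TEST2", "Read_Only")));
        after.put("DEPARTMENT_WRITE",
                  Set.of(combine("TEST1", "Read_Write"), combine("TEST2", "Read_Write")));
        Set<String> held = Set.of(combine("TEST1", "Read_Only"), combine("TEST2", "Read_Only"));
        System.out.println(detect(after, held));
        System.out.println(String.join(" | ", split("TEST-1-Read_Write")));
    }
}
```

Rejecting an unrecognised access level on both sides keeps a malformed value from being provisioned as write access by default.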