NOT memberOf - does it exist

Hi,

Is there a version of ‘memberOf’ that removes entitlements from AD? I can add an entitlement during the ‘account update’ process, but I’d love to be able to remove one at the same time.

We are going to be hitting around 60,000 different Roles (if not more), which is going to tank performance.
Can’t use afterModify as we cannot scale the CPU to cope with the number of changes.
I’m thinking that it might have to be scheduled PS scripts on the IQService, but even then that’s going to have to examine 500,000 users each time.

You should be able to use a beforeProvisioning Rule to remove a group.

new AttributeRequest("memberOf", ProvisioningPlan.Operation.Remove, "<groupName>")
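To show how the one-liner above sits inside a complete Before Provisioning rule, here is an added example (not code from the original post or from SailPoint): an IdentityNow Before Provisioning rule in BeanShell (Java syntax). It removes a conflicting group whenever the plan adds its counterpart, so the Add and the Remove go to AD in the same provisioning call. The rule inputs `plan`, `application` and `log` are supplied by the platform; the source name "Active Directory" and the group distinguished names are hypothetical. The example assumes, as the IdentityNow AD connector does, that `memberOf` values are full group DNs rather than short group names.

```java
// Added example, not from the original thread. IdentityNow Before Provisioning rule
// in BeanShell: `plan` (ProvisioningPlan) and `log` are provided by the platform.
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningPlan.Operation;

// Hypothetical AD source name; only requests for this source are touched.
String AD_SOURCE = "Active Directory";

// Hypothetical mutually exclusive groups: granting the key removes the value.
// Values are full distinguished names, which is what the AD connector stores in memberOf.
Map exclusive = new HashMap();
exclusive.put("CN=Finance-Admins,OU=Groups,DC=example,DC=com",
              "CN=Finance-ReadOnly,OU=Groups,DC=example,DC=com");
exclusive.put("CN=Contractors,OU=Groups,DC=example,DC=com",
              "CN=Employees,OU=Groups,DC=example,DC=com");

// Flatten a memberOf value to a list: the connector may pass one DN or a List of DNs.
List asList(Object value) {
  List out = new ArrayList();
  if (value instanceof List) {
    out.addAll((List) value);
  } else if (value != null) {
    out.add(value);
  }
  return out;
}

if (plan != null && plan.getAccountRequests() != null) {
  for (AccountRequest acct : plan.getAccountRequests()) {
    if (!AD_SOURCE.equals(acct.getApplicationName())) continue;
    if (acct.getAttributeRequests() == null) continue;

    List added = new ArrayList();
    List toRemove = new ArrayList();

    // Pass 1: collect every group DN this plan adds, and the group each one excludes.
    for (AttributeRequest attr : acct.getAttributeRequests()) {
      if (!"memberOf".equals(attr.getName())) continue;
      if (!Operation.Add.equals(attr.getOperation())) continue;
      for (Object dn : asList(attr.getValue())) {
        added.add(dn);
        Object counterpart = exclusive.get(dn);
        if (counterpart != null && !toRemove.contains(counterpart)) {
          toRemove.add(counterpart);
        }
      }
    }

    // Pass 2: never remove a group the same plan is also adding; the Add wins.
    toRemove.removeAll(added);

    // Append one Remove request per conflicting group to the same AccountRequest.
    for (Object dn : toRemove) {
      acct.add(new AttributeRequest("memberOf", Operation.Remove, dn));
      log.info("Before Provisioning: removing " + dn
               + " from " + acct.getNativeIdentity());
    }
  }
}
```

The rule only sees the plan, not the account's current membership, so it can react to what is being added but cannot by itself compute which of a user's existing groups should go. Keep the exclusion map small and test in sandbox with a plan that adds both members of a pair, which is the case the second pass guards against.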

Hi @Carlatto,
Thanks for your suggestion, but a Before Provisioning rule is not a route that we are looking to go down.

Hey @phil_awlings ,

This could be done with an after modify or a PowerShell script that is scheduled. What would be the use case for this to trigger? That seems like an extremely large load to process each time.

Hi @bcariaga,
We’ve already gone down the afterModify rule because the entitlements have great naming conventions that suit variables. However, just trying to modify 10 at once caused the whole thing to fall over. I appreciate that this is in sandbox, but that’s not going to scale to PROD.
I think that we are definitely going to do a hybrid of Roles in SailPoint and scheduled scripts in PowerShell.