I have an application with Active Directory as the source. I have three entitlements that belong to the application. Each entitlement has its own access profile. The requirement is that a user can have one and only one entitlement at a time. So when a new entitlement is requested the old one is removed.
Access Profile A
Access Profile B
Access Profile C
If the user has A, they cannot have B or C. If they request B, A is removed and B is provisioned.
How do I enforce the one and only one entitlement requirement?
Hi Chris, we implemented this requirement using a workflow with the “Access Request Submitted or Access Request Approved” triggers. Let me know if you need any help with the implementation.
A workflow is the best option to get it executed. We have implemented this using an Identity Attribute in the identity profile; based on the identity attribute change event in workflows, you can trigger the removal of access profile/entitlement request using ISC APIs.
Also, the solution provided by @smukhija is another way to achieve that.
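A sketch of the removal step the replies describe, added here as an example and not code from the thread or from SailPoint: given the profile just requested and the profiles the identity already holds, it builds the revoke request for the conflicting members of the exclusive group. The IDs, the `EXCLUSIVE_GROUP` table and the function name are hypothetical, and the body shape (`requestedFor`, `requestType: REVOKE_ACCESS`, `requestedItems`) is assumed to match the ISC access-requests API, so check it against your tenant's API reference.

```python
# Added example. All IDs are constructed placeholders, not real tenant values.
EXCLUSIVE_GROUP = {
    "ap-A": "Access Profile A",
    "ap-B": "Access Profile B",
    "ap-C": "Access Profile C",
}


def build_revoke_request(identity_id, requested_id, held_ids):
    """Return a REVOKE_ACCESS body for profiles that conflict with the
    requested one, or None when nothing has to be removed."""
    if requested_id not in EXCLUSIVE_GROUP:
        return None  # the request is outside the one-and-only-one group

    # Conflicts: group members the identity holds, other than the new one.
    # Access outside the group is left alone.
    conflicts = sorted(
        set(held_ids) & (set(EXCLUSIVE_GROUP) - {requested_id})
    )
    if not conflicts:
        return None

    reason = f"Superseded by {EXCLUSIVE_GROUP[requested_id]}"
    return {
        "requestedFor": [identity_id],  # one identity per revoke request
        "requestType": "REVOKE_ACCESS",
        "requestedItems": [
            {"type": "ACCESS_PROFILE", "id": ap_id, "comment": reason}
            for ap_id in conflicts
        ],
    }


if __name__ == "__main__":
    import json

    # Constructed case: the identity holds A plus an unrelated profile
    # and has requested B.
    body = build_revoke_request("id-123", "ap-B", ["ap-A", "ap-unrelated"])
    print(json.dumps(body, indent=2))
```

The workflow (or a script it calls) would send this body to the tenant's access-requests endpoint; the HTTP call is left out so the example runs offline.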