Based on the first point below, we see additional Access Profiles on a user’s cube. The issue we see is we have Access Profiles that are subsets of each other but are not always related.
A user (User A) could have one role that gives them basic access with Entitlement 1, 2, 3. Then another user (User B) has access to Entitlement 1, 2, 3, 4, 5.
When certifying this user, the reviewer will see both Access Profiles even if the naming is unrelated to their Role.
Is it better practice to have 2 Access Profiles in this scenario (1, 2, 3 | 4, 5) then User A only has the AP with 1, 2, 3. Then User B will also have AP 1, 2, 3 but in addition will have an AP with just 4, 5.
I think that is a logical approach. Have AP1 contain entitlements 1, 2, and 3, and have AP2 contain 4 and 5. Try to assign each entitlement to only one access profile, and then group access profiles into logical roles. That would be the best way to avoid the caveats mentioned in the article.
When using Applications as shown in attached file and the manager removes Access profile A that have overlapping entitlements with Access Profile B both applications are removed from the user. If you do the same thing with roles example only the deleted Role are deleted. Should access profiles with overlapping entitlements always use to Role approach or is it something that i missconfigured on the Aplication approach?
