POST /api/v2/access-profiles

Hi Colin,

Two main use cases:

  1. Reworking access which is allocated to users’ everyday accounts to instead use privileged accounts - in our environment they are managed as different sources on the same identity.
  2. Implementation of a temporary privilege escalation (TPE) process and replacing “standing permissions” with “requester groups” on our TPE source which allow for access to be escalated.

The reason creating a new access profile doesn’t work in this instance is because there are many things referencing the old access profile - roles, apps, or downstream systems (e.g., our ServiceNow request forms). Anything which references those existing access profiles needs to be updated across a number of different systems to ensure we don’t end up with orphan objects all over the place and access profiles disappearing from roles (or worse, roles keeping the access which is only ever supposed to be temporarily assigned). This turns a 2-minute automated job into a multi-hour manual slog.