When Access Profiles or Entitlements are removed from a Role, Why is it not propagated?

I know the documentation calls out that if an access profile or an entitlement is revoked from a role, it isn’t revoked from people who already got the role.

I always wondered why this was the case. Adds are allowed to propagate and go through but not revokes. Why? I know IdentityIQ let both adds and removes propagate to existing users, so just curious why this was a design choice for IDN.

Hi @sushantkulkarni

Thanks for bringing this up. Indeed, it is an interesting scenario, and I wish it would work just like IIQ.

I guess the reason is that IDN doesn't know how a specific access is granted to the user. Is that access assigned to the user because of a Role, Access Profile or Entitlement, or is it assigned at the target system? Maybe that's why.

Since they have documented it as well, can we consider it a limitation for now? Hope the SP developers will develop this in the future.

However, we can propose an idea.

Thanks
Krish
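Both the question and the reply describe the same gap: an entitlement dropped from a role stays with identities that already hold the role, and IDN does not record why a given access item was granted. The following is an added example, not code from SailPoint or from either poster, showing the kind of reconciliation check a defender can run over exported access data to find that lingering access. The data model (roles, identities, and the source labels "role:<name>", "direct", "unknown") is a constructed assumption for illustration, not the IDN API.

```python
"""Find access that lingers after an entitlement was removed from a role.

Constructed example: a toy model of roles, identities and the recorded
source of each held entitlement. Nothing here calls IdentityNow.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    entitlements: frozenset  # the role's definition as it stands today


@dataclass
class Identity:
    name: str
    roles: frozenset  # roles currently assigned to the identity
    access: dict      # entitlement -> recorded source: "role:<name>", "direct" or "unknown"


# Constructed sample data. The "dba" role used to grant "db_write"; an admin
# removed it, but nothing was revoked from existing role holders.
ROLES = {
    "dba": Role("dba", frozenset({"db_read"})),
    "analyst": Role("analyst", frozenset({"db_read", "report_view"})),
}

IDENTITIES = [
    # Still has the role, but the role no longer contains db_write.
    Identity("alice", frozenset({"dba"}),
             {"db_read": "role:dba", "db_write": "role:dba"}),
    # db_write was requested directly, so it is not a side effect of the role edit.
    Identity("bob", frozenset({"analyst"}),
             {"db_read": "role:analyst", "report_view": "role:analyst", "db_write": "direct"}),
    # Source was never recorded; nobody can say whether the role edit should revoke it.
    Identity("carol", frozenset({"dba"}),
             {"db_read": "role:dba", "db_write": "unknown"}),
    # Lost the dba role entirely, but the access it once granted is still there.
    Identity("dave", frozenset({"analyst"}),
             {"db_read": "role:analyst", "db_write": "role:dba"}),
]


def entitlements_granted_by_roles(identity, roles):
    """Union of entitlements that the identity's current roles define today."""
    granted = set()
    for role_name in identity.roles:
        role = roles.get(role_name)
        if role is not None:
            granted |= role.entitlements
    return granted


def classify_access(identities, roles):
    """Sort every held entitlement into one of three buckets.

    stale  : recorded as granted by a role, but no current role of the
             identity grants it any more (role edited, or role removed).
    review : source unknown and no current role explains it; a person
             has to decide, which is exactly the ambiguity the reply describes.
    ok     : explained by a current role, or explicitly a direct assignment.
    """
    findings = {"stale": [], "review": [], "ok": []}
    for ident in identities:
        by_roles = entitlements_granted_by_roles(ident, roles)
        for ent, source in sorted(ident.access.items()):
            if ent in by_roles or source == "direct":
                findings["ok"].append((ident.name, ent))
            elif source.startswith("role:"):
                findings["stale"].append((ident.name, ent, source))
            else:
                findings["review"].append((ident.name, ent))
    return findings


if __name__ == "__main__":
    result = classify_access(IDENTITIES, ROLES)
    for bucket in ("stale", "review"):
        for row in result[bucket]:
            print(f"{bucket:6} {row}")
```

The "stale" bucket is the list a reviewer would feed into a revocation campaign; the "review" bucket is the set that cannot be cleaned up automatically because the source was never captured, which is why recording the source of every grant matters more than the propagation rule itself.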
