When Access Profiles or Entitlements are removed from a Role, Why is it not propagated?

I know the documentation calls out that if an access profile or an entitlement is revoked from a role, it isn’t revoked from people who already got the role.

I always wondered why this was the case. Adds are allowed to propagate and go through, but not revokes. Why? I know IdentityIQ lets both adds and removes propagate to existing users, so I am just curious why this was a design choice for IDN.

Hi @sushantkulkarni

Thanks for bringing this up. Indeed, it is an interesting scenario, and I wish it would work just like IIQ.

I guess the reason is that IDN doesn't know how a specific access is granted to the user. Is that access assigned to the user because of a Role, Access Profile or Entitlement, or is it assigned at the target system? Maybe that's why.

Since they have documented it as well, can we consider it a limitation for now? Hope the SP developers will develop this in the future.

However, we can propose an idea.

Thanks
Krish