When a user is terminated, we want to revoke their roles using a workflow.
Birthright (dynamic) roles for which the user no longer meets the membership criteria will be revoked automatically.
The user still has access to the requestable roles, as well as those dynamic roles for which the user still meets the membership criteria. I have a workflow set up to revoke these roles.
After testing my workflow, it only revokes the requestable roles and ignores the dynamic roles, without throwing any error message. Is this expected behaviour?
Does the workflow action (Manage Access) only revoke the requestable roles?
A dynamic role can be revoked only when a user doesn’t meet the membership criteria, or the user is removed from IDN. Am I correct?
In summary, even though the workflow action (Get Access) returns all roles for a user, the workflow action (Manage Access) only revokes the requestable roles, because IDN knows that the user still meets the membership criteria and doesn’t attempt to revoke dynamic role(s).
Yes, the workflow action (Manage Access) only revokes requestable roles, and dynamic roles (assigned using membership criteria) are revoked when the identity does not meet the membership criteria.
Your summary is correct, but you should get errors when trying to revoke dynamic roles via workflow.
When I tried removing dynamic roles using the workflow action (Manage Access), it gave me the following error:
As long as you have fewer than 100 roles assigned to an identity (including birthright and requestable), the workflow will work fine, as Loop Input has a limit of 100 items.