Remove directly assigned privileges whenever user attributes like cost center and position change?

Dear Experts,

Currently roles are being assigned to users via dynamic groups, and DGs have been created on filters like cost center, employee type and position. Whenever any of these attributes changes, the previous roles are removed and new roles are assigned. During the initial load, a few privileges are assigned to users as direct assignments, and IdM business roles are assigned via dynamic groups.

Issue: Now whenever a user's position or cost center changes, roles are removed by recalculating dynamic groups once a day, but how can the directly assigned privileges be removed without a manual cleanup?

Available solutions:

Solution 1:

Create a process and link it as a modify event to the cost center and position attributes, which calculates the directly assigned privileges and removes them. If I link the same process as an event task for the position and cost center attributes, and both attributes get modified, then the same task would be triggered twice.

Is there any possibility to trigger this task once?

Solution 2:

Mass cleanup of the directly assigned privileges, which is going to consume a lot of time, and the customer doesn't want this solution as there would be a delay in creating the roles.

If there is any other solution, please do let me know.

Thanks in advance




3 Answers

  • Apr 11, 2018 at 07:55 AM

    Hello Deva,

    Normally costcenter and position are linked as far as I know, aren't they?

    I think position would be the content that is changed more often. So maybe just link the delete task to the position attribute and after that trigger another task that calculates the new direct assignments? You just remove all direct assignments and after that assign them again on the basis of the new costcenter/position.





  • Apr 10, 2018 at 12:50 PM

    Option 1 makes the most sense to me, Deva. I prefer that model to Dynamic Groups. I don't care for DGs and the performance hits that they create.


  • Apr 13, 2018 at 12:08 PM

    A third option would be a maintenance job that is triggered at a regular interval (every hour/day...).

    There you could check, for example, the modifytime of both user attributes (costcenter/position) and react to it by deprovisioning directly assigned privileges. Checking the old values would also be possible.

    This solution has the disadvantage that deprovisioning the directly assigned privileges would not be triggered live, as it is with event tasks.

    I was once searching for the same solution you need at the moment -> an individual configuration of the event tasks.

    Event tasks are really a great tool, but you have to use them carefully, otherwise your job log could explode in future because every attribute modification triggers a process. Like a domino effect, one trigger will trigger another one. We had this case once.

    If there is a possibility to configure event tasks more specifically, I would be very interested in it.

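The maintenance-job approach from the last answer, as an added example that is not part of the original thread and is not SAP IDM code: one sweep that plans the removal of directly assigned privileges once per user, even when both cost center and position changed, which is the double-trigger concern raised in the question. The record layout (`costCenterModified`, `positionModified`, `direct`), the privilege names and the function name are hypothetical, and the sample data is constructed.

```javascript
// Constructed sample data; the field names are hypothetical, not SAP IDM's schema.
const users = [
  { id: "u1", costCenterModified: "2018-04-12T09:00:00Z", positionModified: "2018-04-12T09:00:05Z" },
  { id: "u2", costCenterModified: "2018-03-01T08:00:00Z", positionModified: "2018-04-12T10:30:00Z" },
  { id: "u3", costCenterModified: "2018-03-01T08:00:00Z", positionModified: "2018-03-01T08:00:00Z" },
  { id: "u4", costCenterModified: "", positionModified: "2018-03-01T08:00:00Z" },
];
const assignments = [
  { user: "u1", privilege: "PRIV:FILESHARE_A", direct: true },
  { user: "u1", privilege: "PRIV:FI_DISPLAY", direct: false }, // inherited via a business role
  { user: "u2", privilege: "PRIV:VPN", direct: true },
  { user: "u3", privilege: "PRIV:VPN", direct: true },
  { user: "u4", privilege: "PRIV:FILESHARE_B", direct: true },
];

// One sweep of the maintenance job: each user appears at most once in the plan,
// however many of the watched attributes changed since the last run.
function planDirectPrivilegeCleanup(users, assignments, lastRunIso, sweepStartIso) {
  const lastRun = Date.parse(lastRunIso);
  const sweepStart = Date.parse(sweepStartIso);
  const plan = new Map();   // user id -> { changed, revoke }
  const review = [];        // users whose timestamps could not be read
  for (const u of users) {
    const stamps = { costCenter: Date.parse(u.costCenterModified), position: Date.parse(u.positionModified) };
    if (Object.values(stamps).some(Number.isNaN)) {
      review.push(u.id);    // do not silently skip: stale privileges would survive
      continue;
    }
    // Window is (lastRun, sweepStart]; later changes belong to the next run.
    const changed = Object.keys(stamps).filter(k => stamps[k] > lastRun && stamps[k] <= sweepStart);
    if (changed.length === 0) continue;
    const revoke = assignments
      .filter(a => a.user === u.id && a.direct) // role-derived privileges are left to the dynamic group recalculation
      .map(a => a.privilege);
    plan.set(u.id, { changed, revoke });
  }
  // The next run starts from sweepStart, so nothing modified during this run is missed.
  return { plan, review, nextLastRun: sweepStartIso };
}

const result = planDirectPrivilegeCleanup(users, assignments, "2018-04-12T00:00:00Z", "2018-04-13T00:00:00Z");
for (const [id, p] of result.plan) console.log(id, p.changed.join("+"), "->", p.revoke.join(","));
console.log("manual review:", result.review.join(","));
```

Users with an unreadable modify time go to a review list instead of being skipped, since a silent skip would leave their old direct privileges in place.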