Revoke Grant entitlements order
Yunus Esenkaya
There is currently no way to order Revoke and Grant actions for the same person. As a result, when an account switches from one business rule to another, it is possible that the Grant action is executed first, followed by the Revoke action, which could cause the entitlement to be completely lost.
It would be helpful if, at the very least, actions could always be executed in the following order based on accounts: first Revokes, then Grants, and finally Updates. This would ensure that the actions produce the correct results.
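The ordering problem described in the post above, as an added example that is not part of the original thread and not the product's own code. The `Action` model, the rule names, the `jdoe` account and the `ad-account` entitlement are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Execution phase per action type, as proposed in the post: Revoke, Grant, Update.
PHASE = {"revoke": 0, "grant": 1, "update": 2}

@dataclass(frozen=True)
class Action:
    kind: str         # "revoke" | "grant" | "update"
    account: str      # account in the target system (hypothetical name)
    entitlement: str
    rule: str         # business rule that produced the action

def apply(actions, state=None):
    """Apply actions in the given order to {account: set(entitlements)}."""
    state = {acct: set(ents) for acct, ents in (state or {}).items()}
    for act in actions:
        held = state.setdefault(act.account, set())
        if act.kind == "grant":
            held.add(act.entitlement)
        elif act.kind == "revoke":
            held.discard(act.entitlement)
        # "update" only changes attributes; it never adds or removes access
    return state

def ordered(actions):
    """Stable sort: group by account, then revokes, grants, updates."""
    return sorted(actions, key=lambda a: (a.account, PHASE[a.kind]))

def conflicts(actions):
    """(account, entitlement) pairs that one batch both grants and revokes."""
    seen = {}
    for a in actions:
        seen.setdefault((a.account, a.entitlement), set()).add(a.kind)
    return sorted(k for k, kinds in seen.items() if {"grant", "revoke"} <= kinds)

# Constructed scenario: the person moves from rule A to rule B, and both rules
# manage the same entitlement on the same account.
BEFORE = {"jdoe": {"ad-account"}}
UNORDERED = [
    Action("grant", "jdoe", "ad-account", "rule-B"),   # new rule runs first
    Action("update", "jdoe", "ad-account", "rule-B"),
    Action("revoke", "jdoe", "ad-account", "rule-A"),  # old rule runs last
]

def entitlement_survives(actions):
    return "ad-account" in apply(actions, BEFORE)["jdoe"]

if __name__ == "__main__":
    print("unordered:", entitlement_survives(UNORDERED))
    print("ordered:  ", entitlement_survives(ordered(UNORDERED)))
    print("conflicts:", conflicts(UNORDERED))
```

The `conflicts` check can also be run over a pending batch to flag accounts where two rules disagree before anything is executed.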
Rick van den Dijssel
Hiya Yunus Esenkaya, thanks for this post! I have a few more questions for you:
- Can you provide specific examples or scenarios where the current order of actions has caused issues?
- Are there any specific conditions or exceptions where the current order of actions works as intended?
- How critical is this change to your daily operations or workflow?
Peter Versluis
Rick van den Dijssel
We are also experiencing this problem. We have several business rules running on similar targets. This is because sometimes we have to determine the login name by the AD network's login name and sometimes by email address. When someone then switches between the business rules due to circumstances, things often go wrong. One rule grants an account, the other revokes it.
Rick van den Dijssel
Peter Versluis Is it correct that you use two target systems in your use case?
Peter Versluis
Rick van den Dijssel Unfortunately, yes. This is because the same target system depends on the AD system in one situation and in the other it does not. This has also been discussed and sorted out with support, and we have no other solution for this so far.