I am looking to create compound rules for a set of resources. The first
criterion is that they match some rule (or need to belong to a group),
and the second is that they need to have gone through a normal
request/approval process or been assigned on an ad hoc basis to finally get
assigned the resource. I want to be able to define different criteria
for the first criterion depending upon the resource. The tricky part
seems to be to trigger the re-evaluation on change to the rule-based
criteria. http://tinyurl.com/lc8hgvh gives some assistance, but I was
looking for collective wisdom if others have done this and if this is
the approach they have used. Or if people can give insight on why not
to create something like this and I will have to go back to the drawing

A few use cases ...
A person is a member of the finance group so that they can request and be
assigned some rights/resources through an approval process. If that
person leaves the finance group to now be a member of the marketing
group, I want the resources that were tagged with a compound rule that
they needed to be in the finance group to be auto-revoked.

A person has requested and been granted additional door access in their office
building to a teleconference room shared by the finance and
marketing groups. When they transfer, this resource is not auto-revoked.

As far as scale goes, the first criterion would have about 15 different
rules, while the second, ad hoc/request-based, will probably be 300-400
resources. Ideally, I would like a resource admin, when creating the
resource, to be able to easily tag the resource with the additional
rule-based criteria.

schwoerb's Profile: https://forums.netiq.com/member.php?userid=2338
View this thread: https://forums.netiq.com/showthread.php?t=52221
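The compound rule and the two use cases described in the post above, modelled as an added example that is not part of the original post and is not NetIQ code. All class, function and resource names are hypothetical, and tagging the shared room with both groups is an assumption about how that resource would be set up.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Resource:
    name: str
    # Rule-based criterion chosen by the resource admin: groups that qualify
    # a holder. None means untagged, so approval alone is sufficient.
    required_groups: Optional[frozenset] = None

@dataclass
class Person:
    name: str
    groups: set = field(default_factory=set)
    approved: set = field(default_factory=set)  # granted via request/approval or ad hoc

def eligible(person, resource):
    """First criterion: does the person match the resource's rule tag?"""
    tag = resource.required_groups
    return tag is None or bool(person.groups & tag)

def grant(person, resource):
    """Compound rule: an approval only takes effect if the rule criterion holds."""
    if not eligible(person, resource):
        return False
    person.approved.add(resource)
    return True

def change_groups(person, new_groups):
    """A membership change triggers re-evaluation of every approved resource.
    Returns the names of resources that were auto-revoked."""
    person.groups = set(new_groups)
    revoked = {r for r in person.approved if not eligible(person, r)}
    person.approved -= revoked
    return sorted(r.name for r in revoked)

# Constructed sample resources for the two use cases in the post.
LEDGER = Resource("finance-ledger", frozenset({"finance"}))
ROOM = Resource("teleconference-room-door", frozenset({"finance", "marketing"}))

def demo():
    alice = Person("alice", {"finance"})
    grant(alice, LEDGER)
    grant(alice, ROOM)
    revoked = change_groups(alice, {"marketing"})  # transfer finance -> marketing
    return revoked, sorted(r.name for r in alice.approved)

if __name__ == "__main__":
    print(demo())
```

Because revocation is derived from the tag on each resource, only the roughly 15 rule definitions need maintaining while the 300-400 requestable resources just reference one of them.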