I created a dynamic group which works based on departmentNumber and
successfully adds and removes users from the membership accordingly. I
created an entitlement, associated it to a resource, associated it to a
role, associated the role to the dynamic group. Users with that
particular departmentNumber value are added to the group, and get the
resource and therefore the entitlement. However, when the user's
departmentNumber is changed, they are removed from the group, but they
are not removed from the role, resource assignment or entitlement grant.
Tried the same thing with a static group and it worked perfectly.

Question is whether this *should* work; creating a dynamic group for
this would be ideal.

This is 4.0.2... probably not patched... Identity Manager Roles Based
Provisioning Module Version 4.0.2 Build Revision 38382


rrawson's Profile: https://forums.netiq.com/member.php?userid=403