I am looking to create compound rules for a set of resources. The first
criterion is that they match some rule (or need to belong to a group),
and the second is that they need to have gone through a normal
request/approval process or been assigned on an ad hoc basis to finally get
assigned the resource. I want to be able to define different criteria
for the first criterion depending upon the resource. The tricky part seems
to be to trigger the re-evaluation on change to the rule-based criteria.
http://tinyurl.com/lc8hgvh gives some assistance, but I was looking for
collective wisdom if others have done this and if this is the approach
they have used. Or if people can give insight on why not to create
something like this and I will have to go back to the drawing board.

A few use cases ...
A person is a member of the finance group, so they can request and be
assigned some rights/resources through an approval process. If that
person leaves the finance group to now be a member of the marketing
group, I want the resources that were tagged with a compound rule that
they needed to be in the finance group (or have a finance role, which is
possible) to be auto-revoked.

A person has requested/been granted additional door access in their office
building to a shared teleconference room shared by the finance and
marketing groups. When they transfer, this resource is not auto-revoked.

As far as scale goes, the first criterion would have about 15 different
rule-based criteria (certain role, certain group, certain attribute, etc.),
while the second, ad hoc/request-based, will probably be 300-400 resources.
Ideally, I would like it if, when a resource admin is creating the resource,
they can easily tag the resource with the additional rule-based criteria.

schwoerb's Profile: https://forums.netiq.com/member.php?userid=2338
View this thread: https://forums.netiq.com/showthread.php?t=52404
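
Added example, not part of the original post and not tied to any identity product: a minimal Python model of the compound rule described above, where a grant survives only while the resource's rule tag still matches, and re-evaluation runs on a group change. All names (`CATALOG`, `grant`, `reevaluate`, `transfer`, the resource names) are hypothetical, and tagging the teleconference room with "finance or marketing" is an assumption about how the second use case would be expressed.

```python
from dataclasses import dataclass, field
from typing import Callable

Rule = Callable[["Person"], bool]  # criterion 1: rule-based eligibility

@dataclass
class Person:
    name: str
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)
    granted: dict = field(default_factory=dict)  # resource -> "request" | "adhoc"

def in_group(*groups: str) -> Rule:
    return lambda p: bool(p.groups & set(groups))

def has_role(role: str) -> Rule:
    return lambda p: role in p.roles

def any_of(*rules: Rule) -> Rule:
    return lambda p: any(r(p) for r in rules)

# Constructed catalogue: the resource admin tags each resource with a rule
# (None means the resource has no rule-based criterion).
CATALOG = {
    "finance-ledger": any_of(in_group("finance"), has_role("finance-role")),
    "telecon-room-door": in_group("finance", "marketing"),
    "parking-pass": None,
}

def grant(person: Person, resource: str, via: str) -> bool:
    """Criterion 2 (request/approval or ad hoc) only succeeds if criterion 1 holds."""
    rule = CATALOG[resource]
    if rule is not None and not rule(person):
        return False
    person.granted[resource] = via
    return True

def reevaluate(person: Person) -> list:
    """Revoke every grant whose rule tag no longer matches; return what was revoked."""
    revoked = sorted(r for r in person.granted
                     if CATALOG[r] is not None and not CATALOG[r](person))
    for r in revoked:
        del person.granted[r]
    return revoked

def transfer(person: Person, old_group: str, new_group: str) -> list:
    """The trigger: any change to a rule input re-runs the evaluation."""
    person.groups.discard(old_group)
    person.groups.add(new_group)
    return reevaluate(person)
```

In a real deployment the `transfer` hook corresponds to whatever event fires on a group, role or attribute change; a periodic full `reevaluate` pass catches changes that bypass the event.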