On 3/25/19 4:34 PM, fp IDMWORKS wrote:
> A customer is using dynamic groups to grant RBPM Roles. When they have
> exceptions they add the user to the excluded members of the dynamic
> group.
> It would be great if the dynamic group could be used in a fulfillment to
> remove permissions by adding the user to the excluded members. This way
> custom workflows wouldn't have to always be considered. The customer
> would still need to clean up data for long term use of the attributes in
> the filter. You wouldn't want all non-active students at a university
> added to an excluded list that would accumulate over the years. It would
> be intended for short term use cases where the rights could be revoked
> either till the status change comes through on the dynamic filter data
> that is basing its rights, or until the user's temporary restrictions
> can be removed and they are removed from the excluded list. A background
> job might have to be used to validate if an excluded user could be
> removed if the LDAP filter wouldn't find the user any longer in the
> group.
> Is this a possibility with the current fulfillment architecture to add
> this as an enhancement request?
> If it isn't currently possible, would it be worthwhile to have a workflow
> template to handle dynamic group exclusions?

If your question is whether ID Gov currently has an eDirectory
Fulfillment configuration for managing memberships in a Group as
outlined above, we do not. If you do not want to use a custom workflow,
then you could create your own custom Fulfillment by utilizing the SDK
that ships with ID Gov.

Steven Williams
Principal Enterprise Architect
Micro Focus