Any sure process on finding the duplicates in question? Since it is collecting all the data and seeing the number of duplicates, it would be nice to have a way to report what the duplicates are so that we can easily look at what data may need to be cleaned up. Or is there consideration to store all permissions regardless of multiple duplicates in the future so that a review or report could be ran to help identify the duplicates.

My concern is that if you have a duplicate entry but IG only stores one permission and not all of the duplicates, then when a fulfillment happens it only handles the one. The reviewer assumes only one permission and that it should now be removed.

Example, if you have a dynamic group assignment to a role, and then a static user assignment to a resource associated to the role, you will have duplicates. Or I am assuming if you have multiple dynamic groups associated with multiple roles and those roles contain some of the same resources, etc.

So I get that eliminating duplicates may not be what is desired, depending on the implementation and use case. But it would be nice to store them all and evaluate all of them or at least notify a reviewer that there has been multiple detected and that further reviews will need to be assessed, etc...

Am I over thinking this?
Any way to dump the duplicate data out? I have two customers with 10k+ warnings with collections for duplicate permissions. Not that many duplicates, but that many warnings with maybe as many as 21 duplicates, I have seen on a group.

Currently I am doin an export of all objects with a DirXML-Entitlementref and nrfAssignedResource. I then export it to csv and open it with notepad and search on the permisionId value to pull up all within the current document. I'm assuming that is an Okay approach, but tedious.

thanks,
Fred