In version 2.5.1, each change item in the REMOVE_PERMISSION_ASSIGNMENT change set contains the permission name, but does not contain the permission ID from source. The permission name is the display value that, hopefully, was designed to make clear to the reviewer what the permission is. However, this display value may often not be the permission ID in the source system that is needed to complete de-provisioning.

When doing external fulfillment through an IDM workflow, the lack of permission ID from source in the change set means that an extra REST call must be made for each permission that is to be removed when the permission name and permission ID from source are not the same. This extra REST call is additional processing overhead that could be eliminated if the permission ID from source were already a part of the REMOVE_PERMISSION_ASSIGNMENT change item.

It is odd that permission ID from source is missing from the REMOVE_PERMISSION_ASSIGNMENT change item. Both the account name (accountName) and account ID from source (account) are part of the change item record. Only the permission name (permName) is in the change item record. However, to remove the permission from the account, both the account ID from source and permission ID from source are needed.
