Currently IGA does not check other technical role contents on revoke. When you have two technical roles with (partly) overlapping permissions (which can happen with some shared mandatory groups), IGA fails to check if a user is still entitled to a permission via another technical role.
So:
Technical role A with permissions 1,2,3
Technical role B with permissions 1,2,4,5
When a user requests both technical roles, the user ends up with permissions 1, 2, 3, 4, 5. When an application owner removes technical role B (for example in a review process), IGA removes all permissions from technical role B without checking if the user is still entitled to a permission via another assigned technical role (in this case permissions 1, 2). On revoke of role B, the user has an end state with only permission 3 assigned.
As a technical role administrator I would want an option in a technical role like a checkbox "On revoke: Do not remove permissions that are part of another assigned technical role" (or equivalent).
by: S K. | over a year ago | Configuration
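As an added illustration (this is not IGA's code), a small Python model of the two revoke behaviours described in the post, plus an audit check that flags the resulting drift between assigned roles and held permissions. Role names A and B and permissions 1 to 5 are the constructed values from the post; the function names are assumptions.

```python
"""Constructed model of technical-role revocation; not IGA's implementation."""

# Constructed roles from the post: A = {1,2,3}, B = {1,2,4,5} (overlap on 1 and 2).
TECHNICAL_ROLES = {
    "A": {1, 2, 3},
    "B": {1, 2, 4, 5},
}


def effective_permissions(assigned_roles, roles=TECHNICAL_ROLES):
    """Union of the permissions granted by every still-assigned technical role."""
    perms = set()
    for role in assigned_roles:
        perms |= roles[role]
    return perms


def revoke_role_current(user_perms, assigned_roles, role_to_revoke, roles=TECHNICAL_ROLES):
    """Behaviour described in the post: strip every permission of the revoked role,
    without checking whether another assigned role still grants it."""
    remaining = assigned_roles - {role_to_revoke}
    return user_perms - roles[role_to_revoke], remaining


def revoke_role_preserving(user_perms, assigned_roles, role_to_revoke, roles=TECHNICAL_ROLES):
    """Proposed option: remove only permissions no remaining assigned role grants."""
    remaining = assigned_roles - {role_to_revoke}
    still_entitled = effective_permissions(remaining, roles)
    to_remove = roles[role_to_revoke] - still_entitled
    return user_perms - to_remove, remaining


def audit_permission_drift(user_perms, assigned_roles, roles=TECHNICAL_ROLES):
    """Detection check: 'missing' = permissions a still-assigned role grants but the
    user no longer holds (the bug in the post); 'excess' = held but not justified."""
    expected = effective_permissions(assigned_roles, roles)
    return {"missing": expected - user_perms, "excess": user_perms - expected}


if __name__ == "__main__":
    assigned = {"A", "B"}
    perms = effective_permissions(assigned)           # {1, 2, 3, 4, 5}
    bad, left = revoke_role_current(perms, assigned, "B")
    print("current revoke  ->", sorted(bad), audit_permission_drift(bad, left))
    good, left = revoke_role_preserving(perms, assigned, "B")
    print("preserving revoke ->", sorted(good), audit_permission_drift(good, left))
```

Running the audit after every revoke is a cheap way to detect the end state the post describes (user still holds role A but has lost permissions 1 and 2) until the option exists.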