What is a one-sentence summary of your feature request?
Perform reconciliation at the role level instead of at the resource type level for “account only” roles
Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.
In NIM’s standard behavior, when an account (resource type) is created directly in an application and detected through the synchronization process, it is automatically flagged as “unauthorized”, and a task is generated in the “Resource Reconciliation” screen.
This occurs even when a rule in the role model establishes a link between the role and the corresponding resource type.
In such cases, we would prefer that NIM generate the task in the “Role Reconciliation” screen instead, since the linkage is already defined by a rule.
This behavior is already supported by NIM, but only when the rule links a role to a navigation (such as an AD group) within the resource type.
How do you currently solve the challenges you have by not having this feature?
We manually do the work to identify users who were authorized for the resource type via the “Resource Reconciliation” screen, and then assign them the corresponding role.