What is a one sentence summary of your feature request?
Parameter values for a manual role must be taken into account even after assignment
Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.
A role with parameters can be assigned because the automatic assignment rule is met. If the rule is no longer met (for example: a change in the value of one of the dimensions used), the role is automatically removed.
When assigning a role with parameters manually, the values to be taken into account for each parameter are selected. If any of the values change in the user’s record, the role must be removed. This is not the case. Currently, the role is always assigned. In cases where the role grants access to a resource type, the resource is not deleted; only the scalar rules are. There is no provisioning order for deletion.
The current behaviour needs to change. If any of the values used for a parameter during the manual assignment of a role changes, the role must be removed. The behaviour should be similar to that for roles assigned automatically via defined rules.
How do you currently solve the challenges you have by not having this feature?
To identify the roles to be removed, we use the data extraction feature available on the Assigned Roles page and a report we have created to extract the list of records. We then use Power Query to cross-reference the data.
We could perhaps use the recertification module, but we are not yet familiar with it.
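The cross-reference described in the workaround above can be scripted. This is an added example, not part of the original request and not the product's own code; the CSV column names, role names, and sample rows are constructed assumptions standing in for the Assigned Roles export and the user-record report.

```python
import csv
import io

# Constructed sample exports. Column names are assumptions, not the product's schema.
ASSIGNED_ROLES_CSV = """user_id,role,assignment_type,parameters
u1,BranchManager,Manual,department=Finance;site=Paris
u2,BranchManager,Manual,department=HR;site=Lyon
u3,BranchManager,Automatic,department=IT;site=Paris
u4,SiteAuditor,Manual,site=Berlin
"""

USER_RECORDS_CSV = """user_id,department,site
u1,Finance,Paris
u2,HR,Paris
u3,IT,Paris
"""


def parse_parameters(text):
    """Turn 'k1=v1;k2=v2' into a dict of parameter name -> value chosen at assignment."""
    return dict(pair.split("=", 1) for pair in text.split(";") if pair)


def find_stale_manual_roles(roles_csv, users_csv):
    """Return (user_id, role, reason) for manual roles whose parameters no longer match."""
    users = {r["user_id"]: r for r in csv.DictReader(io.StringIO(users_csv))}
    stale = []
    for row in csv.DictReader(io.StringIO(roles_csv)):
        if row["assignment_type"] != "Manual":
            continue  # automatic assignments are removed when their rule stops matching
        user = users.get(row["user_id"])
        if user is None:
            stale.append((row["user_id"], row["role"], "user record missing"))
            continue
        for name, assigned in parse_parameters(row["parameters"]).items():
            current = user.get(name)
            if current != assigned:
                reason = f"{name}: assigned {assigned!r}, now {current!r}"
                stale.append((row["user_id"], row["role"], reason))
    return stale


if __name__ == "__main__":
    for finding in find_stale_manual_roles(ASSIGNED_ROLES_CSV, USER_RECORDS_CSV):
        print(*finding, sep=" | ")
```

Each finding is a manual assignment that would have been withdrawn had it been granted by an automatic rule, so the list is the review queue for revocation and for checking whether the related resource access still exists.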