I am trying to see if I can implement this in Adaxes somehow to support role-based provisioning to external apps (using appropriate Powershell scripts) but struggling to work out how to implement chages properly.
I create a container - e,g Roles - and then create gropus below this to represent each role, These in turn contain sub-groups to represent application access and further sub-gropus for the permissions within each app.
Assuming that I have suitable AIPs then when a user is added to a Role group I can use a business role triggered by a change in group membership to initiate workflow to call application provisioning APIs to create accounts in each of the applications with the associated permission sets.
However, if a user changes role in the organisation I need to be apply 'delta' changes to the provisioning rather than completely deprovisioning application accounts and then recreating them.
So in the case above, if a user changes role from Role 1 to Role 2 I need to be able to determine that the resultant api calls are to:
- Remove Permissions A1 and A3 from Application A
- Remove Permission B1 from Application B and add Permission B3
- Deprovision from Application C
However, I am struggling to work out if itwould be possible/practical to be able implement this model in Adaxes or whether I need to invest in a full-blown role-based provisioning platform (would rather not!).