Role Changes on Disconnected Systems

By default, neither the Identity Refresh task nor the Role Propagation task pushes entitlement changes to a target system whose provisioning requires a manual work item (the typical case for a disconnected system). The reason is volume: a single role definition change can affect many identities, and generating a manual work item for each one could produce an overwhelming number of work items.

The Identity Refresh task has a task option that requests generation of manual work items for these provisioning requests. It is called "Enable the generation of work items for unmanaged parts of the provisioning plan".

The Role Propagation task has no such option. Instead, it can be configured to run a business process (workflow) of your own, in which you decide how to handle the un-propagated changes, including forcing the creation of manual work items. The name of that business process must be set in the SystemConfiguration Configuration object, in an entry with the key workflowLCMRolePropagation.
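The following is an added example, not taken from the original page or from the product's shipped configuration, of how that SystemConfiguration entry looks in IdentityIQ object XML. The workflow name "Custom Role Propagation" is a placeholder assumed here; substitute the name of the Workflow object you have written for this purpose.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE sailpoint PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<sailpoint>
  <!-- The "merge" import action adds or updates only the entries listed
       below. Importing a bare Configuration object with the same name would
       replace the entire SystemConfiguration object instead. -->
  <ImportAction name="merge">
    <Configuration name="SystemConfiguration">
      <Attributes>
        <Map>
          <!-- The value is the name of the Workflow object the Role Propagation
               task should run. "Custom Role Propagation" is a placeholder
               assumed for this example. -->
          <entry key="workflowLCMRolePropagation" value="Custom Role Propagation"/>
        </Map>
      </Attributes>
    </Configuration>
  </ImportAction>
</sailpoint>
```

Import the file with the import command in the iiq console (or through the Import from File page), then confirm on the Debug page that the SystemConfiguration object now contains the entry. The Workflow object named in the entry must already exist, or the Role Propagation task will have nothing to run.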

Keep in mind that these un-propagated changes can also be provisioned on a user-by-user basis, because they are visible in certifications. Un-propagated role content additions appear as "missing required roles" in a certification, and un-propagated role content removals appear as individual "extra" entitlements or IT roles in the certification details. The certification can then trigger manual provisioning work items to process the additions, and an informed certifier can revoke the extra access that is no longer required.