I don't know if you can prevent it, but I am pretty sure you can immediately fix it. You can create an event handler like this:
<action-handler class="com.client.code.eventhandler.RoleUserProcessor" entity-type="RoleUser" operation="CREATE" name="RoleUserProcessor" stage="postprocess" order="1000" sync="TRUE"/>
This is just a sample event handler that I've used before, which did a check any time a user became a member of a role in order to perform a certain action. You could do some testing on the operation type, and the stage if you want. But it is possible for you to know any time a user is added to this role, and any time a user is added to a different role, to check if they are a member of the role you mention. If they are a member, use the APIs to remove them from any others. If they get added to a new role, immediately remove them.
So yes, it is possible, and perhaps this can give you a start at some testing.
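A worked version of the handler class that the action-handler above points at, added here as an example rather than the poster's own code. It assumes the OIM 11g R2 PostProcessHandler and RoleManager APIs, that a RoleUser CREATE orchestration exposes the role key as the target entity id and the granted users under a "userKeys" parameter, and it uses a placeholder role name: when the exclusive role is granted it revokes every other direct role, and when a holder of the exclusive role is granted any other role it revokes that new role.

```java
package com.client.code.eventhandler; // matches the class attribute of the action-handler above
import java.io.Serializable;
import java.util.*;
import java.util.logging.Logger;
import oracle.iam.identity.rolemgmt.api.RoleManager;
import oracle.iam.identity.rolemgmt.vo.Role;
import oracle.iam.platform.Platform;
import oracle.iam.platform.kernel.spi.PostProcessHandler;
import oracle.iam.platform.kernel.vo.*;
public class RoleUserProcessor implements PostProcessHandler {
    private static final Logger LOG = Logger.getLogger(RoleUserProcessor.class.getName());
    private static final String EXCLUSIVE_ROLE = "EXCLUSIVE_ROLE_NAME"; // placeholder role name
    // Assumption: for a RoleUser CREATE the target entity id is the role key and the
    // "userKeys" orchestration parameter lists the users receiving the grant.
    public EventResult execute(long processId, long eventId, Orchestration orch) {
        enforce(orch.getTarget().getEntityId(), orch.getParameters());
        return new EventResult();
    }
    public BulkEventResult execute(long processId, long eventId, BulkOrchestration orch) {
        for (HashMap<String, Serializable> p : orch.getBulkParameters()) enforce(orch.getTarget().getEntityId(), p);
        return new BulkEventResult();
    }
    @SuppressWarnings("unchecked")
    private void enforce(String grantedRoleKey, HashMap<String, Serializable> params) {
        RoleManager rm = Platform.getService(RoleManager.class);
        List<String> userKeys = (List<String>) params.get("userKeys");
        if (userKeys == null) return;
        for (String userKey : userKeys) try {
            List<Role> held = rm.getUserMemberships(userKey, false); // direct grants; includes the new one at postprocess
            Role exclusive = null;
            for (Role r : held) if (EXCLUSIVE_ROLE.equals(r.getName())) exclusive = r;
            if (exclusive == null) continue; // not a holder of the exclusive role: nothing to enforce
            boolean grantedIsExclusive = exclusive.getEntityId().equals(grantedRoleKey);
            for (Role r : held) {
                String key = r.getEntityId();
                // Exclusive role just granted: drop all other roles. Other role granted to an
                // exclusive-role holder: drop only the role that was just added.
                boolean drop = grantedIsExclusive ? !key.equals(exclusive.getEntityId()) : key.equals(grantedRoleKey);
                if (!drop) continue;
                rm.revokeRoleGrant(key, new HashSet<String>(Collections.singleton(userKey)));
                LOG.info("Revoked role " + r.getName() + " from user " + userKey + " (exclusivity rule)");
            }
        } catch (Exception e) {
            LOG.severe("Exclusivity check failed for user " + userKey + ": " + e);
        }
    }
    public void compensate(long processId, long eventId, AbstractGenericOrchestration orch) {}
    public boolean cancel(long processId, long eventId, AbstractGenericOrchestration orch) { return false; }
    public void initialize(HashMap<String, String> params) {}
}
```

Register it with the action-handler entry above (entity-type RoleUser, operation CREATE, stage postprocess, sync TRUE) and the class name in the plugin's metadata; the revoke calls themselves raise further RoleUser orchestrations, so the handler must not loop on them, which the exclusive-role check above guarantees.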
Thanks for your answer.
Does OIM support any kind of segregation of duties? SOD handles something of that kind.
You can integrate with SOD applications (you'll have to check the documentation) which check when a user receives roles/groups on a child table for validation, but I am not sure if it works like that for internal OIM roles.