I want to disable the Remove button for the roles where no one must have an option to remove members/entitlements in the role.
Could you please help me with how it can be done?
Are you looking to do this within the screens for managing roles within the BRM module?
Yes, I want it within the screen, and no one must be able to remove the members/entitlements.
I am not sure if this is possible or advisable.
How many users in your organisation currently have access to these screens to be able to change roles? I would look into restricting the users that can access this part of the product as it shouldn't be widely accessible. In my opinion, only your system administrators and role owners should be able to, and they should have the ability to edit the roles, including adding/removing permissions within the role.
A related note on role memberships worth considering is that users being added/removed from roles should either be done by Membership Rule or explicit request via ARM to avoid roles sitting in a 'locked' state while changes are provisioned.
Yes, we use role membership and we have already disabled Add members/entitlements, and we are collecting roles via Role collection, but sometimes members used to be removed manually and it leads to some issues in the entire role, so that's why we are looking to disable that button.
I know we can do it using JavaScript; that's why I am just checking whether any possible code can be used.
Before going down the route of scripting and coding things, it is much better to fully understand what you are trying to achieve and try to do this with ootb configuration. Can you expand on the use case that is causing you issues please:
Confirming these are collected roles from an external source and not managed roles in IGL?
Who are the users causing the issue and what exactly are they removing and from where in the UI?
Yes, we are collecting data using role collection.
Every role-based access, either Add Role to the member or Remove Role from the members, must go through Access request forms, and so by default the role owner must have an option to remove from the role, and so we want to mask the Remove button to avoid the removal of members/entitlements from the role.
OK so the only users who can currently see this option are Role Owners. They have this ability through the ootb Role Administrator Aveksa app role that contains these entitlements:
If it is only your role owners who are potentially causing this issue I would recommend training and communication with them so that they do not attempt to edit the collected roles they own via the BRM module – specifically calling out removing members or entitlements.
I totally agree with what you say, but as per the requirement I must not show any button enabled in the BRM for the specific rolesets.
Before making any further recommendations on this, can you outline what the role owners are required to do within IGL for the roles they own such as:
I want to make sure any recommendations take into consideration all use cases you have for these users.
Also double checking that apart from Admin and Role Owners no other set of users can currently see the Remove option within BRM through any custom Aveksa permissions or other means?
These accesses are driven by Aveksa application entitlements. Users with Role management access will always be able to edit roles. If you want to restrict to view only, you can provide "Role: View All" access instead of higher role privileges.
I feel that the "Available for Request" setting should apply to both adds and removes but it only applies to adds.
Hi Becca - can you create a separate thread expanding on this please?
If what you explain is working as designed it may be something that can be raised for consideration here: RSA Ideas for RSA Identity Governance & Lifecycle | RSA Link
You can either play with the security contexts of the Aveksa entitlements' scope. If that isn't suiting your needs since the user might need to edit the role metadata where the view all would prevent such a change from happening, there is a CSS option to hide them where this can be easily done starting V 7.1.0 with the CSS file upload being available, however they're just not visible but are still there :-)
You can get rid of the Add button on the Members tab only by changing the Role Set policy. Simply set "Deny" to Users as members. You will still have the Remove button beside existing members and all roles will show a small warning at the top saying "X users are not allowed in this Role".