EmptyPersonalRole
Automated cleanup of personal roles when users move between departments.
Revokes or empties a user's Personal Role when key org attributes change, preventing access drift and improving mover safety.
Overview
In dynamic organizations, employees often change departments, but their access rights do not always follow. The Empty Personal Role add-on ensures that personal roles tied to a user's old department are automatically removed when their department changes.
This automation eliminates the need for manual cleanup, reducing the risk of inappropriate access and ensuring that users retain only the permissions relevant to their new role. By integrating seamlessly with OpenText IAM processes, it supports a clean, compliant, and efficient identity lifecycle.
Features
When a user's departmentNumber attribute changes, the driver enumerates all roles assigned to that user, identifies the personal ones by matching them against the defined naming convention, and removes any associated child-role relationships, fully automating the cleanup of obsolete personal assignments.
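The cleanup sequence described above, as an added Python simulation rather than the add-on's own driver policy. The `PR-<uid>` naming convention, the event dictionary shape and every role name are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Assumed naming convention for personal roles; the page does not specify one.
PERSONAL_ROLE_PATTERN = re.compile(r"^PR-[A-Za-z0-9._-]+$")

@dataclass
class Role:
    name: str
    child_roles: set = field(default_factory=set)

@dataclass
class User:
    uid: str
    assigned_roles: list  # names of roles assigned to this user

def is_department_move(event):
    """True only for a real move: departmentNumber had a value and it changed."""
    if event.get("attribute") != "departmentNumber":
        return False
    old, new = event.get("old"), event.get("new")
    return bool(old) and bool(new) and old != new

def empty_personal_roles(event, user, roles):
    """Strip child-role links from the user's personal roles.

    Returns the (role, child) links removed, as an audit trail.
    Non-personal roles and other users' personal roles are left alone.
    """
    removed = []
    if not is_department_move(event):
        return removed
    for name in user.assigned_roles:
        role = roles.get(name)
        if role is None or not PERSONAL_ROLE_PATTERN.match(name):
            continue
        removed.extend((name, child) for child in sorted(role.child_roles))
        role.child_roles.clear()
    return removed

def build_sample():
    """Constructed sample data: one mover, one shared role, one bystander."""
    roles = {
        "PR-jdoe": Role("PR-jdoe", {"Finance-Reports", "Finance-Ledger-Read"}),
        "PR-asmith": Role("PR-asmith", {"HR-Records"}),
        "All-Employees": Role("All-Employees", {"Intranet-Read"}),
    }
    return User("jdoe", ["All-Employees", "PR-jdoe"]), roles
```

The returned list doubles as a review record of what a mover lost, and a second run over the same event returns nothing because the personal role is already empty.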
Benefits
Ensures users only retain relevant access after departmental changes
Reduces manual administration and potential for human error
Strengthens compliance with internal access-control policies
Prevents lingering access rights that pose security risks
Improves data consistency within OpenText IAM
Enhances audit readiness by maintaining accurate role assignments