We have two applications: Application A with Access group AG1, and Application B with AG2. A user has to be provisioned to access both applications. In the user portal there's an icon to switch applications.
Scenario: Initially the user is provisioned for both applications. Later he is inactivated for Application B. What is the best approach to restrict the "Switch Application" to Application B? We are using the Pega OOTB rule to populate the switchApp list. Should we delete the AG from the user profile when he's inactivated (in this scenario delete AG2) and add the access group back when the profile is reinstated, or is there a better solution to this?
I would think the best way to maintain the list of AccessGroups, the Applications the user has access to, is by updating the user profile. That is the intention of the list of AccessGroups in the operator profile.
With the standard OTB PRPC login, known as PRBasic used for /PRServlet, you can't modify the operator profile during login. However, when you implement SSO with a PRCustom style, SAML or other, you do have the ability to modify this list of AccessGroups before the user is logged in.
For example, if using SSO and the user system of record stored in Active Directory contained the list of Applications the user has access to, then you could, during the PRPC login, automatically update the user's Data-Admin-Operator-ID to reflect this list. Then it's automatically changed in PRPC the next time the user logs in after the user's system of record is updated in Active Directory.
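The reconciliation step described in the answer above, sketched as an added example that is not part of the original thread and is plain Python rather than Pega rules or Pega API calls. The group DNs, the DN-to-access-group mapping and the function name are assumptions; it also covers the case from the question where the revoked group (AG2) was the operator's default.

```python
# Added illustration: plain Python, not Pega rules or Pega API calls.
# All group DNs and the mapping below are constructed sample values.

# Assumed mapping from directory group DN (lower-cased) to access group name.
GROUP_TO_ACCESS_GROUP = {
    "cn=app-a-users,ou=groups,dc=example,dc=com": "AG1",
    "cn=app-b-users,ou=groups,dc=example,dc=com": "AG2",
}


def reconcile_access_groups(member_of, current_groups, current_default):
    """Return (access_groups, default_group) the operator should hold after login.

    member_of:       group DNs asserted by the directory for this login
    current_groups:  access groups currently stored on the operator record
    current_default: the operator's current default access group
    Raises PermissionError when the directory grants no mapped application.
    """
    # DNs are compared case-insensitively; unmapped groups grant nothing.
    entitled = set()
    for dn in member_of:
        access_group = GROUP_TO_ACCESS_GROUP.get(dn.strip().lower())
        if access_group is not None:
            entitled.add(access_group)

    if not entitled:
        # Fail closed: never fall back to what the stale profile still lists.
        raise PermissionError("no application entitlement in system of record")

    # Keep existing order for groups still entitled (dropping duplicates),
    # then append newly granted groups in a stable order.
    kept = [ag for ag in dict.fromkeys(current_groups) if ag in entitled]
    added = sorted(entitled - set(kept))
    access_groups = kept + added

    # If the default access group was revoked, move to the first remaining one
    # so the session cannot start in an application the user lost.
    if current_default in entitled:
        default = current_default
    else:
        default = access_groups[0]
    return access_groups, default
```

Because the result is computed from the directory on every login, the switch-application list can only show what the system of record currently grants.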