Is anyone using Access Roles in Identity Manager for purposes other than SiteMinder? If so, how and why? I read in the documentation that they're intended for use with application tasks managed by (?) or coordinated with (?) SiteMinder, somehow. But that doesn't mean anything to me, as our particular implementation doesn't include SiteMinder. If I understand them correctly -- which I'm pretty sure I don't -- this makes them "Admin Roles without Admin Tasks", to a certain degree.
It occurs to me that Access Roles may be useful as a "dynamic grouping" mechanism, or as a means to encapsulate scoping rules into a self-contained object that can be leveraged elsewhere in IM. This may or may not have value, considering that Identity Policies can be used for the same kind of thing. But I'm wondering about the costs versus benefits of Identity Policies versus Access Roles for the purposes of dynamic grouping. I'm not sure I have a complete understanding of when objects are evaluated for inclusion in an Access Role, as compared to Identity Policies, which seem to be triggered by events related to user object modification.
What do you think? I appreciate any knowledge you may choose to share with me in these regards. Thanks!