1° of all, thanks for your reply.
I'm using a hierarchical OU structure, the user store is a supported Relational Database.
Apart from the Organization Access Roles i mentioned in my question, we also have defined typical Access Roles having member rules such as "where ( Access Roles contains “DELIVERY” )" & Add Action: "Add to “DELIVERY access role" & Remove Action “Remove from DELIVERY Access Role"; in this case manually assigning the role to a user does trigger the Assign|Revoke AccessRoleEvent.
Going back to my original Question & your suggestion, at the moment the create or modify user event is the solution we have in place but i would like to get rid of it with a more elegant way because :
- In the PXs i've to check the type of modification performed on the user; as of today we are only using Organization as Access Roles, but in future we may use also other filters in the member rule, such as user's company, user's office and so on, or even create complex member rule (es. 'In organisation X' & 'In office Y' & 'user not disabled' & 'is internal user'), and its gonna be hard to evaluate all that in PXs; I wouldn't have to deal with all that if even in the case of automatic membership, IDM would generate some events like Assign|Revoke AccessRoleEvent.
- The actuals PXs are evaluated in every user modification, and appear in the VST adding a extra informations which may cause mistakes in troubleshooting problems.
Thank you,
Christian.