We have a requirement of a Role Max Count (Max Count and Counter value Defined on Role Attribue), which means that when Counter value equals Max count, the Assign Role Tasks throws an error that role has reached a max count value.
Have achieved this via PX in IM.
If anyone has some idea, how this can be done on Identity Portal, if we can read role attributes in Portal?
Because when I run the Assign role tasks in Portal, the tasks gets submitted successfully with a reference number but the actual tasks fails in IM without user knowing on the same.
If Portal can throw error message when user runs the self Assign Role Task?
I think the best option would be to open a support case and work it over a WebEx. That way you can provide more details on your current PX policy configuration and we can figure out if it can be achieved in IP as well or not.
Since you are working with CA Support, they probably already provided you with a solution. Otherwise, two alternatives come to my mind off the top of my head to achieve your requirement:
1) you can write a java plugin in CA Identity Portal that queries the Role attributes and then you can use this information in the form handlers. Access request execution path is based on a form after all. Please search java plugin functionality in the Identity Suite documentation on docops.ca.com
2) Do you have CA Identity Governance? In CA Identity Governance you have a possibility to define business policies (BPRs) based on counters, i.e. User Counters of Role and you can define the maximum number of users that could have access to this role. Then you can use Identity Governance BPR rules as risks in Identity Portal or configure Smart provisioning in Identity Manager. Please see below my screens as an example:
Identity Governance User Counters of Role BPR Screen:
I have already exceeded max of 8 users for the CRMEndUser role, so this BPR is already violated.
Here's the message the user receives when checking out CRMEndUser role from Identity Portal as access request WITHOUT defining risk in Identity Portal (this is because smart provisioning is configured in Identity Manager which checks for IG BPR violations). As you can see the BPR compliance message is displayed by CA Identity Manager to the end user.
You can also use Identity Governance risks in Identity Portal and it would likely look much prettier to the end user. If Identity Governance violations are checked in Portal, they would increase the risk score of the cart and the user would not be allowed to check out access based on blocking risks and the user will receive a more user friendly message.
I can't share the Identity Portal risks display screens during the access requests at the moment but I may be able to do so in the future should you be interested.