I have a use case where I need to delete a role (remove the actual role definition, not remove a role from a person) programmatically. Looking at the WSRoleService, I don't see an exposed method for this, and my initial idea is to do the following:
1) Get the role object by a filtered search
2) Search all the persons that have the role so that I can remove the role from them. This will trigger all applying PPs to deprovision entitlements.
3) Get all PP policies that have this role as member role and:
a) modify them to remove the member role if the role is one of many
b) remove the PP entirely if the role to be deleted is the only member
4) Remove the role from the LDAP directly (as there is no exposed way to do this via the APIs)
Does anyone see any flaw in the logic or anything else that should be taken into consideration?
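
Added example, not part of the original post and not the product's API: the ordering of steps 2 to 4 above, modelled in Python over constructed in-memory data, with a guard that refuses the final directory delete while any person or policy still references the role. The `Person` and `Policy` classes, the action names and all DNs are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Person:
    dn: str
    roles: set = field(default_factory=set)         # role DNs held

@dataclass
class Policy:
    name: str
    member_roles: set = field(default_factory=set)  # role DNs in the membership

def build_plan(role_dn, persons, policies):
    """Ordered (action, target) steps for removing one role definition."""
    # Step 2: remove the role from holders while the policies still exist,
    # so the policies can deprovision what they granted.
    plan = [("remove_role_from_person", p.dn) for p in persons if role_dn in p.roles]
    for pol in policies:                             # step 3
        if role_dn in pol.member_roles:
            sole = pol.member_roles == {role_dn}     # 3b if sole member, else 3a
            plan.append(("delete_policy" if sole else "remove_member_role", pol.name))
    plan.append(("delete_role_entry", role_dn))      # step 4, always last
    return plan

def apply_plan(plan, role_dn, persons, policies):
    """Apply to the model; refuse the directory delete if references remain."""
    people = {p.dn: p for p in persons}
    pols = {pol.name: pol for pol in policies}
    for action, target in plan:
        if action == "remove_role_from_person":
            people[target].roles.discard(role_dn)
        elif action == "remove_member_role":
            pols[target].member_roles.discard(role_dn)
        elif action == "delete_policy":
            del pols[target]
        elif action == "delete_role_entry":
            left = [d for d, p in people.items() if role_dn in p.roles]
            left += [n for n, pol in pols.items() if role_dn in pol.member_roles]
            if left:
                raise RuntimeError(f"role still referenced by: {left}")
    return sorted(pols)                              # policies that survive

# Constructed sample data (not taken from any real directory).
ROLE, OTHER = "cn=Contractor,ou=roles,dc=example", "cn=Staff,ou=roles,dc=example"

def sample():
    persons = [Person("alice", {ROLE, OTHER}), Person("bob", {OTHER}), Person("carol", {ROLE})]
    policies = [Policy("VPN", {ROLE, OTHER}), Policy("Badge", {ROLE}), Policy("Mail", {OTHER})]
    return persons, policies
```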