Check 21816 presumes the JIT boundary is at the role assignment layer. We do not account for a customer enforcing JIT elevation into a group, which in turn has a permanent assignment to a role.
Proposal: when a group is found with a permanent role assignment, query PIM eligibility to verify that group membership is managed via PIM for Groups.
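One way the proposed lookup could classify role-assigned groups, as an added example that is not the check's own code: the data is constructed, and the field names (`principalType`, `accessId`, `assignmentType`) are assumptions loosely modeled on Microsoft Graph PIM for Groups objects. A group counts as JIT-protected only when it has eligible members and no standing ones.

```python
# Added example with constructed data; field names are assumptions, not the check's real schema.

# Permanent (active) directory role assignments; the principal may be a user or a group.
ROLE_ASSIGNMENTS = [
    {"principalId": "grp-jit", "principalType": "group", "role": "Global Administrator"},
    {"principalId": "grp-standing", "principalType": "group", "role": "Security Administrator"},
    {"principalId": "grp-mixed", "principalType": "group", "role": "Exchange Administrator"},
    {"principalId": "user-1", "principalType": "user", "role": "Global Reader"},
]

# PIM for Groups eligibility: who may activate membership in each group.
GROUP_ELIGIBILITY = [
    {"groupId": "grp-jit", "principalId": "user-2", "accessId": "member"},
    {"groupId": "grp-mixed", "principalId": "user-3", "accessId": "member"},
]

# Current members: "activated" = time-bound PIM activation, "assigned" = standing membership.
GROUP_MEMBERS = [
    {"groupId": "grp-standing", "principalId": "user-4", "assignmentType": "assigned"},
    {"groupId": "grp-mixed", "principalId": "user-3", "assignmentType": "activated"},
    {"groupId": "grp-mixed", "principalId": "user-5", "assignmentType": "assigned"},
]


def classify_group(group_id, eligibility, members):
    """Return 'jit', 'standing', or 'empty' for one role-assigned group."""
    eligible = {e["principalId"] for e in eligibility
                if e["groupId"] == group_id and e["accessId"] == "member"}
    standing = {m["principalId"] for m in members
                if m["groupId"] == group_id and m["assignmentType"] == "assigned"}
    if standing:
        return "standing"  # someone holds the role with no activation step
    if eligible:
        return "jit"       # membership is reachable only through PIM activation
    return "empty"         # no standing members and no eligibility


def evaluate(role_assignments, eligibility, members):
    """Map each permanently role-assigned group to (role, classification)."""
    return {
        ra["principalId"]: (ra["role"], classify_group(ra["principalId"], eligibility, members))
        for ra in role_assignments
        if ra["principalType"] == "group"
    }


if __name__ == "__main__":
    print(evaluate(ROLE_ASSIGNMENTS, GROUP_ELIGIBILITY, GROUP_MEMBERS))
```

A single standing member is enough to mark the group `standing`, even when other members go through activation, as `grp-mixed` shows.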