Description
When applying new configurations using the collection, it works as expected: the variable definitions are correctly reflected in the actual AAP configuration, which is easy to verify using the Web UI.
However, if any definition is removed or renamed, the earlier definition is in most cases still left in place in AAP, which is most likely unexpected, and removing the old configuration/setting has to be done separately.
There are things that always exist, so for those, if no definition is provided in the current CaC being applied, they should be left as-is, and we can ignore such settings in this discussion.
But, for example, something like authentication mappings defined using gateway_authenticator_maps are typically something that should be present in AAP only if defined in the current CaC being applied. As of now, removing or renaming any definition, e.g. from gateway_authenticator_maps, means the previous mappings are left behind, potentially leading to unexpected results with access and permissions.
It would be really helpful if the collection or at least selected roles could, on request, check after applying CaC for the resulting configuration and then remove any settings that were not provided as part of CaC. This would make it easier to keep the actual in-use and the in-CaC configurations in sync, and avoid surprises if, say, an inexperienced administrator makes unintentional changes over the Web UI.
This is obviously something that is not entirely straightforward in all cases, so this may not be possible to implement for every case. Perhaps it would still be worth investigating and implementing for the more crucial parts of the setup, such as authenticators, authentication mappings, and possibly a few others. Ideally, there could be something like "gateway_authenticator_maps_exclusive: true" to make this happen.
Thanks.
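As an added illustration of the reconciliation step an `_exclusive` option would need (this is example code, not part of the issue or of the collection), the following Python computes which live authenticator maps are missing, changed, or left behind relative to the declared CaC list. The sample data is constructed; field names such as `authenticator`, `map_type` and `triggers` are assumptions about the shape of a map entry, and `scope_field` is a hypothetical knob that limits deletion to authenticators the CaC actually declares, so an exclusive run cannot wipe maps belonging to an authenticator managed elsewhere.

```python
"""Plan a reconcile of declared (CaC) authenticator maps against the live set.

Constructed example: DESIRED stands in for a gateway_authenticator_maps list,
CURRENT for what a listing of the live platform would return.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Plan:
    create: tuple  # names present in CaC but not live
    update: tuple  # names present in both, with at least one differing field
    delete: tuple  # names live but not in CaC (only when exclusive=True)


def plan_authenticator_maps(desired, current, exclusive=False,
                            key="name", scope_field="authenticator"):
    """Return a Plan describing how to bring `current` in line with `desired`.

    exclusive=False reproduces today's behaviour: nothing is ever deleted.
    exclusive=True implements the proposed "_exclusive" semantics: live maps
    that are not declared are scheduled for deletion, but only for
    authenticators that appear in `desired` (when scope_field is set), so
    maps of an authenticator the CaC does not mention are left alone.
    """
    desired_by_key = {d[key]: d for d in desired}
    current_by_key = {c[key]: c for c in current}

    create = tuple(k for k in desired_by_key if k not in current_by_key)

    # An entry needs an update only if some declared field differs live.
    update = tuple(
        k for k, d in desired_by_key.items()
        if k in current_by_key
        and any(current_by_key[k].get(f) != v for f, v in d.items())
    )

    delete = ()
    if exclusive:
        managed = {d.get(scope_field) for d in desired} if scope_field else None
        delete = tuple(
            k for k, c in current_by_key.items()
            if k not in desired_by_key
            and (managed is None or c.get(scope_field) in managed)
        )
    return Plan(create, update, delete)


# --- constructed sample data -------------------------------------------------
# The CaC renamed "ops-team" to "platform-team"; the old map is still live.
DESIRED = [
    {"name": "admins-from-ldap", "authenticator": "corp-ldap",
     "map_type": "is_superuser",
     "triggers": {"groups": {"has_or": ["cn=aap-admins,ou=groups,dc=example,dc=com"]}}},
    {"name": "platform-team", "authenticator": "corp-ldap",
     "map_type": "team", "organization": "Platform", "team": "SRE",
     "triggers": {"groups": {"has_or": ["cn=sre,ou=groups,dc=example,dc=com"]}}},
]
CURRENT = [
    {"name": "admins-from-ldap", "authenticator": "corp-ldap",
     "map_type": "is_superuser",
     "triggers": {"groups": {"has_or": ["cn=aap-admins,ou=groups,dc=example,dc=com"]}}},
    {"name": "ops-team", "authenticator": "corp-ldap",
     "map_type": "team", "organization": "Platform", "team": "Ops",
     "triggers": {"groups": {"has_or": ["cn=ops,ou=groups,dc=example,dc=com"]}}},
    # Belongs to an authenticator the CaC does not declare: must survive.
    {"name": "saml-admins", "authenticator": "corp-saml",
     "map_type": "is_superuser",
     "triggers": {"attributes": {"is_admin": {"equals": "true"}}}},
]


def demo():
    """Show the difference between today's behaviour and exclusive mode."""
    return {
        "today": plan_authenticator_maps(DESIRED, CURRENT),
        "exclusive": plan_authenticator_maps(DESIRED, CURRENT, exclusive=True),
    }


if __name__ == "__main__":
    for mode, plan in demo().items():
        print(f"{mode:9s} create={plan.create} update={plan.update} delete={plan.delete}")
```

Note that a real role would also have to decide what counts as the identity of a map (the name here) and whether to act on the plan or only report it; a report-only run is the safer default, since the stale "ops-team" map in the sample is exactly the kind of leftover grant the issue is worried about.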