Within our tenant we noticed that entitlements from Active Directory would periodically drop off from the access profiles, which essentially means the Active Directory group stops being managed by SailPoint. We noticed this occurs when OU changes, name changes or other changes occur to the Active Directory group. SailPoint does not seem to utilize the SID on Active Directory groups to identify them and tie them to the access profiles, but instead utilizes the DN.
Any suggestions on identifying when these access profiles lose their Active Directory entitlement? One of my thoughts was to try to identify and alert on access profiles that drop down to 0. Are there any suggestions on how to at least identify when this occurs, without having to wait until a user loses access and investigate only to find out that an entitlement has dropped off, as well as a way to potentially alert on this? I have attempted to utilize Splunk for this, but there is no log from SailPoint regarding an entitlement dropping from an access profile, and alerting on any change to a group within Active Directory would just create an immense amount of noise. Any suggestions or ideas would be greatly appreciated.
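One way to detect the condition described above without waiting for a user to lose access, as an added example that is not part of the original post and not SailPoint's own code: compare two periodic snapshots of the access profiles and report any profile that lost entitlements, marking those that dropped to 0 as critical. The snapshot shape (`id`, `name`, `entitlements` with `id` and `name`), the function name `find_dropped` and the sample data are assumptions constructed for illustration.

```python
import json

# Constructed sample snapshots (assumed shape: one dict per access profile,
# each carrying its list of entitlements). In practice these would be two
# saved exports of the tenant's access profiles taken at different times.
PREVIOUS = json.loads("""[
  {"id": "ap-1", "name": "Finance Share", "entitlements": [
     {"id": "e-10", "name": "CN=FinShare-RW,OU=Groups,DC=example,DC=com"}]},
  {"id": "ap-2", "name": "HR Tools", "entitlements": [
     {"id": "e-20", "name": "CN=HR-Users,OU=Groups,DC=example,DC=com"},
     {"id": "e-21", "name": "CN=HR-Admins,OU=Groups,DC=example,DC=com"}]},
  {"id": "ap-3", "name": "VPN", "entitlements": [
     {"id": "e-30", "name": "CN=VPN-Users,OU=Groups,DC=example,DC=com"}]}
]""")
CURRENT = json.loads("""[
  {"id": "ap-1", "name": "Finance Share", "entitlements": []},
  {"id": "ap-2", "name": "HR Tools", "entitlements": [
     {"id": "e-20", "name": "CN=HR-Users,OU=Groups,DC=example,DC=com"}]},
  {"id": "ap-3", "name": "VPN", "entitlements": [
     {"id": "e-30", "name": "CN=VPN-Users,OU=Groups,DC=example,DC=com"}]}
]""")


def find_dropped(previous, current):
    """Return one finding per access profile that lost entitlements."""
    before = {p["id"]: p for p in previous}
    findings = []
    for profile in current:
        old = before.get(profile["id"])
        if old is None:
            continue  # new profile: nothing to compare against yet
        old_ents = {e["id"]: e["name"] for e in old.get("entitlements") or []}
        new_ids = {e["id"] for e in profile.get("entitlements") or []}
        lost = sorted(n for i, n in old_ents.items() if i not in new_ids)
        if lost:
            findings.append({
                "profile": profile["name"],
                "lost": lost,  # names (DNs) as recorded in the older snapshot
                "remaining": len(new_ids),
                # A profile with nothing left grants no AD access at all.
                "severity": "critical" if not new_ids else "warning",
            })
    return findings


if __name__ == "__main__":
    for finding in find_dropped(PREVIOUS, CURRENT):
        print(json.dumps(finding))  # one JSON event per affected profile
```

Each printed line is a JSON event, so a log pipeline such as the Splunk setup mentioned in the post can alert on it, and the alert fires only when a profile actually loses an entitlement rather than on every Active Directory group change.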