Access Profiles: AD Entitlements disappear without notice if renamed on source

What problem are you observing?

When testing the configuration for an Access Application called “FinApp”, we created 2 Access Profiles: “L1 Access” and “L2 Access”.

“L1 Access” was configured with an AD group/entitlement “View Config” and “L2 Access” was configured with “View Config” and “Modify Config” AD group/entitlements.

During the initial testing, we tested requesting this application and the access profiles for each and it worked well. After a demo for the stakeholders, a name change was requested for the AD group/entitlement from “Modify Config” to “Edit Config” to follow the naming convention in place. This change was made in AD and aggregated in.

After the change was made, we checked the previous users to make sure they had the “FinApp” Access Application, test Access Profiles, and the AD group/entitlements. In all cases, each user had each of those items listed in their Access Page.

However, when we looked closer at the “L2 Access” Access Profile, there was only 1 entitlement listed in it, which was “View Config”. The “Modify Config” was no longer present, and the new “Edit Config” was not present either. This means the access profile silently removed this access without notifying anyone or providing an error state to respond to.

What is the correct behavior?

Bugs are considered issues with a feature that prevent it from behaving as designed. In what way do you believe this feature is not working as designed?

What product feature is this related to?

ISC Access Profiles and Entitlements

What are the steps to reproduce the issue?

1. Create an AD with 2 AD Groups.
2. Configure the AD Source to be used for entitlements on an Access Application and aggregate users and entitlements.
3. Create 2 access profiles for AD, one with 1 entitlement, the other with both.
4. Create an Access Application and add both access profiles to it.
5. Request and approve the access application using the access profile with 2 entitlements for one or more users.
6. Change the name of the 2nd entitlement directly in AD.
7. Aggregate the AD entitlements.
8. Go review both Access Profiles and notice that the one that originally had 2 only has 1 now.

Do you have any other information about your environment that may help?

This was in Sandbox.

With @christina_gagnon’s help, we determined that there is an email that goes out to ALL Identities in the IdentityNow Admins source when this happens, with the details. In my case, this was getting filtered to another folder in the joint mailbox.

I still would like to see a notification in the UI when the admin logs in or views the Access Profile noting the change. This I will add to the Ideas forum for visibility.

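Until a UI notification exists, an admin can catch the silent drop described in the reproduction steps by diffing access-profile snapshots taken before and after an entitlement aggregation. The block below is an added example written for this post, not SailPoint code; the snapshot format (profile name mapped to entitlement records with an `id` and `name`) and the entitlement ids are constructed assumptions, with the records mirroring the “L1 Access” / “L2 Access” scenario above.

```python
# Added example: flag entitlements that vanished from an access profile between two
# aggregation snapshots. Record shape and ids are constructed for illustration and
# are NOT the product's own export or API format.
from typing import Dict, List, Set

# Constructed snapshot taken before the AD group was renamed.
BEFORE = {
    "L1 Access": [{"id": "ent-001", "name": "View Config"}],
    "L2 Access": [{"id": "ent-001", "name": "View Config"},
                  {"id": "ent-002", "name": "Modify Config"}],
}

# Constructed snapshot after "Modify Config" was renamed to "Edit Config" in AD
# and re-aggregated: the L2 profile now lists only one entitlement.
AFTER = {
    "L1 Access": [{"id": "ent-001", "name": "View Config"}],
    "L2 Access": [{"id": "ent-001", "name": "View Config"}],
}


def entitlement_ids(profiles: Dict[str, List[dict]], profile: str) -> Set[str]:
    """Entitlement ids currently attached to one access profile (empty if missing)."""
    return {e["id"] for e in profiles.get(profile, [])}


def dropped_entitlements(before: Dict[str, List[dict]],
                         after: Dict[str, List[dict]]) -> Dict[str, List[str]]:
    """Per access profile, names of entitlements present before but absent after.

    Profiles that disappeared entirely are reported with all their entitlements,
    so a deleted profile is not mistaken for a clean run.
    """
    report: Dict[str, List[str]] = {}
    for profile, records in before.items():
        missing = entitlement_ids(before, profile) - entitlement_ids(after, profile)
        if missing:
            report[profile] = sorted(r["name"] for r in records if r["id"] in missing)
    return report


if __name__ == "__main__":
    # Run stand-alone to print one alert line per affected profile.
    for profile, names in dropped_entitlements(BEFORE, AFTER).items():
        print(f"ALERT: access profile '{profile}' lost entitlement(s): {', '.join(names)}")
```

Run it after every aggregation of the entitlement source and treat any non-empty report as something an admin must review, since the product itself surfaces the change only by email.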