We are experiencing difficulties cleaning up stale Active Directory entitlements within our SailPoint IdentityNow environment. The “memberOf” attribute is configured as an entitlement, and AD entitlements are aggregated through Account Aggregation.
Over time, numerous outdated Active Directory groups have been deleted or moved to a different OU at the source. However, we have not run Entitlement Aggregation to reflect these changes in IdentityNow. This has resulted in a significant discrepancy, with IdentityNow displaying a much larger number of AD entitlements than the actual groups present in our target AD system.
We have attempted to resolve this by running Entitlement Aggregation, both with and without optimization enabled. Unfortunately, the stale, deleted groups continue to persist within IdentityNow.
We are looking for some assistance in identifying the most effective approach to clean up these redundant entitlements and ensure accurate representation of our current Active Directory groups within SailPoint IdentityNow.
Hi Gopi. I think the problem is that you still have users who are members of the groups that were moved. When doing an account aggregation, ISC will populate the groups that users are memberOf as entitlements in the catalog. It does not matter whether the groups are in the base DN group search scope or not.
You can filter the groups that are read in the memberOf attribute in order to make this group universe smaller. But any group that appears in at least one user's memberOf attribute value will appear in the entitlements.
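To make the point above concrete, here is an added example (not code from this thread and not a SailPoint API) that reconciles an exported IdentityNow entitlement catalog against the groups that actually exist in AD. It assumes two inputs: the source's entitlement export, with each entitlement's value being the group DN and an identityCount as of the last account aggregation, and a plain list of live group DNs from an LDAP search of the whole directory (not just the aggregation scope). Both inputs here are constructed sample data. The script only classifies; as the thread notes, removing the stale entries still needs a source reset or SailPoint support.

```python
"""
Offline reconciliation of an IdentityNow AD entitlement catalog against the
groups that actually exist in Active Directory.

Added example, not code from the thread or from SailPoint. Inputs are
constructed sample data; field names (value, identityCount) are assumed.
"""
import json

# Constructed: what the IdentityNow catalog shows for the AD source.
ENTITLEMENT_EXPORT = json.dumps([
    {"name": "App-Finance-Readers",
     "value": "CN=App-Finance-Readers,OU=Groups,DC=corp,DC=example",
     "identityCount": 12},
    {"name": "Legacy-VPN-Users",          # deleted in AD, nobody holds it
     "value": "CN=Legacy-VPN-Users,OU=Groups,DC=corp,DC=example",
     "identityCount": 0},
    {"name": "Old-Contractors",           # deleted in AD, accounts not re-aggregated yet
     "value": "CN=Old-Contractors,OU=Groups,DC=corp,DC=example",
     "identityCount": 2},
    {"name": "Proj-Apollo",               # old DN before the group was moved
     "value": "CN=Proj-Apollo,OU=Groups,DC=corp,DC=example",
     "identityCount": 0},
    {"name": "Proj-Apollo",               # new DN after the move to OU=Archive
     "value": "CN=Proj-Apollo,OU=Archive,DC=corp,DC=example",
     "identityCount": 3},
])

# Constructed: group DNs returned by an unscoped LDAP search of the live directory.
LIVE_AD_GROUPS = [
    "CN=App-Finance-Readers,OU=Groups,DC=corp,DC=example",
    "CN=Proj-Apollo,OU=Archive,DC=corp,DC=example",
]


def normalize_dn(dn):
    """DNs compare case-insensitively; drop whitespace around RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def classify_entitlements(export_json, live_groups):
    """Split catalog entries into live groups, stale groups that account
    aggregation would re-create (someone still has them in memberOf), and
    stale groups with no holders at all."""
    live = {normalize_dn(dn) for dn in live_groups}
    report = {"active": [], "stale_with_members": [], "stale_orphaned": []}
    for ent in json.loads(export_json):
        dn = normalize_dn(ent["value"])
        if dn in live:
            report["active"].append(ent["value"])
        elif ent["identityCount"] > 0:
            # Still on at least one account's memberOf as last aggregated:
            # re-aggregate accounts first, otherwise the entry comes straight back.
            report["stale_with_members"].append(ent["value"])
        else:
            # Not in AD and held by nobody: the "sticky" leftovers the thread is about.
            report["stale_orphaned"].append(ent["value"])
    return report


if __name__ == "__main__":
    for bucket, values in classify_entitlements(ENTITLEMENT_EXPORT, LIVE_AD_GROUPS).items():
        print(bucket)
        for v in values:
            print("  ", v)
```

The stale_with_members bucket is the one to look at before asking for a backend deletion: those values will be repopulated by the next account aggregation unless the accounts no longer reference them.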
To clarify, the issue is that Active Directory groups which have been deleted and no longer exist in our target AD system are still appearing within our SailPoint AD source even after running entitlement aggregation.
We’re trying to understand why these deleted groups persist despite the aggregation process.
You are dealing with a sticky entitlement issue, which kind of brings the entitlement back in IdentityNow even if it is removed in the target.
We had a similar problem, and to solve this issue you can either try to remove the entitlement from within IdentityNow or reset the source. To remove it from the user, go to Entitlement → Identities who have it → revoke it from there. See if doing this resolves it. If not, then resetting the source is an option, but it will impact the existing Access Profiles and Roles if their entitlements were part of them.
AFAIK, accounts will be removed in SailPoint if deleted at the target application, but entitlements will not be deleted on the SailPoint side. They will be there forever. So the only option is a reset.
The problem is, if you have created any Access Profiles on top of these entitlements, then those will be wiped out, resulting in empty Access Profiles. You have to add them manually every time.
I would be amazed if there is a way to remove only those entitlements.
Alternatively, you can reach out to SailPoint support or Expert Services to delete those entitlements from backend.
Hi Rakesh, thanks for your suggestions. We’ve checked, and no users are associated with these entitlements. Although resetting the source is a potential workaround, we’re trying to avoid it. Resetting the source would negatively impact our access profiles, particularly our birthright access profiles, and other access profiles with automatic deprovisioning scheduled for their corresponding access sunset dates. This is crucial because some of our access profile approvals are for short durations and have to go through automatic deprovisioning.
Thanks Krishna for your input.
We do have access profiles configured on that source; we are trying to find alternatives to delete these redundant entitlements without resetting the source.
As you suggested, maybe SailPoint support has a way to delete them in the back end. I’ll try that.