AD Entitlement Provisioning to Inactive Identities

Hello All -

I’ve noticed that IDN will continue to add AD entitlements that were requested via request center (sticky entitlements) to inactive identities if the entitlement is removed from the source account. What’s concerning is that if the AD account is deleted, IDN will recreate the AD user object in an active state and add the entitlement, despite an inactive LCS. I hope this is not the expected behavior? How do we get IDN to release the sticky entitlements to prevent this?

Hi @johnpaul_tran,

You can create a workflow to remove those sticky entitlements.

There is currently no good and best way to find out which ones are sticky, but you could use the “Completed Access Request Approval API” to get a list of all entitlement approvals (Entitlement Request Approval should be enabled) and then, in a loop operator, call the Entitlement Revoke API to get rid of the sticky entitlement.

Another option is to write a BeforeProvisioningRule to remove the sticky assignment.
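One way to script the loop described above, as an added example that is not the poster's code: pull the completed approvals, keep only approved entitlement grants whose target identity is inactive, and build one REVOKE_ACCESS request per identity. The endpoints (GET /v3/access-request-approvals/completed, POST /v3/access-requests with requestType REVOKE_ACCESS) are from the IdentityNow v3 API; the response field names and the sample records are assumptions, and the set of inactive identity ids is supplied by the caller (for instance from a Search query on lifecycle state).

```python
# Added example, not from the thread. Endpoint shapes assumed from the
# IdentityNow v3 API; verify field names against your tenant.
from typing import Iterable

# Constructed sample of completed approvals, shaped like the v3 response.
SAMPLE_APPROVALS = [
    {"state": "APPROVED", "requestType": "GRANT_ACCESS",
     "requestedFor": {"id": "id-alice", "name": "alice"},
     "requestedObject": {"id": "ent-1", "name": "CN=VPN-Users", "type": "ENTITLEMENT"}},
    {"state": "APPROVED", "requestType": "GRANT_ACCESS",
     "requestedFor": {"id": "id-bob", "name": "bob"},
     "requestedObject": {"id": "ent-2", "name": "CN=Finance", "type": "ENTITLEMENT"}},
    {"state": "REJECTED", "requestType": "GRANT_ACCESS",
     "requestedFor": {"id": "id-alice", "name": "alice"},
     "requestedObject": {"id": "ent-3", "name": "CN=Admins", "type": "ENTITLEMENT"}},
    {"state": "APPROVED", "requestType": "GRANT_ACCESS",
     "requestedFor": {"id": "id-alice", "name": "alice"},
     "requestedObject": {"id": "role-1", "name": "Sales Role", "type": "ROLE"}},
]


def sticky_entitlements(approvals, inactive_ids: Iterable[str]):
    """Return {identity_id: {entitlement_id, ...}} for approved entitlement
    grants (the sticky assignments) whose target identity is inactive."""
    inactive = set(inactive_ids)
    found = {}
    for a in approvals:
        if a.get("state") != "APPROVED" or a.get("requestType") != "GRANT_ACCESS":
            continue  # rejected requests and revokes never became sticky
        if a["requestedObject"].get("type") != "ENTITLEMENT":
            continue  # roles/access profiles are governed separately
        ident = a["requestedFor"]["id"]
        if ident in inactive:
            found.setdefault(ident, set()).add(a["requestedObject"]["id"])
    return found


def build_revoke_requests(sticky):
    """One POST /v3/access-requests body per inactive identity; send each
    with e.g. requests.post(f"{base}/v3/access-requests", json=body, ...)."""
    return [
        {"requestedFor": [ident], "requestType": "REVOKE_ACCESS",
         "requestedItems": [{"type": "ENTITLEMENT", "id": e,
                             "comment": "Release sticky assignment; identity inactive"}
                            for e in sorted(ents)]}
        for ident, ents in sorted(sticky.items())
    ]


if __name__ == "__main__":
    print(build_revoke_requests(sticky_entitlements(SAMPLE_APPROVALS, ["id-alice"])))
```

Releasing the assignment this way removes the request-center record that makes IDN re-add the entitlement, so a later account recreation no longer carries it.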

Thank you for the response @atarodia. I am in the process of reviewing the video found here: Ungluing Sticky AttributeAssignments; however, this is for IIQ. I assume the BeforeProvisioningRule option you mentioned is similar to what is discussed in the video, but searching Compass, I do not see any reference to AttributeAssignment for IDN. Do you know if this is also applicable for IDN?


I have also seen this behavior. You can also use a certification to revoke the entitlement, which will remove the tape for the sticky entitlement. Hope that helps!

We are looking for an automated solution without having to trigger a certification on an inactive LCS and requiring someone to manually revoke the entitlements.
