AD group continuously being added

There is one AD group in particular where SailPoint is continuously trying to add it to user AD accounts. SailPoint’s identity event logs show Add Entitlement Passed for the same entitlement hourly due to the AD account aggregations.

All users assigned to the group in SailPoint are actually added to the group in AD so I’m not sure what the issue is.

At a quick/rough guess, I would say that the entitlement is not being pulled into SailPoint, which is why it is trying to add it each time. It can’t ‘see’ it on the profile.
Have you run an entitlement aggregation recently? That might help

Yes, we have hourly AD entitlement aggregations and the DN shown on the entitlement within SailPoint matches the DN of the group within our AD structure, so I have confidence that the group object matches.

And can you see the entitlement on the user’s identity cube?

Yes, in SailPoint I see the AD entitlement shown on the user’s AD account and listed under the entitlements list on the identity. In AD I see the user as belonging to the group membership.

How is the entitlement being added to the cube?
Is it by a role, an LCS profile, an UPDATE command on the source, or something else?

The entitlement in question belongs to a role which adds numerous other AD entitlements without this duplicative adding issue.

A few more questions to understand the issue:
Is the entitlement being added on an hourly basis whenever the aggregation executes?
Is the entitlement added directly in the Role or through an Access Profile?

Yes, SailPoint is attempting to add the entitlement hourly upon every aggregation execution.

The entitlement is added via a Role directly, we do not use Access Profiles at all.

I have done some more investigation and it appears the entitlement was renamed in AD a while back. The only difference in DN is capitalization, so it used to be

CN=TESTGROUP,OU=test,DC=test
and now it is
CN=TestGroup,OU=test,DC=test

I am still trying to figure out if group DNs are case sensitive in SailPoint. Right now, my thinking is if we were to move the group to a different OU SailPoint would update the group value but I need to work with my infra team to confirm.

I assume it could be due to a sticky entitlement. Can you try to remove that entitlement from the role, add it back through an Access Profile, and check whether that resolves the issue?

Hi Dominick,

Yes, the group DNs are case-sensitive, unfortunately. However, SailPoint does not gracefully handle these entitlements. They don’t treat them as ‘net new’ entitlements. I opened a case with them a while back on this issue and did not get a concrete response on this. They referenced an engineering ticket (SAASTRIAGE-3260), but I am unsure of the status of it.

They did offer three solutions:

  1. Reset the source and re-aggregate (not ideal)
  2. Change the DN back to the original casing in the target system to match the Access Profile and Entitlement object value
  3. Ask SailPoint services to update the XML representation of the entitlement in the backend

We ended up going with option 3 for any entitlements we found where the casing was off due to a native change made in the source on the entitlement name.

Thanks,

Liam

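The root cause Dominick found (a group DN renamed in AD with only its casing changed) and Liam's confirmation that SailPoint compares these values case-sensitively suggest a simple check an identity team can run before a role starts re-provisioning every hour: compare each role's entitlement values against the memberOf values aggregated from the user's AD account, and report values that match only when case is ignored. The script below is an added example, not code from the thread or from SailPoint; the role definition and account attributes are constructed sample data, and in practice they would be exported from the tenant (for example via the REST API or a source export, which is not shown here).

```python
"""Detect role entitlement values that differ only in case from the
group memberships aggregated from a user's AD account.

Added example, not SailPoint's code. All data below is constructed.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: entitlement values as stored on the SailPoint role.
ROLE_ENTITLEMENTS: Dict[str, List[str]] = {
    "AD Role": [
        "CN=TESTGROUP,OU=test,DC=test",        # stale casing from before the AD rename
        "CN=Finance-Readers,OU=test,DC=test",
        "CN=VPN-Users,OU=test,DC=test",
    ],
}

# Constructed sample: memberOf values aggregated from the user's AD account.
ACCOUNT_MEMBER_OF: Dict[str, List[str]] = {
    "jdoe": [
        "CN=TestGroup,OU=test,DC=test",        # renamed in AD; only the case changed
        "CN=Finance-Readers,OU=test,DC=test",
    ],
}


@dataclass(frozen=True)
class Finding:
    user: str
    role: str
    role_value: str
    status: str                        # "match", "case_mismatch" or "missing"
    account_value: Optional[str] = None


def normalize_dn(dn: str) -> str:
    """Lower-case a DN and strip whitespace around RDN separators.

    AD itself matches DNs case-insensitively, so this is the comparison
    we need to tell a casing drift apart from a genuinely missing group.
    Splitting on ',' is a simplification: escaped commas in RDN values
    are not handled here.
    """
    return ",".join(part.strip() for part in dn.split(",")).lower()


def compare_role_to_account(user: str, role: str,
                            role_values: List[str],
                            account_values: List[str]) -> List[Finding]:
    """Classify every entitlement value on the role against the account."""
    exact = set(account_values)
    by_norm = {normalize_dn(v): v for v in account_values}
    findings: List[Finding] = []
    for rv in role_values:
        if rv in exact:
            findings.append(Finding(user, role, rv, "match", rv))
        elif normalize_dn(rv) in by_norm:
            # Present in AD, but the stored value no longer matches byte-for-byte:
            # this is the condition that makes provisioning fire every aggregation.
            findings.append(Finding(user, role, rv, "case_mismatch", by_norm[normalize_dn(rv)]))
        else:
            findings.append(Finding(user, role, rv, "missing"))
    return findings


def case_mismatches(findings: List[Finding]) -> List[Finding]:
    """Only the findings that need the entitlement value corrected."""
    return [f for f in findings if f.status == "case_mismatch"]


def report_all(roles: Dict[str, List[str]],
               accounts: Dict[str, List[str]]) -> List[Finding]:
    """Run the comparison for every (user, role) pair in the sample data."""
    out: List[Finding] = []
    for user, member_of in accounts.items():
        for role, values in roles.items():
            out.extend(compare_role_to_account(user, role, values, member_of))
    return out


if __name__ == "__main__":
    for f in report_all(ROLE_ENTITLEMENTS, ACCOUNT_MEMBER_OF):
        if f.status != "match":
            print(f"{f.user} / {f.role}: {f.status}: role has {f.role_value!r}, "
                  f"account has {f.account_value!r}")
```

A "case_mismatch" finding is the one worth acting on: the user already holds the group in AD, so the hourly "Add Entitlement Passed" events are noise caused by the stored value, and the fix is one of the three Liam lists (correct the value SailPoint holds, revert the casing in AD, or reset and re-aggregate) rather than anything on the user's account. A "missing" finding is a genuine provisioning gap and should be left to the normal role provisioning flow.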
