Hi Dominick,
Yes the group DNs are case sensitive unfortunately. However, SailPoint does not gracefully handle these entitlements. They don’t treat them as ‘net new’ entitlements. I opened a case with them a while back on this issue and did not get a concrete response on this. They referenced an engineering ticket (SAASTRIAGE-3260), but unsure of the status of it.
They did offer three solutions:
- Reset the source and re-aggregate (not ideal)
- Change the DN back to the original casing in the target system to match the Access Profile and Entitlement object value
- Ask SailPoint services to update the XML representation of the entitlement in the backend
We ended up going with option 3 for any entitlements we found where the casing was off due to a native change made in the source on the entitlement name.
Thanks,
Liam