AD group Domain Users keeps getting added on every refresh

Hi,

We have the roles below, and they are attached to 3 access profiles, but inside the AD Network Access profile we have the Domain Users entitlement.

As part of the birthright role we are assigning this role to users, but the Domain Users group keeps being added to the user on every refresh, yet it is not getting assigned to users.

I can see, under the Domain Users group's parent entitlements, a list of other groups. Any idea why these groups keep getting added?

Hi Prasantha,

Please check this post - Access Profile with Domain Users only - Identity Security Cloud (ISC) / ISC Discussion and Questions - SailPoint Developer Community.

It seems this is an observed behavior for the Domain Users group. When you are assigning the Role, the Domain Users group might be set as the Primary Group, which is not part of the memberOf values. So every Identity Refresh tries to re-apply the Role/Access Profile.

1 Like
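The primary-group behavior described in the reply above, as an added example that is not part of the original thread and is not SailPoint code: Active Directory stores the primary group as a RID in `primaryGroupID` (513 for Domain Users) rather than as a `memberOf` value, so a comparison against `memberOf` alone always finds Domain Users missing. The sample user, DNs, SID values and function names are constructed for illustration, and the `memberOf`-only comparison is an assumption about how a consumer reads membership.

```python
import struct

DOMAIN_USERS_RID = 513  # well-known RID of the Domain Users group

def sid_to_str(raw: bytes) -> str:
    """Decode a binary objectSid into its S-1-... string form."""
    revision, sub_count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")           # 48-bit, big-endian
    subs = struct.unpack(f"<{sub_count}I", raw[8:8 + 4 * sub_count])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def primary_group_sid(object_sid: bytes, primary_group_id: int) -> str:
    """Primary group SID = the user's domain SID with primaryGroupID as the RID."""
    domain_sid = sid_to_str(object_sid).rsplit("-", 1)[0]
    return f"{domain_sid}-{primary_group_id}"

def effective_groups(user: dict, groups_by_sid: dict) -> set:
    """memberOf plus the primary group, which memberOf never lists."""
    groups = set(user["memberOf"])
    pg = groups_by_sid.get(primary_group_sid(user["objectSid"], user["primaryGroupID"]))
    if pg:
        groups.add(pg)
    return groups

def missing_from_memberof(user: dict, wanted: list) -> set:
    """Groups that a memberOf-only comparison reports as not yet assigned."""
    return set(wanted) - set(user["memberOf"])

def build_sid(*subs: int) -> bytes:
    """Helper that builds a binary SID under authority 5 for the sample data."""
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)

# Constructed sample data (not taken from any real directory).
DOMAIN = (21, 1111111111, 2222222222, 3333333333)
DOMAIN_USERS_DN = "CN=Domain Users,CN=Users,DC=example,DC=com"
USER = {
    "objectSid": build_sid(*DOMAIN, 1104),
    "primaryGroupID": DOMAIN_USERS_RID,
    "memberOf": ["CN=VPN Users,OU=Groups,DC=example,DC=com"],
}
GROUPS_BY_SID = {"S-1-5-" + "-".join(map(str, DOMAIN)) + "-513": DOMAIN_USERS_DN}

if __name__ == "__main__":
    print("primary group SID:", primary_group_sid(USER["objectSid"], USER["primaryGroupID"]))
    print("memberOf-only gap:", missing_from_memberof(USER, [DOMAIN_USERS_DN]))
    print("effective groups :", sorted(effective_groups(USER, GROUPS_BY_SID)))
```
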

In general, don’t add “Domain Users” to a role. It’s typically a primary group for the user so it can’t be removed through a standard removal process, which means you need to do something custom to remove the role from users.

@pkumar22 you can remove the domain group, as it will be added automatically while the user gets provisioned.
