AD Group Filter not deleting the existing entitlement

Existing entitlements are not getting deleted from the system when we update the AD group filter. We are trying to delete one of the AD entitlements (ABC) from the system, and we updated the filter to not aggregate the (ABC) entitlement. Does it delete the entitlement from the system after running the entitlement aggregation? We do not want to do a reset of the source.

Hello,

Are you updating the Group Search DN scope in both the account and group aggregation settings in the AD connector?

It’s possible the account aggregation is still aggregating the entitlement into ISC, even though it’s not included in the entitlement aggregation. You can verify if this is the case by clicking into the entitlement details. If the entitlement is only showing the DN value (unique id) and not other attributes (e.g., grouptype, samaccountname, etc.), it oftentimes can mean it was brought in through the account aggregation.

Liam

1 Like

Hi @vmurugesan007, you can utilize the specified API to remove the entitlements without impacting the accounts.
POST https://sailpoint.api.identitynow.com/beta/entitlements/reset/sources/:id

Be very careful with the “reset” calls though. They will delete all entitlements from a source and break all access profiles you have defined.

2 Likes

@KevinHarrington Good note
