Make sure the “Allow propagation of role changes” option is enabled by navigating to Global Settings → IdentityIQ Configuration → Roles.
Once this option is enabled, any change to role composition will create a roleChangeEvent object.
Hi @goyalan, please enable Role Change Propagation in Global Settings; running identity refresh will then do the job if we are adding any role to the required roles under the Business role. However, if you remove any role under required roles in the Business role, then you need to run the role change propagation task. The Role Change Propagation task can add or remove roles on identities, but the Identity Refresh task can only add roles.
Hi @Arun-Kumar, I will do that now. But my question is that some of the users got it but some didn’t. Any idea why the respective entitlement got assigned to some users and not all?
Hi @Nanda_Balineni333, I have added the entitlement to the existing IT role under the business role. “Enable Role Propagation” was not enabled earlier, but I have done it now.
So, my question would be that if any entitlement is added/removed to the IT role under a business role, then would it require “Refresh Identity Cube” or “Propagate Role changes” task?
Hey @goyalan, if the users have an active/pending workitem, then during Identity refresh they will be skipped without refreshing. I think that might have happened. Kindly do a quick check for a sample user to see if he has any active workitem.
As you have added a new entitlement to an existing IT role, Refresh Identity Cube alone will be sufficient for you in this case. If you remove any IT role or entitlement and want it to be reflected for all users, you need to run the role change propagation task.
Hi @goyalan, let's debug this a little bit to understand what is happening in the backend.
Step 1 - Check the identity → Entitlement tab; there should be a business role entry there.
Step 2 - Click on it. You will see a popup with all associated roles.
Step 3 - Verify whether your changed role is there or not. If it's there, then it should be shown with the red cross mark since, as per you, it's assigned but not detected yet.
Step 4 - If it's not there, then we have to check why the business role is not updated. I am assuming you have enabled “Enable Role change Propagation”, which should take care of this.
Step 5 - Once you execute the Refresh Task, it hits the Identity refresh Workflow. Project has been passed. After refresh, this group should be added into the Plan. You can print the Project and verify, or enable the logs for the IdentityRefreshExecutor class.
Hi @harsh_gupta4,
Yes, all these steps were fine. Just in Step 3, it showed a cross in front of the IT role; there was a red cross.
I restarted the servers and it worked.
Hi @goyalan, good to know the problem is solved. Please mark whichever answer helped as the accepted solution so this thread can be closed properly and help others as well. Thanks.