In our current setup (v8.3p4), we are facing a challenge where provisioning or deprovisioning processes fail when an assigned Role contains outdated groups that have either been renamed or deleted in Active Directory (AD). Since these changes are not automatically reflected in SailPoint Bundles, the affected Roles become invalid, leading to provisioning failures.
We want to explore the best approach to alert the IAM administrators when such a failure occurs so they can take immediate action to update the affected Roles. Alternatively, is there any configuration or feature that allows Roles to automatically update when a group is renamed or removed in AD?
Our key requirements:
Get alerts/notifications when a group referenced in a Role is renamed or deleted in AD.
Prevent provisioning failures by ensuring Roles stay updated with group changes in AD.
Explore any possible automated updates to Roles when changes occur in AD.
Has anyone implemented a similar solution? Are there best practices or configuration options in SailPoint that can help address this issue?
I have gone through the article on Native Change Detection and tried replicating it in our lower environment. I made a change to an AD group and then ran an aggregation, but I did not observe any updates in the Role where this group is associated. Additionally, no changes were reflected in the user’s Identity Cube, even after running a refresh task.
Could you clarify if there are any additional configurations required for the Role to detect and update changes from AD? Or should this be handled through a different approach?
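One way to get the alerting the question asks for, independent of whether Native Change Detection updates the Role itself, is a reconciliation pass that compares each Role's stored group references against the groups currently present in AD. The example below is added here and is not SailPoint or IdentityIQ code; it calls no IIQ API and instead assumes two exports you can produce yourself: the groups each Role references (with the DN stored at assignment time and the group's objectGUID captured at that time) and a current snapshot of AD groups keyed by objectGUID, such as the result of the latest group aggregation. All names, DNs and GUIDs are constructed. Keying on objectGUID rather than the DN is what lets the check tell a renamed group (same GUID, different DN) apart from a deleted one (GUID gone), which is exactly the distinction an administrator needs when deciding whether to update or remove the reference.

```python
"""Reconcile Role -> AD group references against a current AD group snapshot.

Added example for the question above; not SailPoint IdentityIQ code and no
IIQ API is used. Assumes two exports you can produce yourself:
  1. the AD groups each Role (Bundle) references, with the DN stored at
     assignment time and the group's objectGUID captured at that time;
  2. a current snapshot of AD groups (objectGUID -> DN), e.g. the result
     of the latest group aggregation.
Every value below is constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupRef:
    """A group as a Role references it: the DN the Role knows, plus the
    objectGUID captured when the reference was created (immutable in AD)."""
    dn: str
    object_guid: str


@dataclass(frozen=True)
class Role:
    name: str
    groups: tuple  # tuple of GroupRef


# Constructed snapshot of AD after the latest aggregation: objectGUID -> DN.
AD_GROUPS = {
    "a1": "CN=Finance-Readers,OU=Groups,DC=example,DC=com",
    "b2": "CN=Payroll-Admins,OU=Groups,DC=example,DC=com",  # renamed in AD
    # "c3" is absent: that group was deleted in AD.
}

# Constructed Role definitions exactly as they still stand in the Bundles.
ROLES = (
    Role("Finance Analyst",
         (GroupRef("CN=Finance-Readers,OU=Groups,DC=example,DC=com", "a1"),)),
    Role("HR Payroll",
         (GroupRef("CN=HR-Payroll,OU=Groups,DC=example,DC=com", "b2"),)),
    Role("Legacy App",
         (GroupRef("CN=Legacy-App-Users,OU=Groups,DC=example,DC=com", "c3"),)),
)


def reconcile(roles, ad_groups):
    """Classify every group reference in every Role.

    Matching on objectGUID rather than DN separates a rename from a deletion:
    the DN changes on rename, the objectGUID does not.
    Returns one finding per reference: {"role", "status", "old_dn", "new_dn"}
    with status in {"ok", "renamed", "deleted"}.
    """
    findings = []
    for role in roles:
        for ref in role.groups:
            current_dn = ad_groups.get(ref.object_guid)
            if current_dn is None:
                status = "deleted"
            elif current_dn.casefold() != ref.dn.casefold():
                # AD DNs compare case-insensitively; a case-only difference
                # is not a rename.
                status = "renamed"
            else:
                status = "ok"
            findings.append({"role": role.name, "status": status,
                             "old_dn": ref.dn, "new_dn": current_dn})
    return findings


def format_alerts(findings):
    """Render only the actionable findings as alert lines for IAM admins."""
    alerts = []
    for f in findings:
        if f["status"] == "renamed":
            alerts.append(f'[RENAMED] Role "{f["role"]}": {f["old_dn"]} is now '
                          f'{f["new_dn"]}; update the Role before it is provisioned')
        elif f["status"] == "deleted":
            alerts.append(f'[DELETED] Role "{f["role"]}": {f["old_dn"]} no longer '
                          f'exists in AD; remove or replace it in the Role')
    return alerts


if __name__ == "__main__":
    for line in format_alerts(reconcile(ROLES, AD_GROUPS)):
        print(line)
```

Run after each AD group aggregation and route the alert lines to the IAM team's ticketing or notification channel; a Role flagged here would otherwise fail only at the moment someone is provisioned or deprovisioned through it. If the group references available to you carry only the DN and no stable identifier, the "renamed" case collapses into "deleted", so capturing objectGUID (or objectSid) alongside the DN at the time a group is added to a Role is the one data point worth adding to the export.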