I wanted to share my recent experience with IdentityIQ regarding the removal of roles assigned via Assignment Rules, such as Birthright Roles.
I noticed that when I attempted to remove these roles using just the following task options:
<entry key="promoteAttributes" value="true"/>
the roles "were not getting removed", even after identity attributes were updated and should have caused the rule-based assignment logic to assign the roles.
Resolution:
To successfully remove these types of roles (those assigned by assignment logic), I had to run the Refresh Identity Cubes task with these additional settings enabled:
<entry key="provision" value="true"/>
<entry key="promoteAttributes" value="true"/>
<entry key="refreshIdentityEntitlements" value="true"/>
Enabling refreshIdentityEntitlements was key — this option ensures that IdentityIQ re-evaluates and synchronizes assigned roles based on current identity data and assignment logic, including removals.
Use Case:
- Birthright Roles
- Any roles assigned/removed through Assignment Rules
Recommendation:
If you're troubleshooting why roles assigned through assignment logic aren't being removed as expected, try running the Refresh Identity Cubes task with the refreshIdentityEntitlements flag set to true.
Hope this helps others with the same issue!