AssignedRoles missing for users

Which IIQ version are you inquiring about?

8.4p1

We can see both assigned and detected roles on the UI, but when we check the identity in debug, we can see AssignedRoles are missing for the users.
And AssignedRoles are added back when we run the Identity refresh task with the options:

  1. Refresh assigned, detected roles and promote additional entitlements
  2. Provision assignments

Please let me know if anyone has faced this issue and how it was solved.

Hi @shiva_k,

the behaviour is correct. When an identity is created and aggregates all its own accounts, SP detects the entitlements, attributes, etc.
But to “complete” the IDN, every time you need to execute the Refresh identity.

Refresh identity is the most important task in SP, to detect and provision roles and attributes; after the termination of all aggregations, execute the refresh identity task, with all flags properly marked.

1 Like

Hi @shiva_k ,

It is expected behavior. When the assignment rule (it may contain any rule, matchlist, script, etc.) is executed, the appropriate Identities are automatically assigned that business role. To execute the roles’ assignment rules, execute a Refresh Entitlement Correlation task or an Identity Refresh task with the Refresh assigned, detected roles and promote additional entitlements option selected.
To provision entitlements to the target system, enable the option called Provision Assignments in the refresh task. Run the refresh task two times after aggregation is done. So, without any issue, the role will be assigned and provisioned as well.

This is a very good document, you can go through it: https://community.sailpoint.com/t5/Technical-White-Papers/Role-Management-in-IdentityIQ/ta-p/77726

1 Like

Hi @shiva_k

Is this behaviour happening on the same identity again and again, or only the first time?

Thanks

We are also facing the same issue while upgrading to 8.4p1. Identity <AssignedRoles> may disappear, and this somehow happens in one of the environments. Of course, after Identity Refresh it is coming back, but we are wondering why it got removed in the first place.

Note: missing <AssignedRoles> will impact the certification revocation, as it will consider the role as a detected role and lead to failure on revocation.

After some investigation, we found out there is a Policy whose Policy Role accidentally removes the AssignedRoles by reference. I would suggest you check your custom code, in case there is anything like this.

2 Likes

Thanks,

We also had the issue with the Policy rule; we updated the rule to fix it.

1 Like
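
The thread notes that a missing `<AssignedRoles>` breaks certification revocation, so it is worth finding affected identities before the next refresh hides them. The following is an added example, not code from any poster or from SailPoint: it scans an identity XML export for role assignments that have no matching `<AssignedRoles>` reference. Everything except `<AssignedRoles>` (the `RoleAssignment` element, its `roleName` and `negative` attributes, the sample data) is an assumption about the export layout and should be checked against your own debug XML.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element/attribute names other than <AssignedRoles>
# are assumptions about how the debug export is laid out.
SAMPLE_EXPORT = """<sailpoint>
  <Identity name="alice">
    <AssignedRoles><Reference name="Finance Analyst"/></AssignedRoles>
    <Preferences><Attributes><Map><entry key="roleAssignments"><value><List>
      <RoleAssignment roleName="Finance Analyst" source="Rule"/>
    </List></value></entry></Map></Attributes></Preferences>
  </Identity>
  <Identity name="bob">
    <Preferences><Attributes><Map><entry key="roleAssignments"><value><List>
      <RoleAssignment roleName="HR Manager" source="UI"/>
    </List></value></entry></Map></Attributes></Preferences>
  </Identity>
  <Identity name="carol">
    <AssignedRoles><Reference name="Auditor"/></AssignedRoles>
    <Preferences><Attributes><Map><entry key="roleAssignments"><value><List>
      <RoleAssignment roleName="Auditor" source="UI"/>
      <RoleAssignment roleName="Payroll Admin" source="UI"/>
      <RoleAssignment roleName="Contractor" negative="true"/>
    </List></value></entry></Map></Attributes></Preferences>
  </Identity>
  <Identity name="dave"/>
</sailpoint>"""


def find_missing_assigned_roles(xml_text):
    """Map identity name -> sorted role names that are recorded as assignments
    but are absent from (or have no) <AssignedRoles> reference list."""
    findings = {}
    for identity in ET.fromstring(xml_text).iter("Identity"):
        referenced = {r.get("name")
                      for r in identity.findall("./AssignedRoles/Reference")}
        missing = set()
        for ra in identity.iter("RoleAssignment"):
            if ra.get("negative") == "true":  # assumed marker for exclusions
                continue
            role = ra.get("roleName")
            if role and role not in referenced:
                missing.add(role)
        if missing:
            findings[identity.get("name")] = sorted(missing)
    return findings


if __name__ == "__main__":
    for name, roles in find_missing_assigned_roles(SAMPLE_EXPORT).items():
        print(f"{name}: assignment without AssignedRoles reference: {roles}")
```

Identities it reports are candidates for a refresh and for a review of custom rules that touch the assigned-role list, as the replies above suggest.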
