attributeAssignments mismatch

IdentityIQ (IIQ) IIQ Discussion and Questions
, ,
1

Which IIQ version are you inquiring about?

8.4

Hi Experts,

I would like to ask about the entry key = attributeAssignments in an identity cube.

I noticed that the entitlements shown in the SailPoint portal do not match the attributeAssignments in Identity debug mode.

In what situations does this happen? Is this expected behavior?

SailPoint portal:

image
image2516×1002 117 KB

Identity Cube in debug mode:

<entry key="attributeAssignments">
        <value>
          <List>
            <AttributeAssignment applicationId="0ac928ce92e11cbf8192e1dfafc800b6" applicationName="Loopback" assigner="spadmin" assignmentId="a3749421afca4c56b41deaf10ecb2d0a" name="workgroups.name" nativeIdentity="22222222" source="LCM" type="Entitlement" value="Owner-Intelemailtest1"/>
            <AttributeAssignment applicationId="0ac928ce92db1bbf8192dcf4f8860404" applicationName="AD-***" assigner="spadmin" assignmentId="f92655ff223c4b37b68d1507c6a7e3ea" name="memberOf" nativeIdentity="CN=Chiew\, Desmond,OU=Test2,OU=IntelTest2,DC=***,DC=info" source="LCM" type="Entitlement" value="CN=Access Control Assistance Operators,CN=Builtin,DC=acwdemo,DC=info"/>
            <AttributeAssignment applicationId="0ac928ce92db1bbf8192dcf4f8860404" applicationName="AD-***" assigner="spadmin" assignmentId="8fd3818ded014c58b16b2d5db8e58c83" name="memberOf" nativeIdentity="CN=Chiew\, Desmond,OU=Test2,OU=IntelTest2,DC=***,DC=info" source="LCM" type="Entitlement" value="CN=Account Payable,CN=Builtin,DC=acwdemo,DC=info"/>
            <AttributeAssignment applicationId="0ac928ce92e11cbf8192e1dfafc800b6" applicationName="Loopback" assigner="spadmin" assignmentId="9a662d82f37548b8893763ba3d936e78" name="capabilities.name" nativeIdentity="22222222" source="LCM" type="Entitlement" value="ApplicationAdministrator"/>
            <AttributeAssignment applicationId="0ac928ce92e11cbf8192e1dfafc800b6" applicationName="Loopback" assigner="spadmin" assignmentId="92b5e732c0374402b00da4e1d3eac6a3" name="capabilities.name" nativeIdentity="22222222" source="LCM" type="Entitlement" value="AccessManager"/>
            <AttributeAssignment applicationId="0ac928ce92e11cbf8192e1dfafc800b6" applicationName="Loopback" assigner="spadmin" assignmentId="a1aecf23dc7b400388f815bfe0a7393a" name="workgroups.name" nativeIdentity="22222222" source="LCM" type="Entitlement" value="Approver-BernardWorkgroupTest"/>
          </List>
        </value>
      </entry>
2

Hi @Bernardc,

This is due to the Attribute Assignment (Sticky entitlements) in the identity Cube. Attribute Assignments are added to an identity to track entitlements that have been assigned to them, typically from an access request. It can be viewed on the Identity via debug page. Whenever a user is provisioned via Access Request (LCM) this sticky attribute is added to the identity. This will be part of the provisioning plan under attributes as assignment = true. Refreshing the identity will retry provisioning of missing entitlements and accounts.

Thanks

3

hi @ashutosh_singh ,

I see, much appreciate for the info.

I have an issue with this where provisioning to identity keep retry but the entitlement was deleted from SailPoint and endpoint application. Is there anyway i can stop the provisioning retry or anyway to avoid this?

4

@Bernardc pls check below links,

What’s sticky AttributeAssignment and how to delete it? - Compass

Remove unused attribute assignments for an identity to stop auto provisioning discrepancies or errors during refresh - Compass

let me know if you have more questions.