Behavior of AD-Assigned IT Roles vs. Manual Role Assignment

Which IIQ version are you inquiring about?

8.3p4

Hi Community,

We observed a case where an IT role was assigned to a user directly from Active Directory, without any intervention from SailPoint.

My Question: Could you confirm whether such an IT role behaves the same way as roles that are manually assigned through the Manage User Access tab?

Hi @kallajayaram

Basically, IT roles are detected roles. During refresh, when SailPoint finds an identity that has all the entitlements matching any IT role in the system, it automatically tags the IT role on the identity.

The roles you generally assign from the Manage User Access tab are business roles, which are otherwise called assigned roles.

If you check any identity in the Entitlements tab, roles are differentiated with the tags "assigned" and "detected" in the column named Acquired.

1 Like

Hi @kallajayaram ,

If the AD entitlement assigned to the user is part of an IT role, then that IT role is added to the user without it being explicitly requested.

1 Like

@kallajayaram This is a default behaviour of IIQ as explained by @tharshith .

If you want to disable this behaviour, you can go to Global Settings → Role → IT and check this option: "No automatic detection with profiles unless assigned". This will disable detecting IT roles that are not assigned via business roles.

Note: Found a fix? Help the community by marking the comment as the solution. Feel free to react (:heart:, :+1:, etc.) with an emoji to show your appreciation, or message me directly if your problem requires a deeper dive.

1 Like

Thank you @neel193 , @mandarsane and @tharshith

Thank you for the clarification. I was able to understand the behavior now.

Detected roles are automatically identified based on existing entitlements rather than being explicitly assigned. They do not behave the same as assigned roles because they do not trigger provisioning at the target system.

Because of this, removing a detected role itself does not revoke access; the underlying entitlements must be removed. This can sometimes lead to confusion during certifications, repeated detection after aggregation, or policy violations when certain entitlement combinations are present.

2 Likes
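The behaviour described in the replies above (an IT role is detected during refresh when the identity holds every entitlement in the role's profile; removing the detected role leaves the entitlements in place, so the role reappears on the next refresh; the "No automatic detection with profiles unless assigned" option suppresses detection unless an assigned business role requires the IT role) can be modelled in a few lines. The following is an added example written for this page, not SailPoint code and not a call into the IIQ API: the `Identity`, `ITRole` and `BusinessRole` classes, the `refresh()` logic and the AD group names are simplified, constructed stand-ins for IIQ's Identity and Bundle objects, and profile matching is reduced to an all-of check on (application, attribute, value) tuples.

```python
"""Model of IdentityIQ IT-role detection as described in the thread.

Added example, not SailPoint code. Data structures and the refresh()
function are simplified stand-ins for IIQ's Identity/Bundle objects and
refresh task; all names and group DNs below are constructed.
"""
from dataclasses import dataclass, field

# An entitlement is (application, attribute, value), e.g. an AD group membership.
Entitlement = tuple[str, str, str]


@dataclass(frozen=True)
class ITRole:
    name: str
    profile: frozenset  # entitlements an identity must hold for the role to be detected


@dataclass(frozen=True)
class BusinessRole:
    name: str
    required_it_roles: frozenset  # IT role names this business role requires/permits


@dataclass
class Identity:
    name: str
    entitlements: set
    assigned_roles: set = field(default_factory=set)  # business roles from Manage User Access
    detected_roles: set = field(default_factory=set)  # IT roles tagged by refresh


def refresh(identity, it_roles, business_roles, detect_only_if_assigned=False):
    """Recompute detected roles from the identity's current entitlements.

    detect_only_if_assigned models "No automatic detection with profiles
    unless assigned": an IT role is then detected only if one of the
    identity's assigned business roles requires it.
    """
    allowed = None
    if detect_only_if_assigned:
        allowed = set()
        for br in business_roles:
            if br.name in identity.assigned_roles:
                allowed |= br.required_it_roles
    detected = set()
    for role in it_roles:
        if role.profile <= identity.entitlements and (allowed is None or role.name in allowed):
            detected.add(role.name)
    identity.detected_roles = detected
    return set(detected)


def remove_detected_role(identity, role_name):
    """Dropping the detected-role tag does not touch the underlying entitlements."""
    identity.detected_roles.discard(role_name)
    return set(identity.entitlements)


def revoke_entitlements(identity, role, it_roles, business_roles, **kw):
    """Revoke the role's entitlements at the source and re-run refresh."""
    identity.entitlements -= role.profile
    return refresh(identity, it_roles, business_roles, **kw)


AD = "Active Directory"


def ad_group(dn):
    """Constructed helper: an AD memberOf entitlement for group DN `dn`."""
    return (AD, "memberOf", dn)


FINANCE_GROUP = ad_group("CN=Finance-Share,OU=Groups,DC=example,DC=com")
IT_ROLES = [
    ITRole("IT-AD-FinanceShare", frozenset({FINANCE_GROUP})),
    ITRole("IT-AD-DomainAdmin", frozenset({ad_group("CN=Domain Admins,CN=Users,DC=example,DC=com")})),
]
BUSINESS_ROLES = [BusinessRole("BR-Finance-Analyst", frozenset({"IT-AD-FinanceShare"}))]


def scenario():
    """Walk the thread's case: an AD group granted directly in AD, outside IIQ."""
    results = {}
    alice = Identity("alice", {FINANCE_GROUP})  # constructed identity, no IIQ request
    results["after_refresh"] = refresh(alice, IT_ROLES, BUSINESS_ROLES)
    # Removing the detected role leaves the AD group in place...
    results["entitlements_after_role_removal"] = remove_detected_role(alice, "IT-AD-FinanceShare")
    # ...so the next refresh/aggregation detects the role again.
    results["after_second_refresh"] = refresh(alice, IT_ROLES, BUSINESS_ROLES)
    # Revoking the entitlement is what actually removes the access and the tag.
    results["after_revoke"] = revoke_entitlements(alice, IT_ROLES[0], IT_ROLES, BUSINESS_ROLES)
    # With the global option on, the same direct grant is not detected until a
    # business role that requires the IT role is assigned.
    bob = Identity("bob", {FINANCE_GROUP})
    results["strict_unassigned"] = refresh(bob, IT_ROLES, BUSINESS_ROLES, detect_only_if_assigned=True)
    bob.assigned_roles.add("BR-Finance-Analyst")
    results["strict_assigned"] = refresh(bob, IT_ROLES, BUSINESS_ROLES, detect_only_if_assigned=True)
    return results


if __name__ == "__main__":
    for step, value in scenario().items():
        print(f"{step}: {sorted(value)}")
```

The two things worth taking from the walk-through are that `remove_detected_role` never changes `entitlements`, which is why the role comes back on the next refresh, and that with `detect_only_if_assigned=True` the direct AD grant stays invisible as a role (though still present as an entitlement) until a business role is assigned; in a real IIQ deployment the entitlement itself is still there to certify and to revoke.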

Hi @kallajayaram ,

I think, as per your explanation, it looks like the roles are not configured properly. Check the IT role and Business role metadata configuration. IT roles shouldn’t be assigned; perhaps check if there’s any internal process making them explicitly assigned using any code!

Thanks,

PVR.

1 Like