Hello,
I’m doing some tests with Roles, where I created a Business Role with a matching list for an attribute of the Identities. This Business Role has a Required IT Role with an entitlement.
The Role was correctly assigned to the Identities with the matching attribute.
I also tested removing the Role through access requests, which also correctly removed the Role.
My doubt is why isn’t the Role being assigned to the Identity again?
The Identity still has the attribute that matches the Role. Shouldn’t the Role be assigned again after the Identity refresh? Does IdentityIQ have a way of handling these cases that I might be missing?
Yes, this is the normal behavior. SP checks whether a removal request is present on the role and doesn't reassign the role.
Otherwise, you can enter an infinite reassign-remove loop.
Requests have higher priority than automatic assignment. Generally, in SP the manual action has a higher priority, as in this case or with manual correlation.
To reassign the role there are 3 cases:
Make a request to assign the role
Delete the request (and its history) on the identity
An identity attribute change that meets the requirements of the role
Yes, it is expected behavior only. Once you remove the role explicitly through Manage User Access, SailPoint will add one entry called negative="true" to the RoleAssignment, which means don't assign it even if the match list is matched. So, in case you want to assign it again, what you have to do is remove the entry from the identity and run the refresh task with the assigned option; then the role will be assigned. Make sure the match list is matched.
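To make the negative="true" entry described above concrete, here is an added Java example (not code from the original thread or from SailPoint) that an administrator could adapt for an IdentityIQ rule or a custom class: it lists the roles an identity is explicitly blocked from, and optionally clears one such entry so the next refresh with the assigned-roles option can reassign it from the match list. It assumes the IdentityIQ API calls Identity.getRoleAssignments(), RoleAssignment.isNegative(), RoleAssignment.getRoleName(), Identity.removeRoleAssignment(RoleAssignment), and SailPointContext.saveObject()/commitTransaction(); those names are assumptions here, so check them against your IdentityIQ version's javadoc.

```java
// Added example, not part of the original thread or of the IdentityIQ product code.
// Audits and (optionally) clears "negative" RoleAssignment entries, which are
// the reason a refresh does not reassign a role whose match list still matches.
// Assumed API (verify against your IIQ version): Identity.getRoleAssignments(),
// RoleAssignment.isNegative(), RoleAssignment.getRoleName(),
// Identity.removeRoleAssignment(RoleAssignment), SailPointContext.saveObject(),
// SailPointContext.commitTransaction().
import java.util.ArrayList;
import java.util.List;
import sailpoint.api.SailPointContext;
import sailpoint.object.Identity;
import sailpoint.object.RoleAssignment;

public class NegativeRoleAssignmentAudit {

    // Returns the names of roles the identity has been explicitly removed from
    // (negative="true" entries). Read-only: safe to run from a rule or the console
    // to explain why a role is not coming back after an identity refresh.
    public static List<String> findNegativeAssignments(Identity identity) {
        List<String> blocked = new ArrayList<String>();
        List<RoleAssignment> assignments = identity.getRoleAssignments();
        if (assignments != null) {
            for (RoleAssignment ra : assignments) {
                if (ra.isNegative()) {
                    blocked.add(ra.getRoleName());
                }
            }
        }
        return blocked;
    }

    // Removes the negative entry for one role so the match list can reassign it.
    // Returns true if an entry was removed. As the thread says, run the refresh
    // task with the assigned-roles option afterwards; nothing is reassigned here.
    public static boolean clearNegativeAssignment(SailPointContext context,
                                                  Identity identity,
                                                  String roleName) throws Exception {
        List<RoleAssignment> assignments = identity.getRoleAssignments();
        if (assignments == null) {
            return false;
        }
        RoleAssignment toRemove = null;
        for (RoleAssignment ra : assignments) {
            if (ra.isNegative() && roleName.equals(ra.getRoleName())) {
                toRemove = ra;
                break;
            }
        }
        if (toRemove == null) {
            return false;
        }
        identity.removeRoleAssignment(toRemove);   // assumed API, see comment above
        context.saveObject(identity);
        context.commitTransaction();
        return true;
    }

    // Example usage from a rule body, where "context" and "identity" are the
    // standard rule arguments (placeholders here; the role name is constructed).
    public static void example(SailPointContext context, Identity identity) throws Exception {
        List<String> blocked = findNegativeAssignments(identity);
        System.out.println("Roles blocked by negative assignments: " + blocked);
        // Only clear a block deliberately, after confirming the removal request
        // that created it is no longer wanted.
        clearNegativeAssignment(context, identity, "Example Business Role");
    }
}
```

The audit method is the useful part day to day: if a role "silently" fails to return after a refresh, a negative entry in the identity's RoleAssignment list is the first thing to look for, and this makes that visible without editing the identity XML by hand.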
In the scenario I created, the entitlement associated with the IT Role is from AD. If this group is removed in AD, after the aggregation, does the user lose the entitlement?
Would refreshing the Identity reassign the entitlement?
Here, what happens if you delete the group from AD and run the refresh after group aggregation? SailPoint won't do anything, because whatever group you specified in the role is still there on the account, right? So SailPoint won't reassign it. It will assign it only if the group is not there.
Once account aggregation runs, the group will be removed from the account. So in the next refresh, SailPoint will try to reassign it. It will show things like provisioning requests and role changes for the user in the task results.