Best Practices: Updating Roles Already Assigned to Users (Removing Entitlements)

When a role is assigned to users, and the underlying access profiles were edited to revoke one or more entitlements tied to them, it does not revoke the entitlements from existing users.

But consider a scenario where you’re expected to keep role updates synced with both new users acquiring the role and any existing users who have already been provisioned the role. So, someone who already has the role assigned should no longer have access to the entitlement that was unlinked from the Role (Access Profile within the Role).

Is there an automated recommendation around how to go about this scenario?
A certification of access might be one way to address this, and some ideas around a REST API based custom solution come to mind. Another idea is to create a new copy of the role, but without the entitlements to remove, and assign it to the same user set; followed by revoking the older role which causes deprovisioning of the delta access.
Is there a cleaner and more streamlined way you can think of doing this?

SailPoint best practice is this method, as you say: “create a new copy of the role, but without the entitlements to remove, and assign it to the same user set; followed by revoking the older role which causes deprovisioning of the delta access.”

2 Likes
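To make the “delta access” concrete, here is an added example (not SailPoint’s code and not posted by anyone in this thread) that works the delta out for the custom REST-based approach the question mentions. It takes the role → access profile → entitlement mapping before and after the edit, and for each identity that already holds the role computes which entitlements it would lose. The nested dicts, identity names and entitlement ids are constructed sample data shaped roughly like the objects the IdentityNow API returns, and the `build_revoke_request` body is an assumed shape to check against the API reference; nothing here calls a tenant. The example also covers the two cases a naive “old minus new” calculation gets wrong: an entitlement that another role the identity still holds also grants, and one the identity was given directly outside any role.

```python
"""Compute the delta entitlements to revoke after a role's access profile loses entitlements.

Added example; not SailPoint's code and not from the thread. The nested dict
layout (role -> access profiles -> entitlements) and every id below are
constructed sample data resembling what the IdentityNow REST API returns;
nothing here talks to a tenant.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# --- constructed sample data -------------------------------------------------
# access profile id -> entitlement ids, as the definitions stood BEFORE the edit
ACCESS_PROFILES_BEFORE = {
    "ap-finance": {"ent-sap-fi-read", "ent-sap-fi-post", "ent-vpn"},
    "ap-base": {"ent-ad-domain-users", "ent-vpn"},
    "ap-posting": {"ent-sap-fi-post"},
}
# AFTER the admin unlinked ent-sap-fi-post from ap-finance
ACCESS_PROFILES_AFTER = {
    "ap-finance": {"ent-sap-fi-read", "ent-vpn"},
    "ap-base": {"ent-ad-domain-users", "ent-vpn"},
    "ap-posting": {"ent-sap-fi-post"},
}
# role id -> access profile ids bundled in that role
ROLES = {
    "role-finance": ["ap-finance", "ap-base"],
    "role-sap-poster": ["ap-posting"],
    "role-staff": ["ap-base"],
}


@dataclass
class Identity:
    identity_id: str
    roles: list[str]
    # entitlements requested for the identity directly, outside any role
    direct_entitlements: set[str] = field(default_factory=set)


IDENTITIES = [
    Identity("alice", ["role-finance"]),                        # loses ent-sap-fi-post
    Identity("bob", ["role-finance", "role-sap-poster"]),       # keeps it via another role
    Identity("carol", ["role-finance"], {"ent-sap-fi-post"}),   # keeps it via direct assignment
    Identity("dave", ["role-staff"]),                           # role untouched by the edit
]


def role_entitlements(role_id, roles, access_profiles):
    """Union of the entitlements granted through every access profile in the role."""
    granted = set()
    for ap_id in roles[role_id]:
        granted |= access_profiles.get(ap_id, set())
    return granted


def entitlements_via_roles(identity, roles, access_profiles):
    """Everything the identity holds through all of its assigned roles."""
    granted = set()
    for role_id in identity.roles:
        granted |= role_entitlements(role_id, roles, access_profiles)
    return granted


def delta_for_identity(identity, roles, before, after):
    """Entitlements the identity held only through the edited role definition.

    An entitlement is kept (not revoked) when another role the identity still
    holds grants it, or when it was assigned directly to the identity.
    """
    held_before = entitlements_via_roles(identity, roles, before)
    held_after = entitlements_via_roles(identity, roles, after)
    return held_before - held_after - identity.direct_entitlements


def plan_revocations(identities, roles, before, after):
    """identity id -> sorted entitlement ids to revoke; identities with no delta are omitted."""
    plan = {}
    for ident in identities:
        delta = delta_for_identity(ident, roles, before, after)
        if delta:
            plan[ident.identity_id] = sorted(delta)
    return plan


def build_revoke_request(identity_id, entitlement_ids):
    """Body for an access request of type REVOKE_ACCESS.

    ASSUMPTION: the field names mirror the IdentityNow v3 access-requests API as
    understood here; verify against the current API reference before submitting.
    """
    return {
        "requestedFor": [identity_id],
        "requestType": "REVOKE_ACCESS",
        "requestedItems": [
            {"type": "ENTITLEMENT", "id": ent_id,
             "comment": "Role definition changed; delta deprovisioning"}
            for ent_id in entitlement_ids
        ],
    }


if __name__ == "__main__":
    plan = plan_revocations(IDENTITIES, ROLES, ACCESS_PROFILES_BEFORE, ACCESS_PROFILES_AFTER)
    for identity_id, ents in plan.items():
        print(identity_id, build_revoke_request(identity_id, ents))
```

Run stand-alone, only `alice` appears in the plan: `bob` still gets `ent-sap-fi-post` from `role-sap-poster`, and `carol` holds it directly, so revoking it from either would be an over-deprovision that the copy-the-role method from the answer above avoids automatically, because IdentityNow evaluates all of an identity's current assignments when it removes the old role. If you go the REST route instead, this is the check the script has to do on your behalf before any revoke request is submitted.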

If your role has membership criteria, you can change the criteria, and if a user doesn’t meet the criteria, IDN will automatically do delta deprovisioning.

2 Likes

Thanks @ondiaye for your inputs! Is there a document you can refer me to for this?

@sushant1 as you can see here:

I noticed this during my IdentityNow Essentials course.

1 Like
