Business role with assignment rule assigned back after revoke in certification

Which IIQ version are you inquiring about?

sailpoint iiq 8.5

Hi All,

If any business role is revoked as part of a certification, that business role then gets assigned back to the identity when a new refresh is running.

Is there any way we can make config changes in IIQ to avoid this situation?
Please help me make the config change.

And also, can we revoke 1 IT role if multiple IT roles are associated with a business role?

Thanks in advance.

Part 1: Business Role Re-assignment After Certification Revocation

When a Business Role is revoked via certification, IIQ triggers deprovisioning of that role and its associated IT roles/entitlements. The re-assignment on subsequent Identity Refresh occurs due to one of these conditions:

  • Optimistic Provisioning is enabled — IIQ marks the provisioning as successful without confirming the connector actually removed it. The role remains on the identity cube. On next refresh with Provision Assignments checked, IIQ sees an active role assignment and re-provisions it.
  • Application was unavailable during deprovisioning — the removal failed silently or was queued but not completed, leaving the role still attached to the identity.
  • “Provision Assignments” checkbox is selected on the Identity Refresh task — this is the key trigger. If the role is still logically attached (due to either reason above), refresh treats it as a valid assignment and pushes it back.

Config fixes:

| Option | Action |
| --- | --- |
| Optimistic Provisioning | Set to false on the application — IIQ will wait for connector confirmation before marking deprovisioning complete |
| Identity Refresh Task | Uncheck “Provision Assignments” if you don’t need refresh to drive provisioning |
| Certification Revocation | Ensure the revocation actually clears the role from the identity cube — check IdentityEntitlement and Links post-revocation |
| Retry Logic | If deprovisioning fails, ensure the provisioning transaction shows a failed/retry state, not success |

Part 2: Revoking One IT Role When Multiple IT Roles Are Attached to a Business Role

You cannot selectively revoke a single IT role from within a Business Role construct via certification. Certification operates at the Business Role level; all associated IT roles are bundled.

The approach:

  1. Revoke the Business Role from the identity via certification or lifecycle event
  2. Modify the Business Role definition — remove the unwanted IT role, retain the required one
  3. Re-assign the Business Role to the identity

This gives you the correct end state without leaving orphaned IT role assignments. There is no supported out-of-the-box mechanism to cherry-pick one IT role out of a Business Role for a specific identity without role restructuring.

Thanks for the response Naveen, appreciate it.

Do I need to change the workflow to set Optimistic Provisioning to false?

Yes, the refresh task checkbox is getting the role assigned back.
I have done the testing in the QA environment: when I revoke the access from the certification, it removed that role, but when I run the refresh task it is assigned back.

In the assignment rule, we are using a match list; based on the match list attribute it gets assigned back in refresh.

@Rana123H Optimistic Provisioning should not impact role removal. Normally a business role is removed immediately. Could you please do this: capture the identity XML of a user → revoke a role → capture the identity XML again.

For your second case, you should split your business roles into manageable chunks where you can remove any role easily during certification.

No, I said if the flag is set to true. In your case, if the flag is not set to true, don’t do anything; there won’t be any impact.

@Rana123H - is it possible that the business role is getting assigned due to the assignment rule? Can you please share the bundle XML?

Hi @r_pragati ,

Here is bundle XML.

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Bundle PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Bundle created="1720539677116" displayName="Mobile Developer" id="0a05661e904b1b578190982801bc7593" modified="1720539871422" name="Mobile Developer" type="business">
  <Attributes>
    <Map>
      <entry key="accountSelectorRules"/>
      <entry key="allowDuplicateAccounts" value="false"/>
      <entry key="allowMultipleAssignments" value="false"/>
      <entry key="mergeTemplates" value="false"/>
      <entry key="qrgApplicationName"/>
      <entry key="sysDescriptions">
        <value>
          <Map>
            <entry key="en_US"/>
          </Map>
        </value>
      </entry>
    </Map>
  </Attributes>
  <Inheritance>
    <Reference class="sailpoint.object.Bundle" id="0a05661f90131fa481901770e6e30622" name="Roles"/>
  </Inheritance>
  <Owner>
    <Reference class="sailpoint.object.Identity" id="8a85e69f5bc47eac015bd99f2f196d23" name="IIQ-SystemAdministrator"/>
  </Owner>
  <Requirements>
    <Reference class="sailpoint.object.Bundle" id="0a05661e904b1b578190982a29d7759e" name="ADSG-gAP-QRG-P-CASB-ZTNA-Streaming-External"/>
  </Requirements>
  <Selector>
    <IdentitySelector>
      <MatchExpression and="true">
        <MatchTerm name="inactive" type="IdentityAttribute" value="False"/>
        <MatchTerm name="jobCode" type="IdentityAttribute" value="US99013"/>
      </MatchExpression>
    </IdentitySelector>
  </Selector>
</Bundle>

Does Identity match assignment criteria configured on Business role?

Yes, it’s matched with the assignment criteria.

If a Business role is assigned by assignment criteria/rule and we remove it by an LCM access request, it does not come back on the Identity because of the negative assignment. This means removal of a role by LCM request has higher priority than the assignment criteria of the business role. I am not sure what happens in the case of role removal due to certifications. Let me replicate this in my IIQ environment.

@Rana123H Did you get a chance to review the identity xml before revoke vs after revoke? That’ll help us troubleshoot better.

If the identity selector criteria match, the role will be reassigned automatically. This is expected behavior. You should not certify access for these roles. Instead, configure a “Role Composition Certification” to periodically review the role assignment criteria and adjust it if needed.

For the current scenario, if only a handful of users are affected and you need to prevent the role from being assigned, you can add a negative=true flag to the role assignment in the identity XML.

  <AssignedRoles>
    <!-- negative="true" tells identity refresh not to re-apply this role assignment -->
    <Reference class="sailpoint.object.Bundle" id="0a4111e586ff1dac818732d02e4b1498" name="XYX" negative="true"/>
  </AssignedRoles>

@Rana123H

This is done by the logic in identity refresh, which specifically ignores a role assignment with negative="true".
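To make the "capture identity XML before and after revoke" check from this thread concrete, here is an added example (my own script, not code from the thread, from SailPoint, or from IIQ) that parses two exported identity snapshots, reports how the AssignedRoles references changed, evaluates the bundle's MatchExpression against the identity's attributes, and predicts whether refresh would put the role back. All XML in it is constructed for the example with placeholder ids; it assumes IdentityAttribute MatchTerms only and a simple case-insensitive string comparison, which is a simplification of IIQ's matcher.

```python
"""Predict whether an identity refresh would re-assign a business role.

Constructed example: bundle and identity XML below are sample data with
placeholder ids, shaped like the XML posted in the thread. Only
IdentityAttribute MatchTerms are evaluated (a simplification).
"""
import xml.etree.ElementTree as ET

# Constructed bundle with the same selector shape as the thread's Bundle XML.
BUNDLE_XML = """
<Bundle name="Mobile Developer" type="business" id="PLACEHOLDER-BUNDLE-ID">
  <Selector>
    <IdentitySelector>
      <MatchExpression and="true">
        <MatchTerm name="inactive" type="IdentityAttribute" value="False"/>
        <MatchTerm name="jobCode" type="IdentityAttribute" value="US99013"/>
      </MatchExpression>
    </IdentitySelector>
  </Selector>
</Bundle>
"""

# Constructed identity snapshot captured before the certification revocation.
IDENTITY_BEFORE_XML = """
<Identity name="jdoe" id="PLACEHOLDER-IDENTITY-ID">
  <Attributes>
    <Map>
      <entry key="inactive" value="false"/>
      <entry key="jobCode" value="US99013"/>
    </Map>
  </Attributes>
  <AssignedRoles>
    <Reference class="sailpoint.object.Bundle" id="PLACEHOLDER-BUNDLE-ID" name="Mobile Developer"/>
  </AssignedRoles>
</Identity>
"""

# Constructed snapshot after revocation: the role is kept as a negative assignment.
IDENTITY_AFTER_XML = """
<Identity name="jdoe" id="PLACEHOLDER-IDENTITY-ID">
  <Attributes>
    <Map>
      <entry key="inactive" value="false"/>
      <entry key="jobCode" value="US99013"/>
    </Map>
  </Attributes>
  <AssignedRoles>
    <Reference class="sailpoint.object.Bundle" id="PLACEHOLDER-BUNDLE-ID" name="Mobile Developer" negative="true"/>
  </AssignedRoles>
</Identity>
"""


def identity_attributes(identity_root):
    """Flatten <Attributes><Map><entry key= value=/> into a dict."""
    return {e.get("key"): e.get("value") for e in identity_root.findall("./Attributes/Map/entry")}


def role_assignments(identity_root):
    """Map role name -> True if the <AssignedRoles> reference is negative."""
    out = {}
    for ref in identity_root.findall("./AssignedRoles/Reference"):
        out[ref.get("name")] = ref.get("negative", "false").lower() == "true"
    return out


def selector_matches(bundle_root, attrs):
    """Evaluate the bundle's MatchExpression against identity attributes."""
    expr = bundle_root.find("./Selector/IdentitySelector/MatchExpression")
    if expr is None:
        return False  # no assignment criteria: refresh will not auto-assign
    use_and = expr.get("and", "false").lower() == "true"
    results = []
    for term in expr.findall("MatchTerm"):
        if term.get("type") != "IdentityAttribute":
            raise NotImplementedError(f"unsupported MatchTerm type {term.get('type')}")
        actual = attrs.get(term.get("name"))
        # Simplification: case-insensitive string compare ("False" == "false").
        results.append(actual is not None and actual.lower() == term.get("value", "").lower())
    return all(results) if use_and else any(results)


def diff_assignments(before_xml, after_xml):
    """List how role assignments changed between two identity snapshots."""
    before = role_assignments(ET.fromstring(before_xml))
    after = role_assignments(ET.fromstring(after_xml))
    changes = []
    for name in sorted(set(before) | set(after)):
        b, a = before.get(name), after.get(name)
        if b is None:
            changes.append(f"{name}: added (negative={a})")
        elif a is None:
            changes.append(f"{name}: removed")
        elif b != a:
            changes.append(f"{name}: negative {b} -> {a}")
    return changes


def refresh_would_assign(bundle_xml, identity_xml):
    """True when the selector matches and no negative assignment blocks the role."""
    bundle = ET.fromstring(bundle_xml)
    identity = ET.fromstring(identity_xml)
    if not selector_matches(bundle, identity_attributes(identity)):
        return False
    return not role_assignments(identity).get(bundle.get("name"), False)


if __name__ == "__main__":
    for change in diff_assignments(IDENTITY_BEFORE_XML, IDENTITY_AFTER_XML):
        print(change)
    print("refresh would assign (before):", refresh_would_assign(BUNDLE_XML, IDENTITY_BEFORE_XML))
    print("refresh would assign (after): ", refresh_would_assign(BUNDLE_XML, IDENTITY_AFTER_XML))
```

Run it against real exports by replacing the constructed strings with the two identity XML files and the bundle XML; if the after-snapshot shows the negative flag but refresh still re-assigns, the thing to check is whether the flag survives the refresh, which is the question raised later in this thread.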

Please check the communication below once.

Role Composition reviews the entitlements. I don’t think it reviews the assignment logic.

Yes @neel193, I had checked. negative=true is set after revocation.

@Rana123H The purpose of negative=true is to block the automatic reassignment. So, when it assigns back, does the flag remain or does it get removed? Could you please share the XMLs here for review.

Hi @neel193, please find the attached.
The flag gets removed when it is assigned back.

@Rana123H Let me try to recreate the scenario in my sandbox. Please confirm if these are the steps:

  1. configure a role with assignment logic
  2. assign it to a user
  3. launch certification on the above configured role, that should include the user
  4. revoke the access, that should remove role and set negative=true
  5. refresh the user with options: Refresh assigned, detected roles and promote additional entitlements, Provision assignments
  6. this should assign the role and remove the negative=true.

I had tested in the QA environment and revoked the business role; it was revoked, and the IT role and associated entitlement were also revoked.
I have captured the identity XML before and after revoke; as already discussed, I can see negative=true set after the revoke on the identity profile.
After I revoked, I ran the certification maintenance and role refresh task again; now the role is not getting assigned back even though the role has an assignment rule.

Can someone confirm that negative=true prevents the assignment again if the role is revoked as part of certification?

In which cases will negative=true not work when a revoke happens?

Thanks in Advance

Harsh

Hi @neel193,
Those are the correct steps.