Hello Experts,
We are observing weird behavior in our environment for a few hundred users for one of the business roles. What is happening is that all these users are terminated and inactive, but on the identity we can still see this assigned business role, without entitlements and without any detected roles. We checked the assignment criteria for this role and clearly these users do not fall under it.
To clean this up we tried to run the Refresh Identity Cube task with
Refresh assigned, detected roles and promote additional entitlements
Provision assignments
The task executes successfully without any issue, but with no changes on the identity. I suspect that these are very old identities and somewhere the data or mapping is corrupted, or something else.
Any insights in this area would be really appreciated.
When an identity is inactive = true, IIQ will not evaluate it anymore until that flag is false or removed. You might need to change the logic for inactive and add something like assignedRole == null; then if that condition is met you can set that to true. I think this happens because of how IIQ tracks active licensed users in the system.
Here’s a solution based on tasks that you can try.
I suggest you check the following:
In the “Refresh Identity Cube” task, is the “Exclude inactive identities” option unchecked? If so, inactive identities are ignored.
Next, I suggest you run the “Perform Identity Request Maintenance” task, which will force the status update in the identity cube, with the option “Verify provisioning for requests” checked.
Finally, the “Remove Orphan Role Requests” task will pause and delete role requests that no longer exist in the system. Even if the role exists, the assignment itself might be considered orphaned following a deactivation request.
That’s interesting, because this part of the product is well tested and usually works exactly as expected.
First of all please make sure that the identities in scope are actually picked up by the Identity Refresh task you are executing.
Can you please confirm that the “lastRefresh” timestamp is actually updated?
In order to track this down please choose a single identity and refresh just this one to see if that changes anything.
If this still does not reveal any insights we have to enable logging to exactly know what the Identity Refresh is doing (or not).
Just to be sure: would you be able to share the assignment rule?
Yes, I am using just a single identity to troubleshoot this problem. Yes, when I ran the refresh for this user the timestamp is getting updated.
The strange part is, only the assigned role is there on the identity, no IT role, no entitlement. I have attached the identity for one user; it may help to get some clue.
In order for the Identity Refresh to look into a rule-based assignment, it requires a RoleAssignment entry with source=“Rule”.
Otherwise the Cube Refresh will not “see” the Role.
Just having the pure reference under AssignedRoles is not enough.
You should be able to verify that by checking other cubes with valid rule-based assigned roles.
Unfortunately I cannot tell you why the cube is in that state, however it seems to me that this is not a valid state.
Maybe you will be able to remember any activity which could have caused that issue.
Also, in the past there were some bugs which removed the source=“Rule” from the cubes, but this was quite a while ago and you would have discovered this during regression testing (I hope so).
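One way to check the point made above across an exported set of cubes, as an added example that is not part of this thread and not SailPoint code: parse the identity XML and list every AssignedRoles reference that has no RoleAssignment entry at all, and show the source of the ones that do. The element and attribute names (AssignedRoles/Reference, RoleAssignments/RoleAssignment, roleName, source, inactive) are assumed to follow the usual IIQ export layout; the three identities in the sample are constructed for the example.

```python
# Added example (not from the thread or from SailPoint): scan an exported
# IdentityIQ identity XML for assigned roles that are only referenced under
# AssignedRoles and have no RoleAssignment entry, which is the state the
# thread describes. Element/attribute names are assumptions about the
# usual IIQ export layout; adjust them if your export differs.
import xml.etree.ElementTree as ET

# Constructed sample: a healthy rule-assigned cube, a terminated cube with a
# reference-only assignment, and a cube with a manual (LCM) assignment.
SAMPLE_IDENTITIES_XML = """<sailpoint>
  <Identity name="healthy.user" inactive="false">
    <AssignedRoles>
      <Reference class="sailpoint.object.Bundle" name="Business Role A"/>
    </AssignedRoles>
    <RoleAssignments>
      <RoleAssignment assignmentId="a1" roleName="Business Role A" source="Rule"/>
    </RoleAssignments>
  </Identity>
  <Identity name="terminated.user" inactive="true">
    <AssignedRoles>
      <Reference class="sailpoint.object.Bundle" name="Business Role A"/>
    </AssignedRoles>
  </Identity>
  <Identity name="manual.user" inactive="false">
    <AssignedRoles>
      <Reference class="sailpoint.object.Bundle" name="Business Role B"/>
    </AssignedRoles>
    <RoleAssignments>
      <RoleAssignment assignmentId="a2" roleName="Business Role B" source="LCM"/>
    </RoleAssignments>
  </Identity>
</sailpoint>
"""


def classify_assigned_roles(xml_text):
    """Return {identity name: {assigned role name: RoleAssignment source or None}}.

    None means the role is referenced under AssignedRoles but has no
    RoleAssignment entry, so a rule-based refresh has nothing to re-evaluate.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for identity in root.iter("Identity"):
        sources = {
            ra.get("roleName"): ra.get("source")
            for ra in identity.iterfind("./RoleAssignments/RoleAssignment")
        }
        assigned = [ref.get("name") for ref in identity.iterfind("./AssignedRoles/Reference")]
        result[identity.get("name")] = {role: sources.get(role) for role in assigned}
    return result


def find_reference_only_roles(xml_text):
    """Return {identity name: [role names]} limited to reference-only assignments."""
    findings = {}
    for name, roles in classify_assigned_roles(xml_text).items():
        missing = [role for role, source in roles.items() if source is None]
        if missing:
            findings[name] = missing
    return findings


def report(xml_text):
    """Print one line per affected identity, with its inactive flag for context."""
    root = ET.fromstring(xml_text)
    inactive = {i.get("name"): i.get("inactive") for i in root.iter("Identity")}
    for name, roles in find_reference_only_roles(xml_text).items():
        print(f"{name} (inactive={inactive[name]}): no RoleAssignment for {roles}")


if __name__ == "__main__":
    report(SAMPLE_IDENTITIES_XML)
```

Run against a real export (for example from the debug page or an export task), the reference-only list is the set of cubes to compare with healthy cubes before deciding whether a refresh, a re-assignment or a data fix is the right cleanup; the source column separates them from legitimate manual assignments that a rule would never touch.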
Hmm, check the setting for role configuration on business roles and IT roles; it should just work out of the box really. Can you compare your environments as well? Is it the same behavior?
Nope, this is happening only in the prod environment. It is not even consistent for all users: for the majority of users it's working fine, but a few are in this state.
We have very simple assignment logic for this role: a population is populated if the user has the xyzzy application, and all the users from this population are eligible for this business role.
I’ve encountered a similar issue during one of my bug reports, and while going through the log report I found out that there was a refresh role task being performed at midnight, and after that task the business role used to behave weirdly. Then we excluded a few business roles from that task.
I suggest that if you can find the log report timing and any parallel event that occurred at that timestamp, you can find the cause of this issue.