By eliminating an entitlement (via rule), it persists in the entitlements of the identities

Which IIQ version are you inquiring about?

8.3p4

We have a Business Role composed as follows:

BR-IT (Bundle)
- ITR 1 (Bundle)
- entitlement1
- entitlement2

Through a Rule we delete “entitlement2” from “ITR 1”.
“entitlement2” disappears from “ITR 1”, but going to the profile of an identity to which “BR-IT” is assigned we still find “entitlement2” in the Entitlements list.

Inspecting BR-IT → ITR 1 from the GUI, “entitlement2” does not appear.

After the deletion we run the task “Propagate Role Change” and then an identity refresh.

The Global Settings > IdentityIQ Configuration > Roles > “Allow propagation of role changes” flag is enabled.

We noticed that, through the Rule, no “Role Change Event” is generated. Is that right? Could this be the problem?

Have any of you experienced this and found a solution?

Hi @adolfotrinca,

is entitlement2 assigned or detected on the identity?

Also, on the refresh, are those flags marked or unmarked?

Hi @adolfotrinca ,

as per my understanding your assumption is correct:
if no RoleChangeEvent is generated IIQ will not deprovision a single entitlement having been removed from the role profile(s).
Deprovisioning will happen if the role is de-assigned but if just the profile is changed, you’ll require a RoleChangeEvent.

Your code/rule would have to generate a RoleChangeEvent, this will trigger the deprovisioning (as desired) via Role Change Propagator.

Best regards,
Daniel


Hello Emanuele, this is the situation:

entitlement1 is assigned by role; entitlement2 is detected, but it was assigned by role before the role modification.
The task is set as:

Thanks

Thanks Daniel, you centered the target! Your idea was one of our ideas, but it seems like a deep change to be instructed via Rule, isn’t it? Could we consider it “safe” based on your experience?

Thanks a lot

Hi @andreacressati ,

please kindly have a look at the following class
doc/javadoc/sailpoint/api/RoleChangeAnalyzer.html

It’s officially documented and it seems that it may help you with your requirements.
Unfortunately I can’t test it atm but the docs are quite promising.

Good luck!

BR, Daniel

Thank you Daniel, I couldn’t find the documentation on RoleChangeAnalyzer you suggested.

But that’s OK:
we solved it by creating the two RoleChangeEvents in the Management Rule ourselves, which are necessary for the Propagate Role Change task to notice the “change” and fix the situation in the identity as well.

One has to be created for the Business Rule and one for the IT Rule.
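The approach described in this thread, as an added BeanShell/Java example that is not the poster's rule: edit the IT role's profile in memory, let `sailpoint.api.RoleChangeAnalyzer` diff it against the persisted role so that the RoleChangeEvent is produced, then save events and role together. It assumes the 8.3 javadoc signatures for `RoleChangeAnalyzer.calculateRoleChanges(Bundle)`, `Filter.LeafFilter.getValue()/setValue()` and the rule's implicit `context`; the role, attribute and entitlement names are taken from the thread or assumed.

```java
// Added example, not the original poster's rule. Verify the RoleChangeAnalyzer and
// Filter.LeafFilter signatures against the javadoc of your IIQ 8.3 installation.
import java.util.ArrayList;
import java.util.List;
import sailpoint.api.RoleChangeAnalyzer;
import sailpoint.object.Bundle;
import sailpoint.object.Filter;
import sailpoint.object.Profile;
import sailpoint.object.RoleChangeEvent;

String itRoleName = "ITR 1";              // from the thread
String attribute = "memberOf";            // assumed entitlement attribute name
String entitlementToRemove = "entitlement2";

Bundle itRole = context.getObjectByName(Bundle.class, itRoleName);

// 1. Change the role in memory only: drop the value from every profile
//    constraint on the entitlement attribute that lists it.
for (Profile profile : itRole.getProfiles()) {
    List constraints = profile.getConstraints();
    if (constraints == null) continue;
    for (Object o : constraints) {
        if (!(o instanceof Filter.LeafFilter)) continue;
        Filter.LeafFilter leaf = (Filter.LeafFilter) o;
        if (attribute.equals(leaf.getProperty()) && leaf.getValue() instanceof List) {
            List values = new ArrayList((List) leaf.getValue());
            values.remove(entitlementToRemove);
            leaf.setValue(values);
        }
    }
}

// 2. Diff the modified in-memory role against its persisted version BEFORE saving.
//    This yields the RoleChangeEvent(s) that "Propagate Role Change" consumes;
//    saving the role first would leave nothing to diff and no event (the
//    situation the thread describes).
RoleChangeAnalyzer analyzer = new RoleChangeAnalyzer(context);
List events = analyzer.calculateRoleChanges(itRole);

// 3. Persist events and role in one transaction; afterwards run the
//    "Propagate Role Change" task and then an identity refresh.
for (Object e : events) {
    context.saveObject((RoleChangeEvent) e);
}
context.saveObject(itRole);
context.commitTransaction();
```

The same step 2 can be repeated with the business role (BR-IT) loaded instead of the IT role, which is how the thread's second event for the business role would be obtained.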