Which IIQ version are you inquiring about?
8.3p4
We have a BusinessRule composed as follows:
BR-IT (Bundle)
- ITR 1 (Bundle)
  - entitlement1
  - entitlement2
Through a Rule we delete “entitlement2” from “ITR 1”.
“entitlement2” disappears from ‘ITR 1’ but going to the profile of an identity to which ‘BR-IT’ is assigned we still find ‘entitlement2’ in the Entitlements list.
Going to inspect BR-IT → ITR 1 from the GUI, “entitlement2” does not appear.
After the deletion we run the task “Propagate Role Change” and then an identity refresh.
The Global setting> IdentityIQ Configuration> Roles> “Allow propagation of role changes” flag is enabled.
We noticed that, through the Rule, no “Role Change Event” is generated, is that right? Could this be the problem?
Have any of you experienced this and found a solution?
Hi @adolfotrinca,
is entitlement2 assigned or detected on the identity?
Also, on the refresh, are those flags marked or unmarked?


Hi @adolfotrinca,
as per my understanding your assumption is correct:
if no RoleChangeEvent is generated IIQ will not deprovision a single entitlement having been removed from the role profile(s).
Deprovisioning will happen if the role is de-assigned but if just the profile is changed, you’ll require a RoleChangeEvent.
Your code/rule would have to generate a RoleChangeEvent, this will trigger the deprovisioning (as desired) via Role Change Propagator.
Best regards,
Daniel
Hello Emanuele, this is the situation:
entitlement1 is assigned by role; entitlement2 is detected but was assigned by role before the role modification.
The task is set as:
Thanks
Thanks Daniel, you centered the target! Your idea was one of our ideas, but it seems like a deep change to be instructed via Rule. Isn’t it? Could we consider it “safe” based on your experience?
Thanks a lot
Hi @andreacressati,
please kindly have a look at the following class
doc/javadoc/sailpoint/api/RoleChangeAnalyzer.html
It’s officially documented and it seems that it may help you with your requirements.
Unfortunately I can’t test it atm but the docs are quite promising.
Good luck!
BR, Daniel
Thank you Daniel, I couldn’t find the documentation on RoleChangeAnalyzer you suggested.
But that’s OK,
we solved it by creating the two RoleChangeEvents in the Management Rule ourselves, which are necessary for the Propagate Role Change task to notice the “change” and fix the situation in the identity as well.
One has to be created for the Business Rule and one for the IT Rule.