Through a Rule we delete “entitlement2” from “ITR 1”.
“entitlement2” disappears from ‘ITR 1’ but going to the profile of an identity to which ‘BR-IT’ is assigned we still find ‘entitlement2’ in the Entitlements list.
Trying to inspect BR-IT → ITR 1 from the GUI, “entitlement2” does not appear.
After the deletion we run the task “Propagate Role Change” and then an identity refresh.
The Global Settings > IdentityIQ Configuration > Roles > “Allow propagation of role changes” flag is enabled.
We noticed that, through the Rule, no “Role Change Event” is generated. Is that right? Could this be the problem?
Have any of you experienced this and found a solution?
As per my understanding, your assumption is correct:
if no RoleChangeEvent is generated IIQ will not deprovision a single entitlement having been removed from the role profile(s).
Deprovisioning will happen if the role is de-assigned but if just the profile is changed, you’ll require a RoleChangeEvent.
Your code/rule would have to generate a RoleChangeEvent; this will trigger the deprovisioning (as desired) via the Role Change Propagator.
Thanks Daniel, you centered the target! Your idea was one of our ideas, but it seems like a deep change to be instructed via Rule. Isn’t it? Could we consider it “safe” based on your experience?
Please kindly have a look at the following class:
doc/javadoc/sailpoint/api/RoleChangeAnalyzer.html
It’s officially documented and it seems that it may help you with your requirements.
Unfortunately I can’t test it atm but the docs are quite promising.
Thank you Daniel, I couldn’t find the documentation on RoleChangeAnalyzer you suggested.
But that’s OK, we solved it by creating the two RoleChangeEvents in the Management Rule ourselves, which are necessary for the Propagate Role Change task to notice the “change” and fix the situation in the identity as well.
One has to be created for the Business Role and one for the IT Role.
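One way to do what the last reply describes, as an added example that is not the poster's code: a BeanShell/Java fragment, as run inside an IdentityIQ rule, that builds the removal plan for the dropped entitlement and queues one RoleChangeEvent for the IT role and one for the business role so that the Propagate Role Change task can deprovision it. It assumes the standard sailpoint.object API (RoleChangeEvent setters, ProvisioningPlan/AccountRequest/AttributeRequest) and the rule's `context` and `log` variables; the application name "LDAP" and attribute "groups" are placeholders, and the role and entitlement names are the thread's own.

```java
// Added example, not the poster's rule. Assumes the standard sailpoint.object
// API and the rule-provided variables "context" (SailPointContext) and "log".
import sailpoint.object.Bundle;
import sailpoint.object.RoleChangeEvent;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

String appName = "LDAP";        // placeholder: application that holds the entitlement
String attrName = "groups";     // placeholder: entitlement attribute on that application
String entitlement = "entitlement2";   // the entitlement removed from ITR 1's profile

// Plan the propagator should apply to each affected identity: remove the
// entitlement that no longer belongs to the IT role's profile.
ProvisioningPlan plan = new ProvisioningPlan();
AccountRequest acct = new AccountRequest();
acct.setApplication(appName);
acct.setOperation(AccountRequest.Operation.Modify);
AttributeRequest attr = new AttributeRequest(attrName, ProvisioningPlan.Operation.Remove, entitlement);
acct.add(attr);
plan.add(acct);

// One event per role whose members must be re-evaluated: the IT role whose
// profile changed and the business role that requires it. The "Propagate Role
// Change" task consumes these events only when "Allow propagation of role
// changes" is enabled in IdentityIQ Configuration > Roles.
String[] roleNames = { "ITR 1", "BR-IT" };
for (String roleName : roleNames) {
    Bundle role = context.getObjectByName(Bundle.class, roleName);
    if (role == null) {
        log.warn("Role not found, no RoleChangeEvent created: " + roleName);
        continue;
    }
    RoleChangeEvent event = new RoleChangeEvent();
    event.setBundleId(role.getId());
    event.setBundleName(role.getName());
    event.setBundleDeleted(false);        // the role still exists; only its profile changed
    event.setProvisioningPlan(plan);
    context.saveObject(event);
}
context.commitTransaction();
```

After the rule runs, the pending events can be checked in the debug pages (object type RoleChangeEvent) before the Propagate Role Change task and an identity refresh are started.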