Can we delete managed attributes/entitlements manually?

kirkkenton · October 25, 2023, 11:39pm

We’ve got ourselves into an interesting issue. Had an incident where a Role’s assignment criteria go mixed up which ended up creating many Google accounts for disabled identities. This was a human error and was corrected in 10 minutes. Our Google admin has removed super admin from our service account. In our environment we are not creating Google accounts. We only aggregate accounts and groups and provision users to Groups only. We’ve limited the Google Source Feature string to remove Provisioning so we don’t create accounts anymore but that is not enough for our Google admin. So we are trying to modify our config for our Google source to work without Super Admin. So, we removed the Role entitlement type and tried to delete the Role account attribute from the account schema but get a message:

Trace ID: 03a3dcd580854fed877454192ed10bdd
Details:
Unable to delete attribute "Roles" because it is referenced by  "attribute sync configuration".
Referenced by internal schema property "Roles". Contact SailPoint.
Referenced by internal managed attribute "_USER_MANAGEMENT_ADMIN_ROLE". Contact SailPoint.
Referenced by internal managed attribute "Frontline IT Revised". Contact SailPoint.
Referenced by internal managed attribute "_GROUPS_READER_ROLE". Contact SailPoint.
Referenced by internal managed attribute "_GROUPS_ADMIN_ROLE". Contact SailPoint.
Referenced by internal managed attribute "_STORAGE_ADMIN_ROLE". Contact SailPoint.
Referenced by internal managed attribute "_PLAY_FOR_WORK_ADMIN_ROLE". Contact SailPoint.
Referenced by internal managed attribute "_SEED_ADMIN_ROLE". Contact SailPoint.
Referenced by internal managed attribute "_GROUPS_EDITOR_ROLE". Contact SailPoint.
Referenced by internal managed attribute "kconley-test". Contact SailPoint.
Referenced by internal managed attribute "_SERVICE_ADMIN_ROLE". Contact SailPoint.
Referenced by internal managed attribute "_HELP_DESK_ADMIN_ROLE". Contact SailPoint.

Do we literally need to open a Sailpoint ticket or is there another way we can remove these entitlements? We cannot complete an aggregation since we don’t have rights to roleAssignments in google api.

Any suggestions?

The only dreadful one we have is to create a new Google connector and setup from the start without the entitlement types for Roles and just leave Group. Then update all our Access Profiles with the new Source’s group entitlements.

KRM7 · October 26, 2023, 7:20am

Hi Kirk,

Welcome to SailPoint Developer community.

You can remove them from your existing source, no need to create new one. Make use of APIs to do that.

You can list all schemas in Source,
GET: v3/sources/:sourceId/schemas

Delete schema (Group object) which you don’t need anymore
DELETE: v3/sources/:sourceId/schemas/:schemaId

Update account schema attributes
PUT: v3/sources/:sourceId/schemas/:schemaId

We also experienced this reference errors.

Thanks
Krish

kirkkenton · November 3, 2023, 9:48pm

Hey Krishna,
I’m not able to remove the Role attribute because there are managed attributes (entitlement objects of Type Role) that exist. As you can see in the error i posted, that is what i get if i try to remove the attribute “Role” from the account schema. I’ve already removed the entitlement type for Role. I think i first need to delete those individual entitlements but have no clue how i can delete entitlements.

If i use the API or UI to delete the attribute “Roles” from Google i get that same error in my OP.

I’ve even removed Entitlement from this attribute and that did nothing.

Oh, and in the error it mentions that it is referenced by “attribute sync configuration”. it is not. Attribute sync is not configured for this source.

KRM7 · November 4, 2023, 10:02am

API for resetting a source (remove accounts and entitlements).

POST {{api-url}}/cc/api/source/reset/:id

where the id in the endpoint call is the source id that you see in IDN URL when you’ve clicked into the specific Source in the UI (example : 12345):

kirkkenton · November 6, 2023, 4:11pm

That would probably work but then i need to update all Access profiles that contain Google Groups from this source. I really only want to delete entitlements of type Role. I’m really surprised this is not possible. Also after resetting, those next aggregations are new and take a very long time to complete.

KRM7 · November 12, 2023, 8:33pm

Did you try to remove the Group object in schema list

kirkkenton · November 17, 2023, 3:51pm

You cannot delete anything if objects exist of that entitlement type.

We ended up having to Reset the connector to delete all accounts, entitlements and access profiles. Kind of sucked but no other solution.

Topic		Replies	Views
Webservices Connector Account Attribute Promoted As Entitlement - Deletion Issue ISC Discussion and Questions webservice-connector , identity-security-cloud	3	74	January 20, 2025
Remove Entitlement from Source (Application) ISC Discussion and Questions identity-security-cloud , connectors , entitlements , sources	22	210	March 19, 2026
Entitlements not removed after onboarding ISC Discussion and Questions identity-security-cloud	7	83	April 15, 2026
Remove One Source Entitlement ISC Discussion and Questions identity-security-cloud , entitlements	3	90	July 18, 2025
Unable to Delete the account ISC Discussion and Questions webservice-connector , identity-security-cloud , entitlements	8	204	October 26, 2025

Can we delete managed attributes/entitlements manually?

Related topics