We’ve got ourselves into an interesting issue. We had an incident where a Role’s assignment criteria got mixed up, which ended up creating many Google accounts for disabled identities. This was a human error and was corrected in 10 minutes. Our Google admin has removed Super Admin from our service account. In our environment we are not creating Google accounts. We only aggregate accounts and groups and provision users to Groups only. We’ve limited the Google Source Feature string to remove Provisioning so we don’t create accounts anymore, but that is not enough for our Google admin. So we are trying to modify the config for our Google source to work without Super Admin. We removed the Role entitlement type and tried to delete the Role account attribute from the account schema, but get this message:
Trace ID: 03a3dcd580854fed877454192ed10bdd
Details:
Unable to delete attribute "Roles" because it is referenced by "attribute sync configuration".
Referenced by internal schema property "Roles". Contact SailPoint.
Referenced by internal managed attribute "_USER_MANAGEMENT_ADMIN_ROLE". Contact SailPoint.
Referenced by internal managed attribute "Frontline IT Revised". Contact SailPoint.
Referenced by internal managed attribute "_GROUPS_READER_ROLE". Contact SailPoint.
Referenced by internal managed attribute "_GROUPS_ADMIN_ROLE". Contact SailPoint.
Referenced by internal managed attribute "_STORAGE_ADMIN_ROLE". Contact SailPoint.
Referenced by internal managed attribute "_PLAY_FOR_WORK_ADMIN_ROLE". Contact SailPoint.
Referenced by internal managed attribute "_SEED_ADMIN_ROLE". Contact SailPoint.
Referenced by internal managed attribute "_GROUPS_EDITOR_ROLE". Contact SailPoint.
Referenced by internal managed attribute "kconley-test". Contact SailPoint.
Referenced by internal managed attribute "_SERVICE_ADMIN_ROLE". Contact SailPoint.
Referenced by internal managed attribute "_HELP_DESK_ADMIN_ROLE". Contact SailPoint.
Do we literally need to open a SailPoint ticket, or is there another way we can remove these entitlements? We cannot complete an aggregation since we don’t have rights to roleAssignments in the Google API.
Any suggestions?
The only dreadful one we have is to create a new Google connector and set it up from the start without the entitlement type for Roles, leaving just Group. Then update all our Access Profiles with the new Source’s group entitlements.
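Before opening a ticket, the one check worth scripting is to reconcile the managed attributes named in that error against what the tenant's entitlement listing actually shows for the source. The Python below is an added example, not code from the original post or from SailPoint: it parses the error text quoted above, then compares the referenced managed-attribute names against an entitlement listing. The listing used here is a constructed sample (a subset of the names in the error); the field names (`attribute`, `value`, `source.id`), the `/beta/entitlements` endpoint, its `filters` syntax and its offset/limit paging are assumptions about the Identity Security Cloud beta API and should be checked against the API reference before relying on the optional fetch helper, which the offline demo does not call.

```python
"""Reconcile the references in a schema-attribute delete error against a source's entitlements."""
import json
import re
import urllib.parse
import urllib.request
from typing import Dict, List

# Constructed sample input: a subset of the error text quoted in the post above.
ERROR_TEXT = """Unable to delete attribute "Roles" because it is referenced by "attribute sync configuration".
Referenced by internal schema property "Roles". Contact SailPoint.
Referenced by internal managed attribute "_USER_MANAGEMENT_ADMIN_ROLE". Contact SailPoint.
Referenced by internal managed attribute "Frontline IT Revised". Contact SailPoint.
Referenced by internal managed attribute "_GROUPS_READER_ROLE". Contact SailPoint.
Referenced by internal managed attribute "kconley-test". Contact SailPoint.
"""

# Constructed sample shaped like items returned by GET /beta/entitlements (field names are an assumption).
SAMPLE_ENTITLEMENTS = [
    {"id": "e1", "name": "_GROUPS_READER_ROLE", "value": "_GROUPS_READER_ROLE",
     "attribute": "Roles", "source": {"id": "src-google", "name": "Google"}},
    {"id": "e2", "name": "Frontline IT Revised", "value": "Frontline IT Revised",
     "attribute": "Roles", "source": {"id": "src-google", "name": "Google"}},
    {"id": "e3", "name": "engineering@example.com", "value": "engineering@example.com",
     "attribute": "groups", "source": {"id": "src-google", "name": "Google"}},
]

HEAD_RE = re.compile(r'Unable to delete attribute "([^"]+)" because it is referenced by "([^"]+)"')
REF_RE = re.compile(r'Referenced by internal (schema property|managed attribute) "([^"]+)"')


def parse_delete_error(text: str) -> Dict[str, object]:
    """Parse the error into {'attribute': name, 'references': {kind: [names]}}."""
    result: Dict[str, object] = {"attribute": None, "references": {}}
    refs: Dict[str, List[str]] = result["references"]  # type: ignore[assignment]
    for line in text.splitlines():
        head = HEAD_RE.search(line)
        if head:
            result["attribute"] = head.group(1)
            # The first line names a non-entitlement reference (e.g. attribute sync configuration).
            refs.setdefault(head.group(2), []).append(head.group(1))
            continue
        ref = REF_RE.search(line)
        if ref:
            refs.setdefault(ref.group(1), []).append(ref.group(2))
    return result


def entitlements_on_attribute(entitlements: List[dict], source_id: str, attribute: str) -> List[dict]:
    """Keep only entitlements of the given source that hang off the given schema attribute."""
    return [e for e in entitlements
            if e.get("source", {}).get("id") == source_id and e.get("attribute") == attribute]


def reconcile(parsed: Dict[str, object], entitlements: List[dict], source_id: str) -> Dict[str, object]:
    """Split the managed attributes named in the error into those visible in the listing and those not.
    The ones you cannot see in the listing are the ones you cannot clean up yourself."""
    on_attr = entitlements_on_attribute(entitlements, source_id, str(parsed["attribute"]))
    visible = {e["value"] for e in on_attr}  # managed attributes are keyed on value (assumption)
    refs: Dict[str, List[str]] = parsed["references"]  # type: ignore[assignment]
    named = refs.get("managed attribute", [])
    return {
        "visible": [n for n in named if n in visible],
        "not_visible": [n for n in named if n not in visible],
        "other_references": {k: v for k, v in refs.items() if k != "managed attribute"},
    }


def fetch_entitlements(base_url: str, token: str, source_id: str) -> List[dict]:
    """Page through GET /beta/entitlements for one source.
    Endpoint, filter syntax and offset/limit paging are assumptions; not called by the offline demo."""
    out: List[dict] = []
    offset, limit = 0, 250
    while True:
        query = urllib.parse.urlencode(
            {"filters": f'source.id eq "{source_id}"', "offset": offset, "limit": limit})
        req = urllib.request.Request(f"{base_url}/beta/entitlements?{query}",
                                     headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        out.extend(page)
        if len(page) < limit:
            return out
        offset += limit


if __name__ == "__main__":
    parsed = parse_delete_error(ERROR_TEXT)
    print(json.dumps(reconcile(parsed, SAMPLE_ENTITLEMENTS, "src-google"), indent=2))
```

Run against a real listing (swap `SAMPLE_ENTITLEMENTS` for the result of `fetch_entitlements` with a tenant base URL and a bearer token obtained via the tenant's OAuth client-credentials flow), the `not_visible` list is what you quote in the ticket, and `other_references` shows whether the "attribute sync configuration" reference is still being reported even though sync is not configured.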
Hey Krishna,
I’m not able to remove the Role attribute because there are managed attributes (entitlement objects of type Role) that exist. As you can see in the error I posted, that is what I get if I try to remove the attribute “Role” from the account schema. I’ve already removed the entitlement type for Role. I think I first need to delete those individual entitlements, but have no clue how I can delete entitlements.
If I use the API or UI to delete the attribute “Roles” from Google, I get that same error as in my OP.
I’ve even removed Entitlement from this attribute and that did nothing.
Oh, and in the error it mentions that it is referenced by “attribute sync configuration”. It is not. Attribute sync is not configured for this source.
That would probably work, but then I need to update all Access Profiles that contain Google Groups from this source. I really only want to delete entitlements of type Role. I’m really surprised this is not possible. Also, after resetting, those next aggregations are new and take a very long time to complete.