In our SB environment, several entitlement access requests have failed. During each refresh, ISC attempts to provision the same entitlement but fails with the same error. We are unable to cancel the request from the request catalog, as the request has already failed, and we cannot revoke it from the entitlement tab since it was never assigned to the user. How can we resolve this issue or cancel the request to stop the repeated reprovisioning attempts? Is resetting the entitlement the only solution?
Hi @sajjan_rashmi ,
Welcome to SailPoint Developer Community.
can you please tell, what’s the error you are seeing on the tenant for these entitlement requests?
Ideally, if there is any role with a criteria that satisfies the condition then SailPoint ISC will try to provision underlying access profiles/entitlements to the identity if they are not provisioned previously.
Check for the role which contains this entitlement or access profile that is being provisioned for that specific identity.
I hope this helps.
Thanks,
Vijay
We requested for the entitlement directly as part of testing and not through a role/Access Profile. The access request is failed due to some constraints at the application end. However, every time the refresh runs ISC tries to reprovision the entitlement as it was requested through ISC. We don’t want this reprovision to happen during every refresh.
I wanted to understand if there is anyway we can stop this reprovision from happening. We are unable to revoke the entitlement to stop this activity as it does not show up on the identity at all.
When access request is completed, were you able to see any error on the request once ISC sent the provision request to target? or does it show status as “Completed” without any error on the request?
Hi @sajjan_rashmi,
I believe resetting the source entitlements would be the solution here, since IDN would keep the user-entitlement mapping sticky as long as the entitlement exist in the system. When you reset and aggregate, the mapping should get removed as the entitlement ID gets updated.
Keep in mind, this would delete all of your access profiles associated with the source.
The request failed initially and keeps failing in every refresh.
@jesvin90 I was thinking the same as well. Thank you for confirming!