During certification, an AD entitlement was allowed for two days, and after two days it was removed automatically. Then it was added through AD. A few days later, it was again removed automatically. Was this right?
Hi @ksuneeth85 - could you explain more about the behavior here?
If the entitlement was approved by the reviewer and it got removed after that, you will have to check the transaction log for that particular user, where it was removed by certification. Can you check the provisioning transaction, filtering on the identity and with source as Certification? Is this what your query is?
Hi @ksuneeth85 - Could you please elaborate on your query.
@ksuneeth85 Is it happening only once? I mean: after the auto removal post 2 days, if the AD group is assigned outside IIQ, then IIQ removes it. But if you add it back again, does it remove it again?
Also, after the first removal, could you please check the user in debug and look for the MitigationExpirations entry, and please share those details here. It stores the info about when the mitigation will expire and what action you have set.
Note: Found a fix? Help the community by marking the comment as the solution. Feel free to react with an emoji to show your appreciation, or message me directly if your problem requires a deeper dive.
I have checked the mitigation expiration and it still has the old sunset date. The scenario is this: the manager allowed one group until Jan 19 during certification. So on Jan 19 the group was removed automatically, since we have chosen deprovisioning of allowed items. Then on Jan 20, the AD group was added through the AD backend. All was working well. On Feb 11, somehow, the same group access was removed. Here are the MitigationExpiration and the provisioning transaction:
<?xml version='1.0' encoding='UTF-8'?>
<MitigationExpiration action="NOTHING" comments="remove" created="1766168408328" expiration="1768845861135" id="a8424bd49b171821819b37d731083e53" lastActionDate="1768928400926" modified="1768928400955" significantModified="1768928400955">
<ActionParameters>
<Map>
<entry key="sunset">
<value>
<Date>1768845861135</Date>
</value>
</entry>
</Map>
</ActionParameters>
<CertifiableDescriptor>
<EntitlementSnapshot application="Active Directory" displayName="ertttt" nativeIdentity="CN=xxxx">
<Attributes>
<Map>
<entry key="memberOf" value="CN=group1"/>
</Map>
</Attributes>
</EntitlementSnapshot>
</CertifiableDescriptor>
<CertificationLink completed="1766168312548" id="a8424bd59b17189c819b30cef4ef766a" identitySnapshotId="a8424bd59b17189c819b2f4fd80479cf" modified="1766168312554" type="Identity">
<Certifiers>
<String>ABC</String>
</Certifiers>
</CertificationLink>
<IdentityRef>
<Reference class="sailpoint.object.Identity" id="28c2d22957afba250157b0021bba07ed" name="xyz"/>
</IdentityRef>
</MitigationExpiration>
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningTransaction PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningTransaction accountDisplayName="xyz" applicationName="Active Directory" created="1770761419155" id="a8424bd59c371de5819c499af99302a5" identityDisplayName="dipslayname" identityName="xyz" integration="Active Directory" modified="1770761419164" name="1111111" nativeIdentity="CN=xxxx" operation="Modify" significantModified="1770761419164" source="LCM" status="Success" type="Auto">
<Attributes>
<Map>
<entry key="request">
<value>
<AccountRequest application="Active Directory" nativeIdentity="CN=xxxx" op="Modify" targetIntegration="Active Directory" trackingId="544ab14f2cbc4a18b098025ab1e296bb">
<Attributes>
<Map>
<entry key="provisioningTransactionId" value="a8424bd59c371de5819c499af99302a5"/>
</Map>
</Attributes>
<AttributeRequest name="memberOf" op="Remove" trackingId="544ab14f2cbc4a18b098025ab1e296bb" value="CN=group1">
<Attributes>
<Map>
<entry key="assignment" value="true"/>
<entry key="preferRemoveOverRetain">
<value>
<Boolean>true</Boolean>
</value>
</entry>
</Map>
</Attributes>
</AttributeRequest>
<ProvisioningResult status="committed"/>
</AccountRequest>
</value>
</entry>
</Map>
</Attributes>
</ProvisioningTransaction>
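To check the suspicion raised in this thread (does the Feb 11 removal line up with the Jan 19 sunset in the MitigationExpiration, and what does the transaction's source say?), here is a small triage script. It is an added example, not SailPoint code or the poster's: the XML samples are trimmed copies of the objects posted above with the same timestamps, and the two-day grace window after the sunset is an assumption.

```python
"""Correlate an IIQ MitigationExpiration sunset with AD group removals in ProvisioningTransactions."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Constructed samples: trimmed copies of the objects posted in this thread, same timestamps.
MITIGATION_XML = """<MitigationExpiration action="NOTHING" created="1766168408328"
    expiration="1768845861135" lastActionDate="1768928400926">
  <CertifiableDescriptor>
    <EntitlementSnapshot application="Active Directory" nativeIdentity="CN=xxxx">
      <Attributes><Map><entry key="memberOf" value="CN=group1"/></Map></Attributes>
    </EntitlementSnapshot>
  </CertifiableDescriptor>
</MitigationExpiration>"""

TRANSACTION_XML = """<ProvisioningTransaction applicationName="Active Directory"
    created="1770761419155" nativeIdentity="CN=xxxx" operation="Modify" source="LCM">
  <Attributes><Map><entry key="request"><value>
    <AccountRequest application="Active Directory" nativeIdentity="CN=xxxx" op="Modify">
      <AttributeRequest name="memberOf" op="Remove" value="CN=group1"/>
    </AccountRequest>
  </value></entry></Map></Attributes>
</ProvisioningTransaction>"""

def ms_to_utc(ms):
    """IIQ stores dates as epoch milliseconds; convert to an aware UTC datetime."""
    return datetime.fromtimestamp(int(ms) / 1000, tz=timezone.utc)

def mitigation_info(xml_text):
    """Sunset date, when the expiration scan last acted, and the item the mitigation covers."""
    root = ET.fromstring(xml_text)
    snap = root.find("CertifiableDescriptor/EntitlementSnapshot")
    entry = snap.find("Attributes/Map/entry")
    return {"sunset": ms_to_utc(root.get("expiration")),
            "acted": ms_to_utc(root.get("lastActionDate")),
            "item": (snap.get("nativeIdentity"), entry.get("key"), entry.get("value"))}

def removals(xml_text):
    """Every AttributeRequest with op="Remove" in a ProvisioningTransaction, with its source."""
    root = ET.fromstring(xml_text)
    when, source = ms_to_utc(root.get("created")), root.get("source")
    for ar in root.iter("AttributeRequest"):
        if ar.get("op") == "Remove":
            yield {"when": when, "source": source,
                   "item": (root.get("nativeIdentity"), ar.get("name"), ar.get("value"))}

def explained_by_mitigation(mit, removal, window=timedelta(days=2)):
    """True only if the removal hits the mitigated item within `window` after the sunset
    (the window is an assumption: the expiration scanner may run hours after the sunset)."""
    return (mit["item"] == removal["item"]
            and mit["sunset"] <= removal["when"] <= mit["sunset"] + window)
```

With the posted values, the sunset resolves to 2026-01-19 and the lastActionDate to 2026-01-20 (inside the window), while the source=LCM removal resolves to 2026-02-10 UTC (Feb 11 locally), three weeks past the sunset and therefore not explained by this mitigation.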
@ksuneeth85 How did you relate the 2nd removal on Feb 11 to the certification mitigation? The source is marked as LCM; if it were certification remediation, it should be marked as Certification.
Could you please check your production environment in case it was removed by some other module, like a custom task, events, etc.
No sir, I have tested that in a lab environment. The source is coming as LCM for mitigation removal as part of certification. This is another user I have tested:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE ProvisioningTransaction PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<ProvisioningTransaction accountDisplayName="ssss" applicationName="Active Directory" created="1771593164999" id="a8427b269c581053819c7b2e68c731f4" identityDisplayName="My Name" identityName="ssss" integration="Active Directory" modified="1771593165018" name="0000538242" nativeIdentity="CN=AD" operation="Modify" significantModified="1771593165018" source="LCM" status="Success" type="Auto">
<Attributes>
<Map>
<entry key="request">
<value>
<AccountRequest application="Active Directory" nativeIdentity="CN=AD" op="Modify" targetIntegration="Active Directory">
<Attributes>
<Map>
<entry key="provisioningTransactionId" value="a8427b269c581053819c7b2e68c731f4"/>
</Map>
</Attributes>
<AttributeRequest name="memberOf" op="Remove" value="CN=group1">
<Attributes>
<Map>
<entry key="assignment" value="true"/>
</Map>
</Attributes>
</AttributeRequest>
<ProvisioningResult status="committed"/>
</AccountRequest>
</value>
</entry>
</Map>
</Attributes>
</ProvisioningTransaction>
One more thing I have observed: it is creating a new attribute assignment with an end date for the items which are allowed until a future date during certification.
<AttributeAssignment applicationId="a8427b358e7b1649818e84ebfafc5541" applicationName="xyz" assigner="spadmin" endDate="1771528089604" name="memberOf" nativeIdentity="abc" source="Certification"…
@ksuneeth85 Let's connect over a call to discuss this further. Please let me know when and how to connect (need to figure out; maybe via Teams).