Certification has a label as "Item is revoked but has not been removed"

Which IIQ version are you inquiring about?

8.X


Hi all,

We are seeing a label as “Item is revoked but has not been removed” under the certification item. Is this because of any manual deprovisioning action to be undertaken? Any suggestions?

Regards,
Rabin

This generally comes when the closed loop is not completed.

For example, let's say you are doing a certification on a disconnected application and, as part of the access review, the system created a manual work item. If someone takes action and the new file is not reconciled, then this message will be visible.


Hi @rabshrestha

As a certification is a snapshot in time, if the aggregation/remediation scan is not completed within the revocation period, that explains why the status would still have that in the certification. So the conditions which exist during the timing of the certification are the only considered state.

If the aggregation/remediation scan happens outside the timing of the certification, the certification will not be updated any further.

You can verify what you have set for this scan interval by going to Configuration -> System Configuration and seeing what is set for remediationScanInterval. The default is 1x a day.

For a detailed conversation about a similar issue, please go through this conversation: https://community.sailpoint.com/t5/IdentityIQ-Forum/IIQ-certification-question-around-Item-was-revoked-but-has-not/m-p/243663

Hope that helps.

Thanks


Hi @rabshrestha

If the above information helped with your question, please accept it as the solution for the thread, so it will be helpful for others and the issue will be closed.

Thanks

@rabshrestha,
Hope your issue is resolved.

Thank you Vishal and Sri for your comments.

A quick info I need is for the events that appear under the Events → Identity Events as follows:

Does such an event populate here any time manual provisioning is required? Any understanding of this behavior will be really helpful.

Hi @rabshrestha

All events related to the identity appear here, whether they are from manual fulfilment or automated LCM events.

Thanks

Actually, I am seeing an unusual behavior with a JDBC Connector for which no provisioning rule/policy is defined nor any integration config for manual workitem fulfilment in our IIQ instance. I am unsure how certification revocation would even work in this case and I was thinking that this is why we are seeing “the Item is revoked but has not been removed” label.
