Targeted certification of a specific role.
In a targeted certification of a specific role, the certifier completed the review and selected “revoke” for certain roles. While the business role was removed as expected, the corresponding IT role remained assigned, which results in it still being detected. This behavior does not align with the intended outcome.
Expected behavior:
When a role is revoked, the associated IT role should also be deprovisioned. In this case, the role is configured in a 1:1 relationship with the IT role (i.e., one business role maps to one IT role), so revoking the role should automatically trigger removal of the linked IT role.
Have you tried running an Identity Refresh after the certification was completed?
Sometimes the role and entitlement changes are not fully reflected until an Identity Refresh is run with options such as “Refresh assigned, detected roles and promote additional entitlements” and “Provision assignments” enabled.
Hi @gabs, when a Business Role is removed from an identity in SailPoint IIQ but the IT Role still remains, there can be a couple of scenarios explaining this behavior:
Scenario 1: The entitlement associated with the removed Business Role is also part of another IT Role already assigned to the identity. In this case, the entitlement is still valid through that IT Role, so neither the entitlement nor the IT Role gets removed.
Scenario 2: The entitlement was assigned to the identity before the IT Role was detected or linked. Later, SailPoint identifies the entitlement and maps it to an IT Role. Since the entitlement is the source, the IT Role becomes derived from it. Therefore, removing the Business Role does not remove the IT Role.
Note:
In both cases, the IT Role cannot be removed directly because it is still justified by the entitlement. To remove the IT Role, the underlying entitlement must be removed first. Once the entitlement is removed, the IT Role will automatically be deprovisioned.
Yes, what Jaganmohan said is correct. However, there may be a way to resolve this issue. Let me try to recreate the same scenario in my environment, and I’ll come back with my findings.
@gabs If the business role is assigned from IIQ, which assigns all of its IT roles and entitlements, then on removal it will remove these associations. If the entitlement(s) were assigned outside business roles, then it will not remove them.
Another possible case is that the same entitlements are part of some other business role-IT role association, or the IT role is shared across multiple business roles.
Could you please check and share the identity XML on which the role is not properly removed?
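The two explanations given above (the entitlement being shared with another assigned IT role, and the entitlement already existing on the account before the role was assigned) can be worked through in a small model. The following Python is an added illustration, not SailPoint IIQ code and not something posted by anyone in this thread. The role and entitlement names, the "justification" bookkeeping per entitlement, and the detection rule (an IT role is detected when every one of its entitlements is held) are assumptions made for the example; IIQ's real role model is richer than this.

```python
"""Simplified model of why an IT role can stay detected after a business
role is revoked in a certification.

Added illustration, not SailPoint IIQ code. The data model, the role and
entitlement names, and the detection rule (an IT role is detected when
every one of its entitlements is held on the identity's accounts) are
assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

# (application, attribute, value), e.g. an AD group membership.
Entitlement = Tuple[str, str, str]


@dataclass(frozen=True)
class ITRole:
    name: str
    entitlements: FrozenSet[Entitlement]


@dataclass(frozen=True)
class BusinessRole:
    name: str
    it_roles: FrozenSet[str]  # names of the IT roles this business role provisions


@dataclass
class Identity:
    assigned_business_roles: Set[str]
    # held entitlement -> what justifies it: a business role name, or "direct"
    # when the value was already on the account before any role was assigned
    entitlements: Dict[Entitlement, Set[str]] = field(default_factory=dict)


# Constructed sample catalog (assumed names, not from any real environment).
FIN_READERS: Entitlement = ("Active Directory", "memberOf", "CN=Fin-Readers,OU=Groups,DC=example,DC=com")
PAYROLL_ADMIN: Entitlement = ("SAP", "profile", "PAYROLL_ADMIN")

IT_ROLES = {
    "IT-Finance-Readers": ITRole("IT-Finance-Readers", frozenset({FIN_READERS})),
    "IT-Payroll-Admins": ITRole("IT-Payroll-Admins", frozenset({FIN_READERS, PAYROLL_ADMIN})),
}
BUSINESS_ROLES = {
    "Finance Analyst": BusinessRole("Finance Analyst", frozenset({"IT-Finance-Readers"})),
    "Payroll Administrator": BusinessRole("Payroll Administrator", frozenset({"IT-Payroll-Admins"})),
}


def detected_it_roles(identity: Identity) -> Set[str]:
    """Detection looks only at held entitlements, never at role assignments."""
    held = set(identity.entitlements)
    return {r.name for r in IT_ROLES.values() if r.entitlements <= held}


def revoke_business_role(identity: Identity, revoked: str):
    """Remove the business role and deprovision only those entitlements that no
    remaining justification still explains. Returns (removed, retained), where
    retained maps each kept entitlement to the justifications that kept it."""
    if revoked not in identity.assigned_business_roles:
        raise ValueError(f"{revoked!r} is not assigned to this identity")
    identity.assigned_business_roles.discard(revoked)
    removed: Set[Entitlement] = set()
    retained: Dict[Entitlement, Set[str]] = {}
    for it_name in BUSINESS_ROLES[revoked].it_roles:
        for ent in IT_ROLES[it_name].entitlements:
            sources = identity.entitlements.get(ent)
            if sources is None:
                continue  # required by the role but never actually provisioned
            sources.discard(revoked)
            if sources:
                retained[ent] = set(sources)  # still justified by something else
            else:
                removed.add(ent)
                del identity.entitlements[ent]
    return removed, retained


def run_scenario(name: str) -> dict:
    """Build one of three constructed identities, revoke 'Finance Analyst' on it
    and report what is deprovisioned and which IT roles are still detected."""
    if name == "clean":  # the 1:1 case the original poster expected
        ident = Identity({"Finance Analyst"}, {FIN_READERS: {"Finance Analyst"}})
    elif name == "shared":  # scenario 1: entitlement also in another assigned IT role
        ident = Identity({"Finance Analyst", "Payroll Administrator"},
                         {FIN_READERS: {"Finance Analyst", "Payroll Administrator"},
                          PAYROLL_ADMIN: {"Payroll Administrator"}})
    elif name == "preexisting":  # scenario 2: entitlement was on the account first
        ident = Identity({"Finance Analyst"}, {FIN_READERS: {"direct", "Finance Analyst"}})
    else:
        raise ValueError(name)
    removed, retained = revoke_business_role(ident, "Finance Analyst")
    return {"removed": removed, "retained": retained, "detected_after": detected_it_roles(ident)}


if __name__ == "__main__":
    for scenario in ("clean", "shared", "preexisting"):
        print(scenario, run_scenario(scenario))
```

In the "clean" case the revoke removes the only entitlement and the IT role stops being detected. In the "shared" and "preexisting" cases the entitlement survives the revoke because another justification still explains it, so the IT role is re-detected on the next refresh; this is why the identity XML is useful, since it shows whether the leftover entitlement is tied to another assigned role or has no role source at all.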