Creation of duplicate accounts during Role Assignment

ismaelmoreno1 · June 15, 2022, 1:51pm

Hi all,

We are facing a account duplicated issue during Identity Refresh task.
This issue happens when identities accounts have been deleted due to identity change to leaver status. After that when identities are reactivated, Refresh task evaluate the assigned roles and two account request are generated with operation ‘Create’ : One account request based on assigned role and other account Request which we do not know why is generated.

The business role have a IT role as required and and IT role has AD application as target system

Any idea of this issue?

Thanks in advance,
Ismael

ismaelmoreno1 · June 16, 2022, 10:48am

Hi all,

Regarding to this issue. I ve noticed that,in the identity, roleAssignments entry keep the reference of the deleted account

  <entry key="roleAssignments">
    <value>
      <List>
        <RoleAssignment assigner="spadmin" assignmentId="2a8b725a3c274b069e924b6595117984" date="1655315559995" roleId="0a2680fd814d19c281816274f37c2120" roleName="ECI_BR_Rol AD base" source="LCM">
          <RoleTarget applicationId="0a2680f77d281464817d2f06f7ed0b0b" applicationName="AD" nativeIdentity="CN=usertest,OU=Server,DC=domain,DC=corp"/>
        </RoleAssignment>
      </List>
    </value>
  </entry>

Is the are any way to remove this reference when account is removed?. I afraid that this reference is causing the duplicated operation of Create

mohammed_mudhir · July 2, 2022, 12:43am

Did you find a solution to this? My thought would be to add a step in the leaver process to deassign / remove the roles.
I’m just wondering were the accounts deleted by SailPoint our outside?

ismaelmoreno1 · August 4, 2022, 2:55pm

Hi @mohammed_mudhir ,

After analysis we detected that this issue was caused during refresh task with following options selected

Refresh identity attributes
Refresh assigned, detected roles and promote additional entitlements
Provision assignments
Synchronize attributes
Refresh assigned scope
Process events
Enable partitioning

We noticed that when Synchronize attributes and Provision assignments options are selected in the same task, both options are in conflict, so, we removed Refresh assigned and Provision assignments options from this refresh task and we created another refresh task only with these options

Topic		Replies	Views
Old entitlements are added back after Refresh IIQ Discussion and Questions identityiq	3	1254	August 8, 2023
How to enable "Provision Assignments refresh option" IIQ Discussion and Questions identityiq , provisioning	9	359	December 8, 2023
Role Assignment Question IIQ Discussion and Questions	5	2606	July 19, 2023
Even after successful provisioning Create Account Operations are triggered ISC Discussion and Questions	12	4745	July 19, 2023
Sequential Provisioning Discussion ISC Discussion and Questions identity-security-cloud , provisioning	7	251	January 21, 2024

Creation of duplicate accounts during Role Assignment

Related Topics