Hi all,
We are facing a account duplicated issue during Identity Refresh task.
This issue happens when identities accounts have been deleted due to identity change to leaver status. After that when identities are reactivated, Refresh task evaluate the assigned roles and two account request are generated with operation ‘Create’ : One account request based on assigned role and other account Request which we do not know why is generated.
The business role have a IT role as required and and IT role has AD application as target system
Any idea of this issue?
Thanks in advance,
Ismael
Hi all,
Regarding to this issue. I ve noticed that,in the identity, roleAssignments entry keep the reference of the deleted account
<entry key="roleAssignments">
<value>
<List>
<RoleAssignment assigner="spadmin" assignmentId="2a8b725a3c274b069e924b6595117984" date="1655315559995" roleId="0a2680fd814d19c281816274f37c2120" roleName="ECI_BR_Rol AD base" source="LCM">
<RoleTarget applicationId="0a2680f77d281464817d2f06f7ed0b0b" applicationName="AD" nativeIdentity="CN=usertest,OU=Server,DC=domain,DC=corp"/>
</RoleAssignment>
</List>
</value>
</entry>
Is the are any way to remove this reference when account is removed?. I afraid that this reference is causing the duplicated operation of Create
Did you find a solution to this? My thought would be to add a step in the leaver process to deassign / remove the roles.
I’m just wondering were the accounts deleted by SailPoint our outside?
Hi @mohammed_mudhir ,
After analysis we detected that this issue was caused during refresh task with following options selected
- Refresh identity attributes
- Refresh assigned, detected roles and promote additional entitlements
- Provision assignments
- Synchronize attributes
- Refresh assigned scope
- Process events
- Enable partitioning
We noticed that when Synchronize attributes and Provision assignments options are selected in the same task, both options are in conflict, so, we removed Refresh assigned and Provision assignments options from this refresh task and we created another refresh task only with these options