CyberArk SaaS Connector – Account disables successfully but entitlements not removed when last role is revoked

Hi all,

I’m working on the CyberArk Privilege Cloud Shared Services (SaaS) connector and have configured the following BeforeProvisioning event use cases for the source:

1. When the last entitlement is removed → disable the CyberArk account.

2. When the first entitlement is added → enable the CyberArk account (if currently disabled).

3. When the identity’s cloudLifecycleState = terminatedpost7d → remove all entitlements from the CyberArk account.

Entitlements in this source are directly linked with roles, meaning when a role is removed, its entitlement is automatically revoked from the identity.

However, I’m facing an issue:

• When I remove the role containing the last entitlement, the CyberArk account is successfully disabled, and the role is removed — but the entitlement remains on the account.

I have attached the event configuration in my current cloudServicesIDNSetup configuration.

Event configuration_cloudServicesIDNSetup.txt (2.2 KB)

Issue:
When the last role (and therefore the last entitlement) is removed:

• The CyberArk account gets disabled as expected.

• The role is removed successfully.

• But the entitlement remains on the CyberArk account instead of being revoked.

what’s the recommended way to ensure that the entitlement is also removed, would appreciate any guidance or examples from others who have faced similar issue.

Thanks!

Is the entitlement granted via Access Request? Or assigned via Birth right role?

Hi @iamology, it is granted via Access Request.

Entitlements granted via Access Request (generally called sticky entitlements) do not get removed by RemoveEntitlements. Try with RemoveStickyEntitlements option

{
     "Action": "RemoveStickyEntitlements",
     "Attribute": "groups",
     "Value": null
}

Also, make sure the SSI rule you have deployed has this option included