Does adding a new entitlement to an existing Access Profile cause deprovisioning of existing access temporarily?


My understanding is that updates made to access profiles that are tied to roles do flow downstream to the target systems if the change is a net new addition of an entitlement. Please correct me if I’m wrong.

We’re seeing a client observe a behavior in production where upon updating an existing access profile to add a new entitlement, there was temporary revocation of existing access followed by re-provisioning of the existing access with the added entitlement. This access profile is tied to a role.

There was no change made to the role membership criteria, and there was no removal of entitlements from the access profile either. Also, I believe removing entitlements from an access profile does not affect existing users with the entitlements assigned via the access profile (i.e. they do not get their entitlement revoked), but please let me know if that’s incorrect.

Is there ever a scenario where changing an access profile tied to a role causes deprovisioning followed by re-provisioning of access?

As per my understanding, it should not deprovision any access at all for changes to an access profile. The same is mentioned in the documentation as well.

When you hit Apply Changes, you may have seen temporary deprovisioning if you had some roles configured for those and they momentarily didn’t meet role criteria, but they actually do, and so the system removes them and adds them again within a fraction of time. A rare possibility, but it could happen.

If you are able to reproduce the issue or are seeing it happen often, do open a Support ticket to get this resolved for your tenant.

