Duplicate accounts creation in AD via sailpoint

If you are using the Services Standard Rule / Before Provisioning Rule, you could disable account creation when the lifecycle state shouldn't be creating accounts.

Services Standard Before Provisioning Rule - Identity Security Cloud (ISC) / ISC Discussion and Questions - SailPoint Developer Community
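The kind of guard the reply above describes, written out as an added BeanShell (Java-syntax) example; it is not code from this thread and not SailPoint's published Services Standard rule. It assumes the rule inputs `plan` (sailpoint.object.ProvisioningPlan), `application` (sailpoint.object.Application) and `log` that ISC passes to a Before Provisioning Rule, that `plan.getIdentity()` and `plan.remove(AccountRequest)` are available from the sailpoint.object model, and that the attribute name `cloudLifecycleState` and the blocked state value `phase2` match the tenant (both are placeholders to adjust). It drops any Create request for the AD source while the identity is in a state that should not create accounts, which stops the duplicate account even if an access profile is still being re-linked upstream.

```java
// Added example, not from the thread and not SailPoint's own Services Standard rule.
// Assumptions: inputs `plan`, `application`, `log` are supplied by ISC;
// ProvisioningPlan.getIdentity() and ProvisioningPlan.remove(AccountRequest) exist;
// "cloudLifecycleState" and "phase2" are placeholders for the tenant's values.
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;

// Lifecycle states in which a new AD account must never be created (constructed list).
List blockedStates = new ArrayList();
blockedStates.add("phase2");

Identity identity = plan.getIdentity();   // assumption: the plan carries the identity
String lcs = (identity == null) ? null : (String) identity.getAttribute("cloudLifecycleState");

if (lcs != null && blockedStates.contains(lcs.toLowerCase())) {
    List accountRequests = plan.getAccountRequests();
    if (accountRequests != null) {
        // Collect first, then remove, so the list is not modified while iterating.
        List toRemove = new ArrayList();
        for (int i = 0; i < accountRequests.size(); i++) {
            AccountRequest ar = (AccountRequest) accountRequests.get(i);
            boolean isCreate = AccountRequest.Operation.Create.equals(ar.getOperation());
            // Only act on this source; other sources keep their own rules.
            boolean isThisSource = application.getName().equals(ar.getApplication());
            if (isCreate && isThisSource) {
                toRemove.add(ar);
            }
        }
        for (int i = 0; i < toRemove.size(); i++) {
            AccountRequest ar = (AccountRequest) toRemove.get(i);
            // Logging the block leaves an audit trail for the duplicate-account investigation.
            log.info("Blocked account Create on " + application.getName()
                     + " for identity " + identity.getName()
                     + " in lifecycle state " + lcs);
            plan.remove(ar);   // assumption: ProvisioningPlan.remove(AccountRequest)
        }
    }
}
```

This is a last-line control in the provisioning path; it does not fix why the access profile is being re-linked, so the root cause in the thread (birthright access profile assignment, sticky entitlement, or the group script) still needs to be traced separately.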

When the lifecycle state changes from phase1 to phase2 we move the account into the disabled OU; after that, all access/groups associated with the account are removed via workflow.

After that, some groups are getting added to the profile. A few are related to a script which has nothing to do with the lifecycle state, but there is one more group (Access Profile) which is getting assigned even though there are no criteria set in it.

Is it possible that, after moving the account into the disabled OU, the workflow is removing all groups including birthright, so SailPoint is not understanding here?

So let me try to summarize:

  1. New user gets created. Role with membership criteria and access profile is getting added to create the AD account. LCS is Phase 1.
  2. User is terminated. LCS changed to Phase 2. User is getting moved to the disabled OU.
  3. Role is removed because user no longer meets criteria.
  4. AD groups are removed through workflow.
  5. New Access Profile is getting assigned which is triggering a new account to be created.

The new Access Profile is not part of an assigned role and is not part of any LCS. Is this correct?

Is it possible that your script to add groups for Phase 2 is adding the same group in the Access Profile?

Does this Access Profile only have one entitlement?

"The new Access Profile is not part of an assigned role and is not part of any LCS. Is this correct?"
No, the access profile is part of the birthright role, but the role is not getting assigned to the account; the access profile does get assigned even though there are no criteria.

"Is it possible that your script to add groups for Phase 2 is adding the same group in the Access Profile?"
Those groups are not getting added as per LCS and they are not linked with any access profiles. It's just a script: if any user completed the course, SailPoint receives that file on the IQ server, reads it and assigns the groups.

"Does this Access Profile only have one entitlement?"
Yes.

Hi Faizullah,
I think you may be seeing an issue of Sticky Entitlement. Can you let us know if you have access request enabled and are requesting the entitlement for the user?

Thanks
Rakesh

Yes, access request is enabled for the access profile but not for the entitlement.

I am thinking on the same lines as Rakesh. One of two things may be happening:

  1. The user has the group assignment in AD or is getting it from some external process. When this entitlement is aggregated from AD, if the Access Profile only has this one entitlement, the Access Profile will be "assigned" as the user already has the entitlements that are included.

or

  2. This entitlement was directly assigned by ISC at some point. If it is not requested to be removed it will persist and even be reassigned to the user if it is removed. If it is getting reassigned, after aggregation the access profile will also be linked, as the user has the entitlement(s) included in the access profile.

Those are getting assigned via script, but somehow SailPoint is not recognizing the account which is in the disabled OU, and because of that a new account is getting created.
