Entitlement does not remove from IdentityCube and Role after entitlement deleted

IdentityIQ (IIQ) IIQ Discussion and Questions
,
1

Which IIQ version are you inquiring about?

8.4

Hi Expert,

Currently, in our environment, we have a quicklink form and workflow to handle entitlement deletion. Users interact with the quicklink by inputting the necessary data into the form, and the workflow performs the entitlement (AD security group) deletion in Active Directory.

Everything works fine for the workflow to delete the entitlement on the endpoint. However, when I check the role or identity, the entitlement still appears in the identity and role, even though it no longer exists in the entitlement catalog or on the endpoint.

Looking forward for everyone’s insight!

Here is some screenshots:

Before delete entitlement:

image
image1692×680 32.4 KB

After delete entitlement:

image
image1692×683 33.3 KB

2

Hi @Bernardc - You can remove the entitlement from the endpoint, but you will also need to remove the role from IIQ since it was assigned. Add that step to your workflow.

3

Hi Ryan,

Here is the things, in most cases, the role contain multiple entitlements and the role should be remain, just deleting the unwanted entitlement.

Regards,

Bernard Chiew

4

Are you running a targeted aggregation and refresh on the user with ‘refresh detected and assigned roles’?

5

Hi @ryan_toornburg ,

Yes, it is enabled.
image

Also, if I check in my role. I will still see the entitlement.

image
image2430×364 19.2 KB

6

Hi @ryan_toornburg ,

Yup… after group aggregation, the entitlement will disappear from identity cube. But still exist in role.

image
image1043×382 17.7 KB

7

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.