Entitlement is getting added back even after role revocation

Hi Experts,

We have a requirement where we are removing a requestable role via a workflow that triggers on identity termination. We are observing that the role and entitlement are getting revoked, but at the same time the entitlement gets reassigned to the user.

Any help on this issue is appreciated.

Thanks.

Hello @BhawnaAgrawal

The entitlement which is reassigned to the user, is this part of the role?
Was this entitlement previously assigned through an "Entitlement request" and not through the role?

The reassigned entitlement is part of the role, and the role is requestable. The role is therefore removed via the workflow. We can see the events for the role and entitlement revocation, but there is also an event for the entitlement addition.

You can check whether this could be due to Sticky Entitlements.
Also try a Cert Campaign to remove the pending access items in the workflow to handle such scenarios and see whether it helps. Refer here: Workflow to remove ALL leavers' standing access

Was this entitlement previously assigned through an "Entitlement request" and not through the role?

The entitlement is assigned through a role request.

Does the role have an Access Profile associated with the revoked entitlement, or is it a direct role-to-entitlement mapping? Does the identity have any other role or Access Profile that includes the same entitlement?

The role has a direct mapping to the entitlement, and there is no other role or access profile with a matching entitlement.

@BhawnaAgrawal
Apologies if this is a dumb question 😅, but you mentioned that the role is requestable. Just to clarify, is the role being assigned to the user through the Request Center, or is it being provisioned via Role-Based Access?

The role is assigned via the Request Center.

@BhawnaAgrawal

Thank you for your prompt response.

Based on the current details, this does not appear to be related to a sticky entitlement or sticky role issue. As a general note, roles and entitlements assigned through the Request Center must be revoked either via API or through SailPoint certifications. Otherwise, they are likely to be re-provisioned automatically.

In this case, since we are using the API/Manage action within the workflow, it should ideally handle revocation correctly.

Would it be possible to review the re-entitlement addition event details? (Please ensure any sensitive data is masked.)

Also, a few quick clarifications:

  • Has the revocation been tested outside the workflow loop, for example through certifications?
  • Which specific action is being used in the workflow to handle the role revocation?

Appreciate your insights on this.

Hi Bhawna,
Can you share what app and what entitlement you’re seeing the issue on?
Some apps have entitlements which cannot be removed. As an example, AD cannot have ‘Domain Users’ removed, and Salesforce profiles must retain a value and cannot be set to null.

If this is the case with your app, even if the entitlement is removed (though it will probably throw an error if you check the event logs), it will end up reassigned at the next aggregation.

Lastly, can you confirm if you have any access profiles as part of your identity profile settings? This could be another cause for the entitlement being reassigned to the user.

Thanks,
Margo
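The two diagnostic suggestions in the thread, revoking the request-center role through the access-request API rather than by editing the account, and checking whether any other role or access profile (or a direct grant) still carries the same entitlement, can be scripted. The block below is an added example and is not code from the thread, from SailPoint, or from any poster. It builds the `POST /v3/access-requests` body with `requestType: REVOKE_ACCESS` (the public ISC v3 shape), walks a pre-joined access list for other grant paths, and scans a constructed event timeline for an entitlement addition that follows its removal, which is what the "entitlement addition" event in the original post looks like. The tenant host, identity and item IDs, and the pre-joined `entitlements` field on each role/access profile are assumptions for illustration; in a real tenant you would fetch role contents from the roles endpoint and join them yourself.

```python
"""Added example (not from the thread or from SailPoint): revoke a requestable
role through the ISC access-request path and look for why an entitlement
comes back after revocation. All IDs and the tenant host are placeholders."""
import json
import urllib.request

ISC_BASE = "https://example.api.identitynow.com"  # assumed tenant host (placeholder)


def build_revoke_request(identity_id: str, role_id: str, comment: str) -> dict:
    """Body for POST /v3/access-requests revoking one requestable role.

    Access granted through the Request Center should be removed through this
    path (or a certification); editing the account attribute directly leaves
    the request-center assignment in place and it is re-provisioned.
    """
    return {
        "requestedFor": [identity_id],
        "requestType": "REVOKE_ACCESS",
        "requestedItems": [{"type": "ROLE", "id": role_id, "comment": comment}],
    }


def send_revoke(token: str, body: dict) -> bytes:
    """Submit the request with a bearer token (not executed in the example)."""
    req = urllib.request.Request(
        f"{ISC_BASE}/v3/access-requests",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:  # pragma: no cover
        return resp.read()


def other_grant_paths(access_items: list, entitlement_id: str,
                      revoked_role_id: str) -> list:
    """Return every access item, other than the role being revoked, that still
    grants `entitlement_id`: a direct entitlement grant, or a role / access
    profile whose (assumed, pre-joined) `entitlements` list contains it."""
    paths = []
    for item in access_items:
        if item["type"] == "ROLE" and item["id"] == revoked_role_id:
            continue
        if item["type"] == "ENTITLEMENT" and item["id"] == entitlement_id:
            paths.append(f"direct ENTITLEMENT {item['name']}")
        elif item["type"] in ("ROLE", "ACCESS_PROFILE") and \
                entitlement_id in item.get("entitlements", []):
            paths.append(f"{item['type']} {item['name']}")
    return paths


def readded_after_revoke(events: list, identity_id: str, value: str):
    """events: constructed (iso_timestamp, identity_id, action, value) tuples.
    Returns the first ADD of `value` that happens after its REMOVE, or None.
    ISO-8601 timestamps in one zone sort correctly as strings."""
    removed_at = None
    for ts, ident, action, val in sorted(events):
        if ident != identity_id or val != value:
            continue
        if action == "REMOVE":
            removed_at = ts
        elif action == "ADD" and removed_at is not None and ts > removed_at:
            return (ts, action, val)
    return None


# Constructed sample data (not real tenant objects).
SAMPLE_ACCESS = [
    {"type": "ROLE", "id": "role-fin-analyst", "name": "Finance Analyst",
     "entitlements": ["ent-gl-read"]},
    {"type": "ACCESS_PROFILE", "id": "ap-fin-readers", "name": "AP-Finance-Readers",
     "entitlements": ["ent-gl-read"]},
    {"type": "ENTITLEMENT", "id": "ent-vpn", "name": "VPN Users"},
]
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00Z", "id-123", "ADD", "GL_READ"),      # original grant
    ("2024-05-01T10:00:00Z", "id-123", "REMOVE", "Finance Analyst"),
    ("2024-05-01T10:00:05Z", "id-123", "REMOVE", "GL_READ"),   # revocation
    ("2024-05-01T10:00:09Z", "id-123", "ADD", "GL_READ"),      # the re-add
]

if __name__ == "__main__":
    print(json.dumps(build_revoke_request("id-123", "role-fin-analyst",
                                          "Leaver: remove standing access"), indent=2))
    print("other grant paths:", other_grant_paths(SAMPLE_ACCESS, "ent-gl-read", "role-fin-analyst"))
    print("re-added after revoke:", readded_after_revoke(SAMPLE_EVENTS, "id-123", "GL_READ"))
```

If `other_grant_paths` returns anything, the re-add is expected: the entitlement is still justified by another role or access profile and the fix is to revoke that item too (or, if the source refuses to drop the value, to treat it as the aggregation case Margo describes). If it returns nothing and `readded_after_revoke` still finds an ADD within seconds of the REMOVE, pull that event's details as the earlier reply asked, since it points at the assignment path that was not revoked.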