Entitlement role relationship

We are currently using SailPoint IdentityIQ version 8.4.

In a scenario where an entitlement is part of a role (bundle), but the entitlement is no longer available or is no longer required (removed from spt_managed_attribute table), what will be the impact on the bundle_profile_relation table?

Specifically, will the entitlement still remain associated with the role, or will it be automatically removed?

The entitlement reference in bundle_profile_relation will not be automatically removed when the managed attribute is deleted from spt_managed_attribute.

IIQ does not enforce referential integrity at the DB level for this relationship, so the association remains intact. The role will continue to reference an entitlement that no longer exists as a managed attribute.

Impact:

  • During provisioning, IIQ will attempt to evaluate or provision a non-existent entitlement, which can lead to inconsistencies.
  • During certification, the entitlement may appear with missing or unresolvable display metadata.
  • Role scoring and correlation may be affected since the entitlement can no longer be matched against identity attributes.

The stale association must be cleaned up manually — IIQ will not handle this automatically.

Welcome to the SailPoint Developer Community, Anubhav.

In IdentityIQ, removing an entitlement from the spt_managed_attribute table does not automatically remove its association from existing roles. The relationship stored in spt_bundle_profile_relation can remain until the role/profile is updated, refreshed, or cleaned up through role maintenance activities.

As a result, the role may still reference the entitlement even though the managed attribute no longer exists. It’s a good practice to review and update affected roles after removing entitlements to avoid orphaned references.

In IIQ 8.4, bundle_profile_relation is maintained by the Role‑Entitlement Associations feature and is automatically refreshed when role profile changes are made.
If an entitlement is removed only from spt_managed_attribute, the role can still keep a stale reference unless the bundle/profile itself is updated and the relation data is refreshed.
So, the entitlement is not guaranteed to be automatically removed from bundle_profile_relation just because the managed attribute row was deleted.
Best practice is to clean up the role profile and then run or allow the Role‑Entitlement Associations / BundleProfileRelation synchronizer to rebuild the correct mapping.

@avarshney9871 Please check this thread: AD entitlement OU update - IdentityIQ (IIQ) / IIQ Discussion and Questions - SailPoint Developer Community
We are discussing a similar thing in that thread as well.
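
An added example, not part of the thread and not SailPoint code: a read-only check that lists role-to-entitlement rows whose managed attribute no longer exists, so the affected roles can be reviewed before cleanup. The two tables are simplified, constructed stand-ins for spt_managed_attribute and spt_bundle_profile_relation; their column names, the sample rows and the function names are assumptions, not the real IdentityIQ schema or API.

```python
import sqlite3

# Constructed, simplified stand-ins for the two tables discussed in the thread.
# Column names are assumptions for illustration, not the real IdentityIQ schema.
SCHEMA = """
CREATE TABLE managed_attribute (application TEXT, attribute TEXT, value TEXT);
CREATE TABLE bundle_profile_relation (
    bundle TEXT, application TEXT, attribute TEXT, value TEXT);
"""

# Anti-join: relation rows with no managed attribute for the same
# (application, attribute, value) triple. Matching on value alone would
# hide a stale row when another application has a same-named entitlement.
STALE_QUERY = """
SELECT r.bundle, r.application, r.attribute, r.value
FROM bundle_profile_relation r
WHERE NOT EXISTS (
    SELECT 1 FROM managed_attribute m
    WHERE m.application = r.application
      AND m.attribute = r.attribute
      AND m.value = r.value)
ORDER BY r.bundle, r.application, r.value
"""

def build_sample_db():
    """In-memory database loaded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO managed_attribute VALUES (?, ?, ?)", [
        ("AD", "memberOf", "CN=Finance,OU=Groups,DC=example,DC=com"),
        ("ERP", "role", "payroll_admin"),
    ])
    conn.executemany("INSERT INTO bundle_profile_relation VALUES (?, ?, ?, ?)", [
        ("Finance Analyst", "AD", "memberOf", "CN=Finance,OU=Groups,DC=example,DC=com"),
        ("Finance Analyst", "AD", "memberOf", "CN=Legacy,OU=Groups,DC=example,DC=com"),
        ("Payroll Admin", "ERP", "role", "payroll_admin"),
        ("Payroll Admin", "HRDB", "role", "payroll_admin"),
    ])
    return conn

def find_stale_role_entitlements(conn):
    """Return {role: [(application, attribute, value), ...]} for stale rows."""
    stale = {}
    for bundle, app, attr, value in conn.execute(STALE_QUERY):
        stale.setdefault(bundle, []).append((app, attr, value))
    return stale

if __name__ == "__main__":
    for role, refs in find_stale_role_entitlements(build_sample_db()).items():
        print(role, refs)
```

The "Payroll Admin" row for HRDB is reported even though an ERP entitlement with the same value still exists, which is why the comparison uses the full application, attribute and value triple.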