Entitlements Are Not Being Removed When a Business Role Is Auto Unassigned via an Assignment Rule

Hi All,

Issue: Birth Right Role is not working as expected via Assignment Rule.

When the condition for a birthright role matches via an assignment rule, the entitlement is correctly added to the user.

However, the entitlement is not being removed when the condition no longer matches the user.

This issue is occurring inconsistently: for a few users the entitlement is removed as expected, while for other users the entitlements are not removed even after the condition is no longer met.

The same functionality is working fine in the QA environment.

We are using AD Groups to provision.

I have checked the points below.

  1. Refresh task check “Refresh assigned, detected roles and promote additional entitlements and Provision assignments”.

  2. Unchecked "Refresh assigned and detected roles" in account aggregation task.

  3. Entitlement is not added manually

Hi @puppamReddy,

Can you provide us with more information about whether the AD provisioning of these memberships has been performed, if it has failed, or if it simply hasn’t been executed?


Hi @puppamReddy,

Can you check the configuration in the Global Settings and see what the setting shown in the snapshot below is?

Thanks

It’s not been executed.

I do not see any provisioning transaction for role removal.

Within the Administrator Console, there should be a provisioning process for the application and the account for which you attempted to revoke membership. It should have the following characteristics:


Yes, I have checked, but I did not find any provisioning transactions related to the removal of this role.

Did you check the XMLs for the identity which is not working compared to the one which is working? Mostly the role assignment / entitlement assignment.

Just now I checked; below are my observations.

Working user has

  1. Business role and IT role
  2. Under roleAssignments tag, business role source=Rule
  3. RoleDetection tag: I do see assignmentIds

Not working user

  1. Only IT role under RoleDetection tag
  2. RoleDetection tag: I do not see assignmentIds
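The comparison described in the post above can be scripted over exported identity XML. This is an added example, not part of the original thread and not SailPoint code; the sample XML is constructed and simplified, and the `assignmentId` and `roleName` attributes and the role names are assumptions (only the RoleAssignment/RoleDetection tags, `source=Rule` and `assignmentIds` come from the thread).

```python
import xml.etree.ElementTree as ET

# Constructed, simplified identity exports (not real data). Only the
# RoleAssignment/RoleDetection tags, source=Rule and assignmentIds come from
# the thread; assignmentId, roleName and the role names are assumptions.
WORKING = """<Identity name="user.working">
  <RoleAssignment assignmentId="a1" roleName="BR-Birthright" source="Rule"/>
  <RoleDetection assignmentIds="a1" roleName="IT-AD-Group"/>
</Identity>"""

NOT_WORKING = """<Identity name="user.notworking">
  <RoleDetection roleName="IT-AD-Group"/>
</Identity>"""


def audit_identity(xml_text):
    """Classify each detected role by how it links to a role assignment."""
    root = ET.fromstring(xml_text)
    # iter() searches the whole tree, so nesting depth does not matter.
    assignments = {ra.get("assignmentId"): ra for ra in root.iter("RoleAssignment")}
    report = {
        "identity": root.get("name"),
        "rule_assigned": sorted(ra.get("roleName", "") for ra in assignments.values()
                                if ra.get("source") == "Rule"),
        "linked": [], "unlinked": [], "dangling": [],
    }
    for det in root.iter("RoleDetection"):
        ids = [i.strip() for i in (det.get("assignmentIds") or "").split(",") if i.strip()]
        if not ids:
            # Detected only: no assignment claims this IT role.
            report["unlinked"].append(det.get("roleName"))
        elif all(i in assignments for i in ids):
            report["linked"].append(det.get("roleName"))
        else:
            # References an assignment id that is no longer on the identity.
            report["dangling"].append(det.get("roleName"))
    return report


if __name__ == "__main__":
    for sample in (WORKING, NOT_WORKING):
        print(audit_identity(sample))
```

Identities that show up with `unlinked` or `dangling` detections match the "not working" pattern reported above and are the ones to review for entitlements that outlived their role.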

@puppamReddy

Besides all the above replies, can you also confirm that the group, whatever it is in the IT role, should not have been requested manually through Manage User Access before, right?

If that is the case, I don’t think it will be removed, because the manual request will take first priority and the group won’t be removed from the user when the role is unassigned. The group will be removed only if you submit a remove request from Manage User Access.