Entitlements Not Removed After User Termination – Clean up Best Practices

Which IIQ version are you inquiring about?

8.3p5

Share all details about your problem, including any error messages you may have received.

Hi all,
We’re currently using SailPoint IdentityIQ version 8.3p5, and I’ve noticed a recurring issue: when an identity leaves the organization, their accounts are properly disabled, and roles are removed, but some entitlements from various applications still remain linked to the identity.

I’m trying to understand:

  • Why are these entitlements not being removed as part of the deprovisioning process?
  • What’s the best way to investigate the root cause (e.g., logs, provisioning policies, workflows)?
  • Are there any recommended and efficient approaches to clean up such stale entitlements (e.g., BeanShell script, lifecycle event, rule, or batch request)?
  • How does your organization handle post-termination entitlement cleanup in a scalable way?

Any guidance or best practices from the community would be greatly appreciated. Thanks!

Hi @KaranGulati25 ,

Additional entitlements are not removed during the leaver process. These are entitlements not detected from IT roles within the business role.

You can view these additional entitlements by enabling the appropriate options under the Entitlements tab.

identity.getExceptions(); // returns the additional entitlement of the identity
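As an added example that is not part of the reply above, here is a BeanShell-style IdentityIQ rule body that uses the same `Identity.getExceptions()` call to list an identity's additional entitlements per account and to build a `ProvisioningPlan` of `Remove` requests for them. It assumes the standard rule variables `context`, `identity` and `log` are injected by IIQ, and the `dryRun` flag is a local assumption (not an IIQ setting) so the plan is only logged unless you deliberately switch it to execute.

```java
// Added example, not code from the original thread or from SailPoint.
// Assumes IIQ injects `context` (SailPointContext), `identity` (Identity) and `log` (Log).
import java.util.List;
import sailpoint.api.Provisioner;
import sailpoint.object.Attributes;
import sailpoint.object.EntitlementGroup;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.tools.Util;

boolean dryRun = true;  // assumption: report only; set to false to actually provision the removals

// Additional entitlements: values on the account that no assigned IT role explains.
List exceptions = identity.getExceptions();
if (Util.isEmpty(exceptions)) {
    log.info("No additional entitlements on identity " + identity.getName());
    return null;
}

ProvisioningPlan plan = new ProvisioningPlan();
plan.setIdentity(identity);

// One EntitlementGroup per (application, instance, account); each holds attribute -> value(s).
for (Object o : exceptions) {
    EntitlementGroup group = (EntitlementGroup) o;

    AccountRequest acctReq = new AccountRequest();
    acctReq.setApplication(group.getApplicationName());
    acctReq.setInstance(group.getInstance());
    acctReq.setNativeIdentity(group.getNativeIdentity());
    acctReq.setOperation(AccountRequest.Operation.Modify);

    Attributes attrs = group.getAttributes();
    if (attrs != null) {
        for (Object key : attrs.keySet()) {
            String attrName = (String) key;
            // A value may be a single object or a list; Util.asList normalises both.
            for (Object value : Util.asList(attrs.get(attrName))) {
                log.info("Additional entitlement on " + group.getApplicationName()
                        + " / " + group.getNativeIdentity() + ": " + attrName + " = " + value);
                acctReq.add(new AttributeRequest(attrName, ProvisioningPlan.Operation.Remove, value));
            }
        }
    }
    if (!Util.isEmpty(acctReq.getAttributeRequests())) {
        plan.add(acctReq);
    }
}

if (dryRun) {
    // Review the plan XML before letting it reach the connectors.
    log.info("Dry run, plan not executed:\n" + plan.toXml());
    return plan;
}

Provisioner provisioner = new Provisioner(context);
provisioner.compile(plan);
provisioner.execute();
return plan;
```

Run it first with `dryRun` left at `true` against a few known leavers and compare the logged plan with what you see under the identity's Entitlements tab; only once the output matches expectations would you wire it into a leaver workflow or a scheduled task scoped to inactive identities. Keep in mind that the target account is usually already disabled at this point, so the application connector must still accept modify operations on disabled accounts for the removals to succeed; otherwise the same logic can feed a report for manual cleanup instead of a provisioning plan.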

Hi @Arun-Kumar, thank you for your reply. Are these additional entitlements nothing but entitlements that are not managed by SailPoint?

Hi @KaranGulati25 ,

These additional entitlements are not provisioned by SailPoint and are not associated with any IT role. They are directly present on the user account.
