Entitlements removed from an Access Profile not removed from identities that have the Access Profile

Hi all. As documented in https://documentation.sailpoint.com/saas/help/access/access-profiles.html, when entitlements are removed from an access profile, those entitlements are not removed from identities that currently have the access profile. Instead, the removed entitlements become independent entitlements for the identity, detached from the access profile.

The behavior we desire is automatic removal of entitlements from identities who have an access profile from which entitlements were removed. While we have a manual workaround to achieve this (bring up the entitlement, bring up the identities, and revoke one-by-one), it’s the automatic part we’re looking to achieve. I’m wondering if anyone else has experienced this and found a way to automate it.

Unfortunately there is no way to do automatic removal in a situation like this, would love to see if as a future feature enhancement.

I would recommend running a certification campaign via Search.

  1. Click on Search
  2. Click on Certification Campaign on left menu
  3. Click Identities
  4. Click All Identities Returned by a Query
  5. In query enter: “Access Profile Name”
  6. You should see a listing of Identities with that Access Profile, Click Certify These Identities.
  7. Click Refine Acces Items
  8. On the Entitlements tab, filter for the entitlement you removed, and then add that to the Campaign.
  9. Click Continue, then fill out the Campaign Details (I would recommend choosing an Individual for the Reviewer), Click Review Campaign
  10. Click Generate Campaign.

Then you will need to start the campaign, and have the Reviewer revoke the entitlement for all of the Identities.

This will be much quicker than doing them individually.

Some good news to share. Our product management team is aware of this particular challenge and is working on new functionality we believe will address the situation. As for a ballpark ETA, I’d say late Q2 timeframe. Keep in mind, SailPoint can never guarantee any time line estimates that are provided, but historically we have been pretty accurate so I’m optimistic. :slight_smile:

Per the advice of a trusted SailPoint services resource…

There is another way to achieve removal of entitlements from a role definition.

Let’s say you have a role definition as follows:

Role Name: R1

Entitlements: E1, E2, E3

If you want to drop the entitlement E3, following would be the steps.

Step 1:
Create another role as follows:

Role Name: R2

Entitlements: E1, E2

Step 2:
Assign this role to everyone who has the role R1.

Step 3:
Deprovision the role R1 for all identities who have the role R2. This has the effect of removing only the entitlement E3. The other entitlements are not removed because the users have the R2 role assigned.

Step 4:
Delete the role R1.


Yes Roles can be used, but entitlements can’t be assigned directly to Roles, you have to assign Access profiles to the Roles.

The original poster mentioned removing an Entitlement from an Access Profile. This makes the Roles approach more complex. Basically the original Access Profile would be assigned to Role1. Then create a new Access Profile which contains all the entitlements of the original Access Profile minus the entitlement you want to remove. Then assign that new Access profile to Role2.

After the removals occur, make sure to delete the original Access profile, or remove the entitlement from the original AP, and delete the new AP.

@patrick_daniels doesn’t the same thing happen with roles? I might be mis-remembering

Yes it’s my understanding that the removal of access rights from roles and access profiles does not remove the corresponding access assignments for users that have the role or access profile assigned.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.