Hello,
We requested some entitlements through the request center to provision AD accounts. The accounts have been provisioned, which corresponds to the expected result.
Then from the AD we revoked certain accesses, in particular those requested through the request center.
We noticed that ISC reprovisions the account with the revoked access.
I understand that for roles, as long as the identity matches the role criteria, ISC assigns access to it. However, for the entitlements, I don’t understand why ISC reprovisions the entitlements?
Even worse, we notice that if the AD account has been deleted, then IDN will recreate it just to re-provision it again.
We tested this behaviour on two different connectors: Entra ID and Active Directory.
ISC will re-add the entitlement any other way you remove it. So if the account does not exist for the user, ISC would create the account and entitlement.
Access profiles are one way to handle this (as they are not sticky). Or make use of the workflows to revoke entitlements with an HTTP action during account moves or terminations.