Filter reason "does not exist"

a0543124 · October 7, 2025, 2:58pm

Which IIQ version are you inquiring about?

8.4

For some groups, owners tried to remove their members from the AD Group after clicking, there is no error in the UI, but while looking back to their group description, users aren’t removed.

   XML Objects : <ProvisioningProject identity="aXXXXXXX">
   <Attributes>
   <Map>
   <entry key="doRefresh">
   <value>
   <Boolean>true</Boolean>
   </value>
   </entry>
   </Map>
   </Attributes>
   <ExpansionItems>
   <ExpansionItem application="ENT AD Groups"       cause="ProvisioningPolicy" name="memberOf"       nativeIdentity="CN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"       operation="Add" sourceInfo="ENT AD Groups"       value="CN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"/>
   <Filtered>
   <AccountRequest application="ENT AD Groups"       nativeIdentity="CN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"       op="Modify">
   <Attributes>
   <Map>
   <entry key="logged" value="true"/>
   <entry key="userName" value="axxxxxxx"/>
   </Map>
   </Attributes>
   <AttributeRequest name="memberOf" op="Remove"       value="cn=xxxxxxxxxx,OU=xxxxxxxxxxx,OU=xxxxxxxxxxx,OU=xxxxxx,DC=xxx,DC=xx,DC=xx">
   <Attributes>
   <Map>
   <entry key="assignment" value="true"/>
   <entry key="reason">
   <value>
   <FilterReason>DoesNotExist</FilterReason>
   </value>
   </entry>
   </Map>
   </Attributes>
   </AttributeRequest>
   <AttributeRequest name="memberOf" op="Add">
   <Attributes>
   <Map>
   <entry key="reason">
   <value>
   <FilterReason>Exists</FilterReason>
   </value>
   </entry>
   </Map>
   </Attributes>
   <Value>
   <List>
   <String>CN=xxxxxxxx,OU=xxxxxxx,OU=xxxxxxxxx,OU=xxxxxxx,DC=xxxx,DC=xxxxx,DC=com</String>
   <String>CN=xxxxxxx,OU=xxxxxx,OU=xxxxxx Team,OU=IT       Services,DC=xxxxx,DC=xxxxxx,DC=com</String>
   <String>CN=xxxxxxx,OU=xxxx,OU=Data       Analytics,OU=xxxxx,DC=xxx,DC=xxxx,DC=com</String>
   </List>
   </Value>
   </AttributeRequest>
   </AccountRequest>
   </Filtered>
   <MasterPlan>
   <ProvisioningPlan nativeIdentity="axxxxxxx">
   <AccountRequest application="ENT AD Groups"       nativeIdentity="CN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"       op="Modify">
   <Attributes>
   <Map>
   <entry key="userName" value="axxxxxxxx"/>
   </Map>
   </Attributes>
   <AttributeRequest name="memberOf" op="Remove"       value="cn=testGroup,OU=XXXXXX,OU=XXXXXX       Groups,OU=XXXXX,DC=XXXX,DC=XXX,DC=COM">
   <Attributes>
   <Map>
   <entry key="assignment" value="true"/>
   </Map>
   </Attributes>
   </AttributeRequest>
   </AccountRequest>
   </ProvisioningPlan>
   </MasterPlan>
   <ProvisioningTarget assignmentId="xxxxxxxxxxxxxxxxxxxx"       retain="true" role="XXXX-Role-WebExUser">
   <AccountSelection applicationId="xxxxxxxxxxxxxxxxxx"       applicationName="Enterprise ENT-AD"       selection="CN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
   <AccountInfo displayName="axxxxxx"       nativeIdentity="CN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"/>
   </AccountSelection>
   </ProvisioningTarget>
   <ProvisioningTarget assignmentId="xxxxxxxxxxxxxxxxxxxxxxxxx"       retain="true" role="Enterprise-XXXXXXXXX-Role">
   <AccountSelection applicationId="xxxxxxxxxxxxxxxxxxxxxxxx"       applicationName="Enterprise ENT-AD"       selection="CN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
   <AccountInfo displayName="axxxxxxx"       nativeIdentity="CN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"/>
   </AccountSelection>
   </ProvisioningTarget>
   </ProvisioningProject>

What is the reason for FilterReason doest not exist?

Eric_Mendes_CISSP · October 10, 2025, 3:41pm

When IdentityIQ filters out a request because of “DoesNotExist” it means that the access does not exist on the identity at the time of the provisioning request. I would look at the identity and see if the entitlement exists on the identity.

This situation can occur if the identity has a role or entitlement assigned to them within IIQ, but the access granted by the entitlement/role does not exist on the identity. This might be because the provisioning failed, or the access was removed outside of IIQ/within AD. In this use case, IIQ will not attempt to provision because it does not detect that the identity has the access and will instead just remove the role/entitlement assignment.

msingh900 · October 10, 2025, 3:47pm

@a0543124

Here in this case, FilterReason says Does not exist. It means AD group is not available in the target application I.e. AD in this case.

I would suggest running the Account Aggregation task with Detect Delete option. This will ensure you have the correct data in IIQ with respect to AD.

Thanks

Topic		Replies	Views
Provisioning Policy Role to add a AD group and remove another IIQ Discussion and Questions rules , identityiq , provisioning	11	461	December 22, 2024
Remove Provisioning request from a Rule for AD IIQ Discussion and Questions workflows , rules , identityiq , provisioning	5	321	December 22, 2024
Native Change Detection-if someone adds a user to one of the group directly in AD, IIQ has to detect that and remove the added group membership IIQ Discussion and Questions identityiq	10	204	July 27, 2025
Policy violation only remove from account app IIQ Discussion and Questions rules , identityiq	3	55	July 21, 2025
Sticky appear after refresh IIQ Discussion and Questions rules , identityiq	3	68	July 22, 2025

Filter reason "does not exist"

Which IIQ version are you inquiring about?

Related topics