I have raised a request for a AD group from SailPoint and approved his access after few days we removed access to group from AD directly and if we check the user identity entitlements tab we are getting error entitlements doesnt exist on this account.
In the refresh tab if we enable the provision assignments the user is again added to the group.
Welcome to SailPoint Developer Community!!
This is due to the Attribute Assignment (Sticky entitlements) in the identity Cube. Attribute Assignments are added to an identity to track entitlements that have been assigned to them, typically from an access request. It can be viewed on the Identity via debug page. Whenever a user is provisioned via Access Request (LCM) this sticky attribute is added to the identity. This will be part of the provisioning plan under attributes as assignment = true. Refreshing the identity will retry provisioning of missing entitlements and accounts. Removing the sticky attribute from Identity cube will fix the issue. The ideal way will be via a remove request instead of direct update of identity cube.
There is a session by @brian_weigel on how to remove these Attribute Assignments. Ungluing Sticky AttributeAssignments
We have lot of groups which was removed from AD directly and lot users in our database and we are using custom LCM Provisoning can you suggest me a best way to remove the sticy attribute assignements.
@akhil_chidurala : Best way is what Jaris James has suggested. We have create a Rule and removed all the reference from the database.
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.