How to delete entitlements from SailPoint ISC when the entitlement is deleted in the target system

An AD group was deleted in the backend for some reason, but the entitlement is still showing in ISC. Is there a way we can delete this kind of entitlement from ISC?

Do a manual synchronization.

Can you please elaborate on how to do a manual synchronization?

Go to Sources, open your Active Directory source and click on Account Management. You can see your entitlements there and delete them.

Hi @prasadksadananda ,

Do you want to delete all entitlements from the AD source, or do you want to delete only specific entitlements from ISC?


Hi @prasadksadananda ,

Greetings of the Day!

Kindly note that entitlements can't be deleted directly in Identity Security Cloud. To remove an entitlement, delete it from the source itself and run an entitlement aggregation.

Account aggregations never delete entitlements from Identity Security Cloud, including source entitlements created solely through account aggregation. This is because an entitlement could still exist even if no accounts currently hold it.

Thank You.
Mahesh

Hi Prasad. Can I ask why you need to remove the entitlement from ISC?

The AD groups are deleted in the AD system by the AD admins as they are not required anymore.

Thanks Prasad. I get that, but why do you want to delete the associated ISC Entitlement?

There is no use in keeping those entitlements which are no longer in the source system and are not being used in ISC for any activities (not linked to any identity, not part of any Access Profiles or Roles).

OK, thanks Prasad, understood. I only ask because, in my opinion, I would leave them there for historical purposes/audit trail.

Having said that, can you confirm whether you use Entitlement Aggregation or rely on the Account Aggregation to create Entitlements in ISC?

If you rely on Account Aggregation, ISC creates Entitlements when they are identified through the Account’s memberOf attribute, so you only have Groups which are being (have been) used. As @Mahesh_Mukku quotes above, Entitlements managed in this way are never deleted. This is because ISC has no knowledge of whether or not the Group has been deleted.

Entitlement Aggregation, on the other hand, will import all of the Groups in AD that are in scope (so some may not be in use), but will delete those that have been deleted from AD, because it has knowledge of the full set of Groups. Again, as @Mahesh_Mukku quotes above.

Entitlement Aggregation is available in the Source Configuration screen under Entitlement Management and should delete the Entitlements from ISC, but bear in mind that it may import some unused Groups from AD.

More at Managing Entitlements - SailPoint Identity Services
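Before switching an AD source from account-only aggregation to entitlement aggregation, it is worth knowing which ISC entitlements actually point at groups that no longer exist in AD, and whether anything in ISC (an access profile, an account) still refers to them. The script below is an added example written for this thread, not code from SailPoint or from any poster. It takes a constructed entitlement listing whose field names follow the ISC entitlement object (`id`, `name`, `attribute`, `value`, `source`, `requestable`) and a constructed list of current AD group distinguishedNames standing in for the output of `Get-ADGroup`, then reports the stale entitlements and what references them. The ids, DNs and access profile names are all made up for the example.

```python
"""Stale-entitlement report for an ISC Active Directory source.

Added example for the thread above, not SailPoint code. It compares an ISC
entitlement listing against the groups that currently exist in AD and
reports entitlements whose group is gone, together with what still refers
to them in ISC. All input data below is constructed for illustration.
"""
import json

# Constructed sample: a filtered ISC entitlement listing for the AD source.
# Field names follow the ISC entitlement object; ids and DNs are invented.
ISC_ENTITLEMENTS_JSON = """
[
 {"id": "2c91808a0001", "name": "APP-Finance-RO", "attribute": "memberOf",
  "value": "CN=APP-Finance-RO,OU=Groups,DC=corp,DC=example",
  "source": {"id": "2c91808a1000", "name": "Active Directory"}, "requestable": true},
 {"id": "2c91808a0002", "name": "APP-Legacy-Admins", "attribute": "memberOf",
  "value": "CN=APP-Legacy-Admins,OU=Groups,DC=corp,DC=example",
  "source": {"id": "2c91808a1000", "name": "Active Directory"}, "requestable": true},
 {"id": "2c91808a0003", "name": "APP-Retired-Team", "attribute": "memberOf",
  "value": "CN=APP-Retired-Team,OU=Groups,DC=corp,DC=example",
  "source": {"id": "2c91808a1000", "name": "Active Directory"}, "requestable": false},
 {"id": "2c91808a0004", "name": "APP-HR-Write", "attribute": "memberOf",
  "value": "CN=APP-HR-Write,OU=Groups,DC=corp,DC=example",
  "source": {"id": "2c91808a1000", "name": "Active Directory"}, "requestable": true}
]
"""

# Constructed sample: distinguishedNames of the groups that exist in AD today
# (what Get-ADGroup would return). APP-HR-Write comes back in different case,
# which AD treats as the same DN; APP-Legacy-Admins and APP-Retired-Team are gone.
AD_GROUP_DNS = [
    "CN=APP-Finance-RO,OU=Groups,DC=corp,DC=example",
    "cn=app-hr-write, ou=groups, dc=corp, dc=example",
]

# Constructed sample: access profiles and the entitlement ids they contain.
ACCESS_PROFILES = [
    {"name": "Finance Admin", "entitlements": [{"id": "2c91808a0002"}, {"id": "2c91808a0001"}]},
]

# Constructed sample: entitlement ids currently held by at least one account,
# i.e. the only groups account aggregation would ever see via memberOf.
HELD_BY_ACCOUNTS = {"2c91808a0001"}


def normalize_dn(dn):
    """Case-insensitive, whitespace-tolerant DN comparison key.

    AD DNs are case-insensitive and tooling often re-spaces them, so a naive
    string compare produces false 'stale' hits. Escaped commas inside a
    component are not handled here; a real run should use an LDAP DN parser.
    """
    return ",".join(part.strip() for part in dn.split(",")).lower()


def load_entitlements(json_text):
    return json.loads(json_text)


def find_stale_entitlements(entitlements, ad_group_dns, access_profiles=(), held_ids=frozenset()):
    """Return the memberOf entitlements whose group no longer exists in AD.

    Each entry records which access profiles reference it and whether any
    account still holds it, so 'unreferenced' marks the ones that nothing in
    ISC depends on any more.
    """
    live = {normalize_dn(dn) for dn in ad_group_dns}
    refs = {}
    for ap in access_profiles:
        for ent in ap.get("entitlements", []):
            refs.setdefault(ent["id"], []).append(ap["name"])
    report = []
    for ent in entitlements:
        if ent.get("attribute") != "memberOf":
            continue  # only group memberships map to AD groups
        if normalize_dn(ent["value"]) in live:
            continue  # group still exists; nothing to do
        referenced_by = sorted(refs.get(ent["id"], []))
        held = ent["id"] in held_ids
        report.append({
            "id": ent["id"], "name": ent["name"], "value": ent["value"],
            "referenced_by": referenced_by, "held_by_accounts": held,
            "unreferenced": not referenced_by and not held,
        })
    return report


def stale_report():
    """Run the comparison over the constructed sample data."""
    return find_stale_entitlements(
        load_entitlements(ISC_ENTITLEMENTS_JSON), AD_GROUP_DNS, ACCESS_PROFILES, HELD_BY_ACCOUNTS
    )


if __name__ == "__main__":
    for row in stale_report():
        status = "unreferenced" if row["unreferenced"] else "referenced by " + ", ".join(row["referenced_by"])
        print(f"{row['name']}: {row['value']} ({status})")
```

The point of the report is the middle ground the thread does not cover: entitlement aggregation will remove every group that is gone from AD, so you want to know beforehand whether any of those are still sitting in an access profile. In the sample, APP-Retired-Team is a clean removal while APP-Legacy-Admins is still part of "Finance Admin" and deserves a look first. Note the DN normalisation: without it, APP-HR-Write would be falsely reported as stale because the AD export returned it in lower case.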
