How to enable "Provision Assignments refresh option"

Dear community,

Currently I’m doing the Essential training, and in page 3-44 from the exercise pdf there is an answer to got my attention

Notice the Event and the Application columns. Why does this say the application being modified is IdentityIQ?
Answer: Roles assignment happens in IdentityIQ.
Provisioning of the entitlements is a separate action that requires the Provision Assignments refresh option

Where I enable that?

The step of the excerise are:

  1. Create two IT’s role role
  2. Create one business role
  3. Refers the two IT’s role in the business role
  4. Run the refresh identity task
  5. go to admin console -->Provisioning → success see the provisioning transactions

I do see in the vm provide by the training the “success” provisioning, but in my local lab i do not, so I would like to know where I can enable “Provision Assignments refresh option” to also see the sucsess message

Thank in advance

Hey Sara @fugitiva, Provision assignment is an option in the refresh identity task. This provisions the entitlements present in a role, which is assigned because of the assignment rule present on that role. Assignment rule is basically a criteria to assign a user that role (here I’m talking about Business Roles) automatically (through refresh task)

Take a look at this compass link for more info (search for Provision Assignment) - Understanding identity refresh options - Compass

To learn more about how to use it:
One of its application is Birthright Provisioning Using Roles (check this compass link for more details on that) -

@aishwaryagoswami thank you for your answer, I am already aware of the options in the identity refresh tasks
but when Im going to into the vm from training that is not checked, so how its possible to get the provisioning option running with uncheck this option

Hey @fugitiva, oh are you asking why are you seeing the provisioning of the roles even if the Provision Assignment is not checked?

If thats the question, then Provision Assignment causes the provisioning of the entitlements of the already assigned roles (hence you are seeing the transactions for the role addition)
As the definition says - This option causes IdentityIQ to produce and execution Provisioning Plans for all entitlements that are assigned to an Identity cube but are missing in the accounts correlated to the cube. This option is necessary for direct connectors to automate provisioning for automatically assigned business roles

“oh are you asking why are you seeing the provisioning of the roles even if the Provision Assignment is not checked?”
Im dont understand the answer… the question is because in my local (I created my own lab where I replicate from the vm from the training) i dont see the provisioning success, but in the virtual machine form the training yes, so why is that?, I thought somewhere in the vm from training something is enable and/or configure and I am missing that

Sorry Sara, just clarifying is the provisioning of the role failing in your local, meaning are you seeing failures in the provisioning transaction?

If you are not able to see the successful transaction in you local then it might be because you have not enabled the provisioning transaction log for successful provisioning because by default, the Provisioning Transactions table only displays failed provisioning transactions because the Provisioning Transactions log is configured to only store failures.

To change this configuration:

  • Navigate to the Gear menuGlobal SettingsIdentityIQ ConfigurationMiscellaneous page.
  • In the Provisioning Transaction Log Settings section, change Maximum Log Level to Retry or Success.
    • Retry means the system will log provisioning transactions that return a Failure result or a Retry result (an error message indicating a temporary condition that means a later retry of the provisioning operation will likely succeed and should therefore be auto-retried after a delay interval).
    • Success means the system will log all provisioning transactions, regardless of their provisioning result status values.
  • Note that when setting Maximum Log Level to Success, the provisioning transaction log will record high volumes of records. Consequently, it is particularly important in that case to also set the Days before provisioning transaction event deletion value to the number of days you want to retain these records so they will be automatically purged after that time. Leaving that attribute as the default “0” means these records will never be deleted by the system, which would fill your database quickly. Even when using a Retry or Failure maximum log level, this value should be set to purge records you no longer need. The number of days chosen varies by customer.
  • To turn off provisioning transaction logging entirely, clear the Enable Provisioning Transaction Log box.
  • After setting these values, scroll down and click Save at the bottom of the page.

check this compass link for more details -

Thank you :slight_smile: that was it!

1 Like

Hello @fugitiva, if it answers your question kindly do mark the suitable reply as the solution. If there is anything else which you need to discuss regarding this, do let me know? :slight_smile:

@aishwaryagoswami , thank you for your explanation, that was the answer of my question :slight_smile:

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.