Problem
SailPoint keeps re-adding entitlements that were requested through the Request Center to identities during every Identity Refresh or manual processing. SailPoint tries to re-add the entitlements, and even creates the account if it no longer exists for the user.
Diagnosis
SailPoint entitlements are sticky in nature: once an entitlement has been assigned to an identity through an access request, it is provisioned to the identity's source account. If the entitlement is removed directly from the account on the source, it is re-provisioned to the account at the next aggregation.
If the account is deleted on the source, such as Active Directory, it is recreated along with the requested entitlement upon the next refresh.
Solution
- Create Access Profiles instead of making entitlements requestable. Doing this for every entitlement is not feasible when there are hundreds of thousands of them, but when thousands of Access Profiles need to be created, SailPoint provides a utility for bulk creation, which eases the work considerably. Reference: IdentityNow Bulk Access Profile and Role Importer - Compass (sailpoint.com)
- If we still want to use requestable entitlements, we have to make sure the requested entitlement is removed from SailPoint IdentityNow before the account is deleted. That can be achieved through any of the following approaches:
  - Using Access Certification.
  - Revoking it by submitting an API call.
  - Using Workflows.
  - The manager revokes the access manually from the SailPoint UI.
  - Using a Before Provisioning Rule to remove all the access before disabling or deleting the account.
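As an added example (not code from the original post or from SailPoint), the "revoke via API" approach as a pre-deletion gate: it checks whether any request-granted entitlements are still on the account, and if so builds a `REVOKE_ACCESS` request for the IdentityNow v3 `POST /v3/access-requests` endpoint. The tenant URL, token, identity and entitlement IDs are placeholders or constructed sample data; the list of entitlements that were granted via request is assumed to come from your own request records.

```python
"""Revoke request-granted entitlements before deleting a source account, so the
sticky request does not recreate the account and entitlement on the next refresh."""
import json
import urllib.request

BASE_URL = "https://TENANT.api.identitynow.com"   # placeholder tenant
TOKEN = "REPLACE_WITH_OAUTH_BEARER_TOKEN"          # placeholder token


def still_requested(requested_ids, account_entitlement_ids):
    """Entitlements granted via access request that are still on the account.
    Deleting the account while this is non-empty is the case the post warns about."""
    return sorted(set(requested_ids) & set(account_entitlement_ids))


def safe_to_delete(requested_ids, account_entitlement_ids):
    """True only when no request-granted entitlement remains on the account."""
    return not still_requested(requested_ids, account_entitlement_ids)


def build_revoke_request(identity_id, entitlement_ids, comment):
    """Body for POST /v3/access-requests with requestType REVOKE_ACCESS.
    A comment is required on revoke items; duplicates are collapsed."""
    if not entitlement_ids:
        raise ValueError("nothing to revoke")
    return {
        "requestedFor": [identity_id],
        "requestType": "REVOKE_ACCESS",
        "requestedItems": [
            {"type": "ENTITLEMENT", "id": eid, "comment": comment}
            for eid in sorted(set(entitlement_ids))
        ],
    }


def submit_revoke(body):
    """Send the revoke request; returns the parsed JSON response (network call)."""
    req = urllib.request.Request(
        f"{BASE_URL}/v3/access-requests", data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {TOKEN}",
                 "Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    requested = ["ent-123", "ent-456"]                 # constructed sample data
    on_account = ["ent-123", "ent-456", "ent-789"]     # ent-789 was set on the source directly
    if not safe_to_delete(requested, on_account):
        body = build_revoke_request("identity-abc", still_requested(requested, on_account),
                                    "Revoke before account deletion")
        print(json.dumps(body, indent=2))              # submit_revoke(body) against a real tenant
```

Only after the revoke request completes (check it with the access-request status API) should the account deletion proceed.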
Supporting Documentation from SailPoint:
SailPoint Documentation on Requestable Entitlements
Managing Requests for Entitlements - SailPoint Identity Services
An idea was submitted to the SailPoint Ideas Portal asking for a flag that lets customers turn off entitlements being sticky: Entitlements being “Sticky” Flag to allow customers to turn off | SailPoint Ideas Portal
Discussion in the SailPoint Developer Community
Any actual good ways for entitlement self-revocation or non-sticky entitlements? - Identity Security Cloud (ISC) / ISC Discussion and Questions - SailPoint Developer Community
Hope this will help!