Hello,
I have this problem.
If I click “Process Identity” for some users, Sailpoint always tries to create an account for my application “AirtableTestTarget”.
If I try, for example, to add an AD group to this user, Sailpoint creates 2 events: one to add the group in AD and one to create the “AirtableTestTarget” account.
Actually, the creation of the “AirtableTestTarget” account always fails because I have not implemented the API yet.
Actually, the user does not have any entitlement for “AirtableTestTarget”.
There is no dynamic role that automatically adds some “AirtableTestTarget” entitlement to the user.
Somewhere in your configuration, an entitlement for AirtableTestTarget has been assigned to this identity - it could be a role or in an access profile that is assigned to the lifecycle state. Above Events in your screenshot is an item Access. View Access to see what roles, access profiles, or applications are assigned that may contain an AirtableTestTarget entitlement.
Did you verify that the user has the source account correlated? That would trigger the create account action and cause the entitlement adds to fail, because there is no account to add them to.
The account was present in the source AirtableTestTarget and was correlated to the user, but I deleted the account from Sailpoint and directly from the source AirtableTestTarget. If I try to aggregate, the account mark.bius in AirtableTestTarget does not exist. But it seems like Sailpoint is trying to force the re-creation of the account and in particular is forcing the Add Entitlement and the related Create Account:
In that case you want the user to no longer qualify for your AP, Role, or Entitlement. By removing these items IdN will no longer try to provision the user. The reason you are seeing this loop is because IdN is like: hey, this account is missing and they have this access, so I will create it and add this access. I hope that helps and makes sense.
But I cannot delete the AP, Role, or Entitlement for AirtableTestTarget only because one user is in a loop. How can I manage this auto-provisioning for this particular user?
For another user it can be correct that when I try to request an access profile AirtableTestTarget, Sailpoint will create a new AirtableTestTarget account.
When a user gains an account from Sailpoint, can he never lose this account?
If you have it set as requestable you could use the APIs to request removal or run an Access Certification and revoke the access. The account will not be deleted unless you have that defined in a role. In order to disable you would need to define that source in the provisioning plan.
I couldn’t find any access or entitlement with the user; still, refresh was trying to add some entitlement and failing, and there was no trace of how this entitlement was getting added to the user.
Check Access Reviews for this identity if there is any entitlement related to AirtableTestTarget application.
OOTB SailPoint IDN doesn’t have a delete operation; when an Identity loses an access automatically or manually it will be a modify operation only. The user account will lose the access but the account will not be deleted.
You can use the Service Standard Before Provisioning Rule; you will have an option to delete the account on the last entitlement removal.
Or you can use your own Before Provisioning Rule to change the account request operation from modify to delete.
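As an added illustration of the second option, and not code from this thread or from SailPoint, here is a BeanShell helper for a Before Provisioning Rule that converts a Modify into a Delete only when the removals in the plan cover every entitlement the account still holds. It assumes the entitlement attribute is named `groups`, that the caller passes in the account's current entitlement values (read from the existing account), and that `plan` and `application` are the objects IdentityNow hands to the rule.

```java
import java.util.*;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Hypothetical helper for a Before Provisioning rule. If a Modify request for the
// target application only removes entitlements, and those removals cover every value
// the account currently holds, the Modify becomes a Delete, so the connector deletes
// the account instead of calling the (missing) remove-entitlement operation. Anything
// else is left alone: a wrong Delete is destructive, so keeping Modify is the default.
// Returns true when the plan was changed.
public boolean deleteOnLastEntitlementRemoval(ProvisioningPlan plan, String appName,
                                              String entAttr, Collection currentValues) {
    List reqs = plan.getAccountRequests();
    if (reqs == null || currentValues == null || currentValues.isEmpty()) {
        return false; // no entitlements held: there is no "last removal" to detect
    }
    boolean changed = false;
    for (Object o : reqs) {
        AccountRequest acctReq = (AccountRequest) o;
        if (!appName.equals(acctReq.getApplicationName())
                || acctReq.getOperation() != AccountRequest.Operation.Modify) {
            continue; // only explicit Modify requests on this source are candidates
        }
        List attrReqs = acctReq.getAttributeRequests();
        if (attrReqs == null || attrReqs.isEmpty()) continue;
        Set removed = new HashSet();
        boolean onlyRemovals = true;
        for (Object a : attrReqs) {
            AttributeRequest ar = (AttributeRequest) a;
            if (!entAttr.equals(ar.getName())
                    || ar.getOperation() != ProvisioningPlan.Operation.Remove) {
                onlyRemovals = false; // an Add/Set or non-entitlement change: keep Modify
                break;
            }
            Object v = ar.getValue(); // a single value or a List of values
            if (v instanceof Collection) removed.addAll((Collection) v);
            else if (v != null) removed.add(v);
        }
        if (onlyRemovals && removed.containsAll(currentValues)) {
            acctReq.setOperation(AccountRequest.Operation.Delete);
            changed = true;
        }
    }
    return changed;
}

// In the rule body (IdN supplies `plan` and `application`); `currentValues` is assumed
// to be read from the existing account by the caller, attribute name "groups" assumed.
// deleteOnLastEntitlementRemoval(plan, application.getName(), "groups", currentValues);
```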
Test 1 - Existing account on Entra ID with some AD groups - delete account without groups
I remove all EntraID entitlements from the user in Sailpoint.
I delete the account on the target system.
I aggregate EntraID in Sailpoint.
The account is successfully removed from Sailpoint as well, and Sailpoint does not attempt to recreate it.
Test 2 - Existing account on Entra ID with some AD groups - delete account with groups
Leave all entitlements for the user in Sailpoint and Entra ID.
Delete the account on the target system.
I aggregate EntraID in Sailpoint.
The account is successfully removed from Sailpoint as well, and Sailpoint does not attempt to recreate it.
I think that maybe the problem is with the Web Service Connector (AirtableTestTarget).
The HTTP operations for create and remove entitlement are not present (for now), so if I try to remove an AirtableTestTarget entitlement from an Identity this is done in Sailpoint but the request fails (because the operation is not present). Then after an Identity process Sailpoint tries to force the account creation and add entitlement.
I’m trying to PUT fake HTTP operations for Create and Remove Entitlement but for now it is not working.
I don’t know. Maybe until the web service connector has all the operations we will have this strange creation loop.