Trying to use this SailPoint documentation to fully understand the refreshes and processing functionality, but for the question below I prefer to have a second opinion on how SailPoint behaves, based on your experience and/or your interpretation of the documentation.
One thing I noticed is that if you make certain changes to an identity profile, it will show you the following:
In the JSON of the identity profile, you would similarly see "identityRefreshRequired": true
These identity profile refreshes can take quite a long time. In cases where the changes do not necessarily need to be processed instantly, I would prefer to wait until the scheduled refreshes occur. The question is whether this is sufficient. Suppose I make changes to an identity profile and don't trigger the apply changes button and instead wait for 24 hours. Will all related identities be properly updated then to match the new configuration of the identity profile?
If this is actually the case, I would think it makes sense for SailPoint to let the scheduled refreshes update the identityRefreshRequired flag and mark it as false. After all, the refresh would not be required anymore.
If it is not the case, I think it would make sense for either SailPoint to automatically perform this task on a daily basis for all identity profiles requiring a refresh, effectively temporarily expanding the scope of the scheduled refresh, or for us to create a workflow to achieve a similar effect.
Also if this is not the case, I wonder which identities will not be refreshed (I guess identities with identity type Inactive (long-term) are excluded, but those are often less important to us, so are there any others?) and I wonder which refresh actions will be occurring during an apply changes refresh, that are usually being left out during one of the scheduled refreshes.
Note that we have roles implemented. I mainly want to get rid of the identityRefreshRequired: true flag, preferably without processing the identities manually.
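As an added illustration of the daily sweep suggested in the post above (this is example code written here, not SailPoint's or the thread's own), the script below selects identity profiles whose JSON carries `identityRefreshRequired: true` and only triggers processing inside an agreed maintenance window and for profiles on an approved list, reporting everything it left alone. The endpoint paths `GET /v3/identity-profiles` and `POST /v3/identity-profiles/{id}/process-identities` are assumptions to be checked against your tenant's API reference; the profile records and ids are constructed sample data.

```python
"""Sweep identity profiles flagged identityRefreshRequired (added example)."""
import json
import urllib.request
from datetime import datetime, time

# Constructed sample of identity-profile records (ids are placeholders).
SAMPLE_PROFILES = [
    {"id": "profile-employees", "name": "Employees", "identityRefreshRequired": True},
    {"id": "profile-contractors", "name": "Contractors", "identityRefreshRequired": False},
    {"id": "profile-service", "name": "Service Accounts", "identityRefreshRequired": True},
]


def profiles_needing_refresh(profiles):
    """Keep only profiles whose JSON explicitly says a refresh is pending."""
    return [p for p in profiles if p.get("identityRefreshRequired") is True]


def in_window(now, start=time(1, 0), end=time(5, 0)):
    """True when the local wall-clock time falls inside the maintenance window."""
    return start <= now.time() < end


def sweep(profiles, now_iso, trigger, approved=None):
    """Return (processed_ids, skipped_ids).

    trigger(profile_id) is only called inside the window and, when an
    approved list of profile names is given, only for those profiles.
    Skipped profiles are returned so the operator can see what still
    carries the identityRefreshRequired flag after the run.
    """
    now = datetime.fromisoformat(now_iso)
    processed, skipped = [], []
    for p in profiles_needing_refresh(profiles):
        if (approved is not None and p["name"] not in approved) or not in_window(now):
            skipped.append(p["id"])
            continue
        trigger(p["id"])
        processed.append(p["id"])
    return processed, skipped


def make_api_trigger(base_url, token):
    """Build a trigger that calls the (assumed) process-identities endpoint."""
    def trigger(profile_id):
        req = urllib.request.Request(
            f"{base_url}/v3/identity-profiles/{profile_id}/process-identities",
            method="POST", headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read() or b"{}")
    return trigger
```

Run it on a schedule with the real `make_api_trigger` and the profile list fetched from the tenant; the returned skipped list is what still needs attention the next morning.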
One use case I can think of for not immediately processing or processing say overnight would be that you are staging changes that need to be completed during a move window. I am thinking of changes that might have a downstream impact with attribute sync or role membership criteria. I might want to do all of the prep work on Friday, have a peer review that my changes are good, but not actually update the identities until Saturday morning.
If I am not wrong, Apply Changes is a little different from Identity Profile refresh.
Identity refresh processes all identities with the configurations from the last applied changes on the Identity Profile.
Apply changes will lock your current changes and trigger identity refresh automatically and these changes are used for future refresh.
If we don't click on apply changes, I believe the status on the Identity profile would remain as "Needs Processing" and it won't update values on the Identity unless apply changes is triggered.
You can test this for yourself quite easily. Make some changes to an identity profile, but don't hit the "apply changes" button. Then trigger the standard identity refresh in some way. For example by waiting 24 hours for the scheduled refresh, run a refresh for a single identity yourself, or for example by single aggregating any account of an identity from that profile, or requesting access (and approving) for an identity from that profile. You will notice that it has included the changes you made, even though you never hit the "apply changes" button.
This is one of the reasons I told SailPoint that I think that the button should have a different name, since people might wrongly assume that not hitting the "apply changes" button means the previous changes are still being applied.
The observation above is why I would not use the strategy you mentioned. If you do this prep work in production and then ask for a peer review, it could be that the changes you made are already getting used for identities that are processed through identity refresh, for example caused by account aggregations, access requests etc.
My point is mainly that I don't want to do a big identity profile refresh if I know that the refresh will be made anyway during the scheduled refreshes within 24 hours. The question is just if the scheduled refreshes are sufficient or if we really need to hit the "apply changes" button if we want to ensure the proper calculations were made for all relevant identities for all relevant attributes. Perhaps @kirby_fitch knows the specifics here?