I have a JDBC source for which I have written the provisioning rules for create and modify. The create works fine but every time I modify the identity with a different entitlement, I see a bunch of identity refresh activities triggering to set the value of the entitlement back to the previous state. I am setting the ProvisioningResult.status correctly after each operation.
Now the weirdest part. The identity refresh sets the entitlements back to the original one. But after aggregation it now switches to the new entitlement which I initially tried to set, and then a second aggregation sets it back to the original, and this keeps on repeating for the subsequent aggregations. Kindly help.
This type of cyclical entitlement switching may be caused by one or more configurable objects that affect aggregation and provisioning. For example, a transform could be modifying the incoming aggregated attributes in such a way as to trigger a provisioning event automatically based on some role criteria. Attribute sync can also use transforms to modify attributes before they are provisioned to the account. It is entirely possible that one or more of your configurations are effectively causing this infinite loop. The only way to find the cause is to do a deep dive investigation of the entire aggregation and provisioning process for the affected identity. You will need to carefully analyze each transform, role criteria, provisioning rule, and attribute sync profile and manually map out what the result of each step will be.
Start with account aggregation. Based on the logic of your transforms, what do you expect the attributes to be, and how will this affect any role membership criteria? If role membership criteria cause an entitlement to be granted, what is the result on the account after accounting for any provisioning rules or attribute sync configurations? Then repeat the aggregation events and see if there is a cycle happening.
I’m not aware of a good way to figure out what exactly is causing the refresh. All I know is that our docs indicate three different ways an identity refresh might occur.
Hi Vikram,
Is the user requesting the entitlement from the UI? If yes, this may be an issue of sticky entitlement. You might need to first remove the old entitlement and then add the new entitlement using assignment as true in the Before Provisioning Rule.