Identity Refresh

Does Identity Refresh try to grant access whether identities are active or inactive? For example, if identity xyz has abc access, does Identity Refresh attempt to grant abc access? If it does, can this be tamed somehow?

From what I have been able to understand from my experience with ISC, the Identity Refresh triggers attribute sync and the Role Engine. As for your question, it would add entitlements based on users being added to Roles that they now meet the criteria for. The primary function of the Identity Refresh is to ensure that the downstream systems are in sync with ISC.

For example, if an admin removes group A from a user but group A is part of a role that the user is being added to, it will indeed re-add group A to the user.

Hence, is that what we are wrongly assuming: that it is attempting to re-add group A again?

The ISC Identity Refresh is the same task as the IIQ Identity Refresh, with some options enabled.

So imagine that yes, if the Identity has the role XYZ but it didn't have the access that the role carries, ISC will give the access, and even create the account to give the access.

Best

Simply put, why in the first case is it attempting to grant access, though they already have it? Do we need to imagine a downstream data sync?

If the user has the access, it should not try to grant it. One thing to keep in mind is that if you remove the granted role, the access will be removed.

But yes, it will try to make a "data sync".


Hi @shaffusailpoint,

When you say that the user has xyz access, has the access been aggregated to ISC yet? If the user has the role corresponding to access xyz, but the aggregation has not occurred (in a case where the access was granted outside of ISC), the system could assume that the access has not been granted yet and could retry provisioning.

Note that the Identity Refresh process does not read the data from the target systems. It just processes the data (Roles, Attribute syncs, etc.) which is already there in ISC.

You might need to recheck whether the entitlements you see aggregated back match the access assigned by the role.

The symptoms you described could be because the closed loop did not happen or was incorrectly aggregated; hence ISC will think the access has not been granted and will continuously attempt to create it.
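The behaviour described in the replies above, as an added example that is not part of the original thread and is not SailPoint code: a simplified Python model in which a refresh plans whatever the roles require minus what has been aggregated, and never reads the target itself. The role `ROLE_XYZ`, the group names and all function names are constructed for illustration.

```python
# Simplified model of the thread's description; not SailPoint's implementation.
# ROLE_ENTITLEMENTS and all names below are constructed for illustration.
ROLE_ENTITLEMENTS = {"ROLE_XYZ": {"group_A", "group_B"}}


def refresh_plan(roles, aggregated):
    """Entitlements a refresh would provision: required by roles but
    missing from the aggregated data (the target is never read here)."""
    required = set()
    for role in roles:
        required |= ROLE_ENTITLEMENTS.get(role, set())
    return required - aggregated


def simulate(cycles, aggregate_after_provisioning):
    """Run several refresh cycles and return the plan issued in each one."""
    target = set()        # real state on the downstream system
    aggregated = set()    # the governance platform's view of that state
    plans = []
    for _ in range(cycles):
        plan = refresh_plan({"ROLE_XYZ"}, aggregated)
        plans.append(sorted(plan))
        target |= plan                    # provisioning succeeds downstream
        if aggregate_after_provisioning:  # closed loop: read the state back
            aggregated = set(target)
    return plans


def plan_after_admin_removal():
    """An admin removes group_A on the target; after aggregation the role
    still requires it, so the next refresh plans to re-add it."""
    target = {"group_A", "group_B"}
    target.discard("group_A")
    aggregated = set(target)
    return sorted(refresh_plan({"ROLE_XYZ"}, aggregated))


if __name__ == "__main__":
    print("no aggregation:  ", simulate(3, False))
    print("with aggregation:", simulate(3, True))
    print("admin removal:   ", plan_after_admin_removal())
```

Without the aggregation step the same plan is issued on every cycle, which matches the repeated provisioning attempts described in the thread.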
