In IIQ, does access granted via an access request re-provision if it was revoked on the target directly?

In case of roles, I know externally deleted access gets added back on next identity refresh if the flag is set on the task to refresh assigned and detected roles, but does this behavior extend to access (ad-hoc entitlement) that was granted via an access request being approved?

Yes, it does, due to Attribute Assignment (aka sticky entitlements). Upon an identity refresh with the “Provision assignments” option enabled, both role assignments and entitlement (attribute) assignments will be evaluated and any assigned access missing on the target account(s) will be re-provisioned until satisfied. You can see AttributeAssignments in the Preferences object of an identity in debug. Some implementations disable this by removing the assignment option in the LCM Provisioning workflow by manipulating the provisioning plan.

Thanks Patrick, that’s what I was looking for.
This is a toggle that’s customizable on IIQ but on ISC, it is always on by default. I was curious how it worked on IIQ, thanks!

Yeah, in IIQ you could modify each AttributeRequest to set the assignment argument to false, i.e.
entAttrReq.put("assignment", false);

In ISC, we actually just noticed that the GET /beta/org-config endpoint now shows an option for “entitlement stickiness”, so it might not be configurable but have not tried it yet.

That’s a great find. I don’t know if we could toggle it at an entitlement level/source level instead of an org level (if supported). I’ll look into it.

Turns out, a PATCH API call works to set it true!
