I usually can correct a “red X” problem on an IT role by checking for renames, cleaning up disconnected entitlements, or double checking an IdentityRequest / WorkflowCase gone bad, and following this up with a more complete “Identity Refresh” on the identity.
These tricks fail to correct the “red X” problem when the IT Role is based on a population (e.g., Dynamic Role: (inactive == false && primaryAccountId.notNull() && (BusinessUnitCode == “26322” || BusinessUnitCode == “9709”))). Even worse, the entitlement is granted, but the “red X” persists on the IT role (false negative that confuses our operators).
Could you share the details of your IT Role?
Also, what would be interesting to see is the role assignment and role detection XML from your identity. There could be some mismatch there.
Usually it’s the Business roles that are assigned based on some business logic, not the IT Roles as you describe above.
I see the business role (roleName=“Dynamic Role: TTS All”) assigned in the identity XML in the:
assignedRoleSummary
AssignedRoles
RoleMetadatas
RoleAssignment (includes reference to IT Role: roleName=“IT Role: TTS All”)
There is NO entry under roleDetections (I expect this is why we are seeing the “red X”). Is there a SailPoint task that creates these roleDetections that I should troubleshoot?
Yes, the task that deals with this is Refresh Identity with “Refresh assigned, detected roles and promote additional entitlements” option set.
For sure you should run this task with filter for the identity you are working on.
At the same time could you share the XML of the IT role?
What I’ve seen before was misalignment in role assignments and detections. These are based on role ids (not role names), and for some reason these didn’t match the values on the role objects.
So, it would also be useful to see the XMLs of the role assignment (I understand that RoleDetections are not present).
Also, do you see the IdentityEntitlement objects present for the assigned entitlements? (If so, let’s see the XML.)
We have run the Refresh Identity task with the “Refresh assigned, detected roles and promote additional entitlements” option set multiple times for this identity with the same “red X” result.
The IT Role is attached.
From the identity’s XML…
From: <AssignedRoles>
<Reference class="sailpoint.object.Bundle" id="0a616ba788e51385818931c2c2084c66" name="Dynamic Role: TTS All"/>
NOTE: This is the correct ID for the Business Role
From: <RoleMetadatas>
<Reference class="sailpoint.object.RoleMetadata" id="0a616bac8e7b16be818e837e024b154d" name="Dynamic Role: TTS All"/>
NOTE: Not sure why this is needed or how it is used
From: <RoleAssignment>
<RoleAssignment assignmentId="c07b37de1aec4fccaf8c6d65cb3bb912" date="1711404350830" roleId="0a616ba788e51385818931c2c2084c66" roleName="Dynamic Role: TTS All" source="Rule">
<RoleTarget applicationId="8ae55ea35508afde015508fd9cad02fb" applicationName="Fisher Account" displayName="XXXX" nativeIdentity="CN=XXXX,OU=Users,OU=Common,DC=fi,DC=com" roleName="IT Role: TTS All"/>
</RoleAssignment>
I am not seeing any IdentityEntitlement objects related to this role / identity.
@cwhittle see how the RoleAssignment has a RoleTarget within it? Does the nativeIdentity of the RoleTarget match the nativeIdentity of the Link (AD account) object on the cube? This includes casing. If it is off at all, the role does not properly detect the associated entitlements. This can happen if you provision the account in all lowercase for example but some parts of the account DN are aggregated back in uppercase, etc. due to how the domain is configured. Or the account gets renamed directly in the domain or something.
Craig
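A small diagnostic script, added here as an example (not code from the thread or from SailPoint), that automates the check Craig describes: it parses an identity XML export, compares each RoleTarget’s nativeIdentity with the Link of the same application, reports casing-only differences separately from real mismatches, and notes whether any RoleDetections exist. The sample XML is constructed from the attributes quoted above; the Links/Link and RoleDetections element shapes are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the identity XML quoted in the thread.
# The <Links>/<Link> and <RoleDetections> shapes are assumptions, not a real export.
SAMPLE_IDENTITY_XML = """<Identity name="sample.user">
  <Links>
    <Link application="Fisher Account"
          nativeIdentity="cn=XXXX,ou=Users,ou=Common,dc=fi,dc=com"/>
  </Links>
  <RoleAssignments>
    <RoleAssignment assignmentId="c07b37de1aec4fccaf8c6d65cb3bb912"
                    roleId="0a616ba788e51385818931c2c2084c66"
                    roleName="Dynamic Role: TTS All" source="Rule">
      <RoleTarget applicationName="Fisher Account"
                  nativeIdentity="CN=XXXX,OU=Users,OU=Common,DC=fi,DC=com"
                  roleName="IT Role: TTS All"/>
    </RoleAssignment>
  </RoleAssignments>
  <RoleDetections/>
</Identity>"""


def check_role_targets(xml_text):
    """Return (business role, IT role, application, status) per RoleTarget.

    status is one of: match, case-mismatch, value-mismatch, no-link.
    A case-mismatch is the situation Craig describes: the DN is the same
    except for letter case, which is enough to stop role detection.
    """
    root = ET.fromstring(xml_text)
    links = {}  # application name -> list of Link nativeIdentity values
    for link in root.iter("Link"):
        links.setdefault(link.get("application"), []).append(link.get("nativeIdentity") or "")
    findings = []
    for ra in root.iter("RoleAssignment"):
        for target in ra.findall("RoleTarget"):
            app = target.get("applicationName")
            wanted = target.get("nativeIdentity") or ""
            candidates = links.get(app, [])
            if wanted in candidates:
                status = "match"
            elif any(c.lower() == wanted.lower() for c in candidates):
                status = "case-mismatch"
            elif candidates:
                status = "value-mismatch"
            else:
                status = "no-link"
            findings.append((ra.get("roleName"), target.get("roleName"), app, status))
    return findings


def has_role_detections(xml_text):
    """True when the identity carries at least one RoleDetection element."""
    detections = ET.fromstring(xml_text).find("RoleDetections")
    return detections is not None and len(detections) > 0
```

Run it against a real identity export (Debug page, Identity object) in place of the constructed sample; a case-mismatch finding combined with no RoleDetections points at the DN casing problem rather than at the refresh task.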
Let’s look at the basic setup. Does the link on the “Fisher Account” application have the groups specified in the IT Role?
This is a fundamental question. If yes, we will be looking at why it’s not represented by an IdentityEntitlement. If no, there could be a problem with provisioning.
At the same time, whenever you run Refresh Identity task make sure the option “Provision assignments” is also selected (this triggers provisioning for any roles that have missing entitlements or links).
Waiting for your feedback.