What problem are you observing?
We have created multiple access profiles.
They were created as enabled, not available for request, each AP contains exactly one entitlement. Multiple users have these entitlements.
After creating them we have clicked on “Apply changes” on the Access profiles page (xxx.identitynow.com/ui/a/admin/access/access-profiles/landing)
We have waited a couple of minutes, after which there was no monitor tasks visible.
We have tried to create certification campaigns for these access profiles, but NO identities appeared to have them. Going to the Access page for an identity, we saw that NO access profiles were present, although they had the entitlements present.
Clicking on “Apply changes” again did NOT help.
After triggering an unoptimized aggregation on the authoritative source, the APs finally appeared both on the identities and in the certification campaign.
What is the correct behavior?
When we create/modify/delete access profiles and we click on “apply changes”, the changes should reflect in the entire system (identities, search, campaigns etc).
What product feature is this related to?
ISC access profiles, identities, campaigns, search.
When you create or edit identity profiles, roles, or access profiles, you must manually initiate identity processing to update your identities. This is required to apply your access model updates to your identities and recalculate access requirements, even when the identities have not changed.
What are the steps to reproduce the issue?
- Create AD entitlement
- Assign AD entitlement to AD account
- Assign AD account to identity
- Create access profile, containing the AD entitlement
- Click on “Apply changes”
- Wait for the (unspecified) time until the changes are applied
- Check on the access page for the identity if the access profile is present or not
Do you have any other information about your environment that may help?
Many unanswered questions for SailPoint. It seems they keep optimizing the processing on their side, but we remain with unexpected behaviour that it is time consuming to debug.