Version 8.3
Issue: IT role not getting detected.
The user has the role in target (application) end and also the corresponding role in Sailpoint. However the IT role is not getting detected. This issue is observed only for some users with same role as other users have the role assigned as expected.
Is there any scope or any Provisioning Target Account Selector Rules written?
No nothing like that are defined. Mainly we are seeing exceptions for some if the users in Identity XML like below
<Exceptions> <EntitlementGroup created="1701744272220" displayName="00222222" id="0a2c884a8c251d86818c37dce35c7027" nativeIdentity="00222222"> <ApplicationRef> <Reference class="sailpoint.object.Application" id="0a2c8e2d8bd71102818bd761622b000a" name="App Name"/> </ApplicationRef> <Attributes> <Map> <entry key="role"> <value> <List> <String>Value</String> </List> </value> </entry> </Map> </Attributes> </EntitlementGroup> </Exceptions>
Hello,
Please check a few things:
Hi @703hardik,
Thanks for your reply.
Hi Vinod,
Please uncheck “No automatic detection with profiles unless assigned” in Role configuration settings and then run the Refresh Identity task with “Refresh only identities marked as needing refresh during aggregation” with this option unchecked
Hi @703hardik,
We did removed this checkbox and tried in our non prod environment but still the SR roles are not getting detected. One question from business teams is why is it happening for some accounts and identities and why not for all identities and accounts?
What happens if you remove the exception XML-element via debug and run the refresh task (With Refresh assigned, detected roles and promote additional entitlement) again?
You can use the filter name=="<dentityName>" to only refresh that 1 identity (replace <identityName> with the name of the identity).
– Remold
Yes we did tried this in the initial troubleshooting, after aggregation again this data comes as exception in identity xml
Data issue maybe? Sometimes it happens to me and I check for entitlements linked to the IT Role in first place.
@vinnysail When looking at one of the identities where the role is not detected via debug. Is there an element called <Preferences> with an entry for roleDetections, like:
<Preferences>
<Map>
<entry key="roleDetections">
<value>
<List>
<RoleDetection ......
If so, can you delete the Entry-element roleDetections and run the Refresh again?
I have has a similar issue with roleAssignments at a client.
You can also take look at the Developer Days 2023 presentation of @brian_weigel :
– Remold
Sure @Remold let me check and get back to you on the same.
@Vinod,
strange if entitlements are assigned and it role global configuration is checked with allow detection of role based on profile assignment, then ideally it roles should get detected after refresh task execution with detect detection of roles option checked. Generally if this is Sticky Entitlement scenario you should be able to see entitlement as red triangle flag, nevertheless please try the suggestion given by @Remold and confirm if you still see the issue.
Is the role at all, marked to appear as detected?
best
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.