Issue: IT role not getting detected

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

Issue: IT role not getting detected.
The user has the role at the target (application) end and also the corresponding role in SailPoint. However, the IT role is not getting detected. This issue is observed only for some users, while other users with the same role have the role assigned as expected.

Is there any scope or any Provisioning Target Account Selector Rules written?

No, nothing like that is defined. Mainly we are seeing exceptions for some of the users in the Identity XML, like below:
  <Exceptions>
    <EntitlementGroup created="1701744272220" displayName="00222222" id="0a2c884a8c251d86818c37dce35c7027" nativeIdentity="00222222">
      <ApplicationRef>
        <Reference class="sailpoint.object.Application" id="0a2c8e2d8bd71102818bd761622b000a" name="App Name"/>
      </ApplicationRef>
      <Attributes>
        <Map>
          <entry key="role">
            <value>
              <List>
                <String>Value</String>
              </List>
            </value>
          </entry>
        </Map>
      </Attributes>
    </EntitlementGroup>
  </Exceptions>

Hello,
Please check a few things:

  • IT role is enabled
  • Identity cubes that are not getting the role are currently active
  • In the Refresh Identity Cubes task no filters are there (or if there are any, they should include the identities which are not currently getting that role)
  • Ensure “Refresh only identities marked as needing refresh during aggregation” is unchecked; for testing purposes you can turn it on if this doesn’t work
  • Ensure “Refresh assigned, detected roles and promote additional entitlements” is checked
  • Ensure Global settings > Role Config > IT roles “No automatic detection with profiles” is unchecked (also look at the other options here if any of them look suspicious)

Hi @703hardik,
Thanks for your reply.

  1. IT role is enabled
  2. Yes, the users are active
  3. Filtered identity refresh covers these users. The users were even manually refreshed as well.
  4. Disable marking the identity as needing a refresh → this option is not checked in the aggregation task
  5. Refresh assigned, detected roles and promote additional entitlement → this checkbox is ticked in the identity refresh options
    The options below are checked in the role configuration:
    [image]
    For some users the roles are not getting detected and are coming as exceptions in the identity XML, whereas some users have the IT roles correctly detected. If there was an issue, it should not have been detected for all users.

Hi Vinod,
Please uncheck “No automatic detection with profiles unless assigned” in Role configuration settings and then run the Refresh Identity task with the “Refresh only identities marked as needing refresh during aggregation” option unchecked.

Hi @703hardik,
We did remove this checkbox and tried it in our non-prod environment, but still the SR roles are not getting detected. One question from business teams is why is it happening for some accounts and identities and why not for all identities and accounts?

What happens if you remove the exception XML-element via debug and run the refresh task (With Refresh assigned, detected roles and promote additional entitlement) again?

You can use the filter name=="<identityName>" to only refresh that 1 identity (replace <identityName> with the name of the identity).

– Remold

Yes, we did try this in the initial troubleshooting; after aggregation this data again comes as an exception in the identity XML.

Data issue maybe? Sometimes it happens to me and I check for entitlements linked to the IT Role in the first place.

@vinnysail When looking via debug at one of the identities where the role is not detected, is there an element called <Preferences> with an entry for roleDetections, like:

  <Preferences>
    <Map>
      <entry key="roleDetections">
        <value>
          <List>
            <RoleDetection ......

If so, can you delete the Entry-element roleDetections and run the Refresh again?

I have had a similar issue with roleAssignments at a client.

You can also take a look at the Developer Days 2023 presentation of @brian_weigel:

– Remold
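
Added example, not part of any post in this thread: a small Python script that reads one Identity XML exported from the debug page and reports the two things the replies above ask about, the entitlements listed under `<Exceptions>` and whether `<Preferences>` holds a `roleDetections` entry. The function name and the sample XML are constructed for illustration, modelled on the fragments quoted in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragments quoted in the thread;
# the identity name and all values are placeholders.
SAMPLE = """<Identity name="example.user">
  <Preferences><Map>
    <entry key="roleDetections"><value><List><RoleDetection/></List></value></entry>
  </Map></Preferences>
  <Exceptions>
    <EntitlementGroup displayName="00222222" nativeIdentity="00222222">
      <ApplicationRef>
        <Reference class="sailpoint.object.Application" name="App Name"/>
      </ApplicationRef>
      <Attributes><Map>
        <entry key="role"><value><List><String>Value</String></List></value></entry>
      </Map></Attributes>
    </EntitlementGroup>
  </Exceptions>
</Identity>"""


def summarize_identity(xml_text):
    """Return the exception entitlements and stored RoleDetection count of one Identity."""
    root = ET.fromstring(xml_text)
    exceptions = []
    for group in root.findall("./Exceptions/EntitlementGroup"):
        ref = group.find("./ApplicationRef/Reference")
        app = ref.get("name") if ref is not None else None
        for entry in group.findall("./Attributes/Map/entry"):
            values = [s.text for s in entry.iter("String")]
            # Assumption: a single value may sit in a value="..." attribute instead.
            if not values and entry.get("value") is not None:
                values = [entry.get("value")]
            for value in values:
                exceptions.append((app, group.get("nativeIdentity"), entry.get("key"), value))
    stored = 0
    for entry in root.findall("./Preferences/Map/entry"):
        if entry.get("key") == "roleDetections":
            stored += sum(1 for _ in entry.iter("RoleDetection"))
    return {"identity": root.get("name"), "exceptions": exceptions,
            "stored_role_detections": stored}


if __name__ == "__main__":
    print(summarize_identity(SAMPLE))
```

Running it on one affected and one unaffected identity gives a side-by-side view of the exception values to compare against the entitlements in the IT role's profile.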

Sure @Remold let me check and get back to you on the same.

@Vinod,

Strange. If entitlements are assigned and the IT role global configuration is checked with allow detection of role based on profile assignment, then ideally IT roles should get detected after refresh task execution with the detect detection of roles option checked. Generally, if this is a Sticky Entitlement scenario, you should be able to see the entitlement with a red triangle flag. Nevertheless, please try the suggestion given by @Remold and confirm if you still see the issue.


Is the role marked at all to appear as detected?

best