I have an issue with the provisioning plan. When assigning a business role with a required IT role that in turn has a required environment, the provisioning plan used to only add that environment. However, now it also adds some permissions that the account already has, and I don’t know why this is happening.
For example, in this case, the user already has two permissions. When trying to assign another one, the provisioning plan adds the one I want to assign and one of the permissions the user already has. Every time I’ve tested it, it’s always just one.
I tried creating an IT role and a business role from scratch or testing with others, but the provisioning plan still generates with an extra permission.
PS: I noticed that when I perform a refresh identity without any changes, it still generates a provisioning plan with the permission in question.
If you want to replace the existing entitlement with a new entitlement and you don’t want to maintain the previous entitlement, then go to Application → Schema → choose that entitlement attribute and uncheck multi-valued, as shown below.
If this doesn’t work, please assist with the following:
Can you check the entitlement details in the identity warehouse by searching for the specific identity? Each entitlement should show how it was granted. Please verify if these entitlements are assigned through your role.
If multiple entitlements are added from the same application, they should appear as separate entries, resulting in two distinct entries in the plan as shown below.
@AntonioGvtt, please share the role debug of the business and IT roles and the application debug.
It seems to be either a role or an application configuration issue. Or maybe some role is trying to add it.
Also, please check what the master plan looks like and what the provisioning project plan looks like.
If this is fine in the master plan and it appears in the provisioning plan after expansion, then the issue is with either a rule or how you have added the entitlement and configured it in the SailPoint application.