Hi all,
What happens to an entitlement when the business role is removed (when it does not satisfy anymore)?
In our case, the entitlement stays with the identity. Ideally, the entitlement should also be removed.
Thanks in advance
Hi @rishavghoshacc ,
In IdentityIQ, entitlements are usually removed when a role is removed. However, if the “Retain assigned entitlements when assigned roles are removed” setting is enabled, the entitlements will remain.
So please check that option in Roles settings (Global Settings > IdentityIQ Configuration > Roles > Additional Role Options).
When any business role is removed from the user, the entitlements associated with the business role will get removed once you run the Refresh Identity task with the options below:
Also check if the same entitlement is added in some other role that is assigned to the user.
But make sure that this option is not enabled in your Global Settings –> Identity Configuration page.
Hello @rishavghoshacc ,
When a business role is removed, the respective entitlements will be removed only when they are assigned solely to that role. If the entitlements remain the same, it usually means that access is coming from another source or a direct assignment.
In such cases, you need to review how the entitlement was assigned and verify whether the provisioning logic is properly executing the removal.
Hi @rishavghoshacc ,
You mentioned (when it does not satisfy anymore)
Does it mean Business role is assigned by assignment criteria instead of LCM Request?
In case of role assignment by assignment logic (either a rule or a match list, etc.),
if the assignment criteria are no longer valid, then the business role is removed from the identity.
When Role is removed, IIQ also checks corresponding IT roles and entitlements.
If those entitlements were provisioned as part of Business role assignment, then IIQ removes them.
But if entitlements were provisioned previously by LCM request or referenced by some other Role, then IIQ only removes Role and doesn’t remove entitlements.
@mandarsane Is there a way to check the source of the entitlement that is present on the identity after the Business role has been removed?
@msingh900 The option is unchecked. Is there a way to check the source of the entitlement that is present on the identity after the Business role has been removed?
@prasadkoya The option is unchecked in IIQ
One way to check is to go to the Admin console and check the provisioning transactions for that user. If you find any record that suggests that SailPoint added that entitlement, then the entitlement was added by SailPoint; otherwise it came through aggregation.
Can you check the Identity in the debug page?
@rishavghoshacc Do you know if the entitlements were assigned via Roles or directly assigned?
@rishavghoshacc There could be two reasons:
SailPoint did not remove entitlement when business role was removed - this happens when the entitlement was assigned outside of business role. You will find the assignment source in identity xml.
Entitlement was removed when business role was deprovisioned but added back - this will happen when it is a sticky entitlement. Please check if the entitlement is added under “ProvisionAssignments” in the identity xml. If so, SailPoint will add it back after refresh.
Hope this helps.
Hi @rishavghoshacc,
If the earlier suggestions didn’t help, you may want to check this option in Refresh Identity:
“Disable deprovisioning of deassigned roles.”
By default, entitlements are removed when a role is deassigned. This option prevents that and keeps the entitlements intact.
Let me know if this works for you.
Thanks,
SRM
If you remove a Business Role, the entitlements linked to that role will be removed.
If those entitlements are detected ones or are directly assigned in the target application, they may get re-added after aggregation.
Hi @rishavghoshacc,
Please check the following:
Verify the provisioning transaction. If the deprovisioning request failed, the entitlement may still remain on the user.
Check whether the entitlement is part of any other role. If it is, it will not be removed.
Check if the identity has any sticky assignments. In such cases, the entitlement may get provisioned again during the next refresh.
Check whether the Provision Assignments option is checked in your refresh task.
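The decision rules spread across the replies above (retain setting, other roles, direct/LCM assignment, sticky assignments, failed deprovisioning) as one worked model, added here as an example; it is not IdentityIQ code or any poster's script, and the identity state and role/entitlement names are constructed for illustration:

```python
from dataclasses import dataclass, field

@dataclass
class IdentityState:
    """Constructed, simplified view of an identity; not the IIQ object model."""
    assigned_roles: set              # business roles currently assigned
    role_entitlements: dict          # role name -> set of entitlements it grants
    direct_assignments: set          # entitlements from LCM request / direct assignment
    sticky_assignments: set          # attribute assignments that refresh re-applies
    failed_deprovisioning: set = field(default_factory=set)  # failed remove requests

def predict_after_role_removal(state, removed_role, retain_setting_enabled=False):
    """Return {entitlement: outcome} for every entitlement the removed role granted.
    Outcomes mirror the thread: 'removed', 'retained:setting', 'retained:other-role',
    'retained:direct', 'readded:sticky', 'retained:failed-deprovisioning'."""
    remaining_roles = state.assigned_roles - {removed_role}
    outcomes = {}
    for ent in sorted(state.role_entitlements.get(removed_role, set())):
        if retain_setting_enabled:
            outcomes[ent] = "retained:setting"        # global "Retain assigned entitlements"
        elif any(ent in state.role_entitlements.get(r, set()) for r in remaining_roles):
            outcomes[ent] = "retained:other-role"     # another assigned role still grants it
        elif ent in state.direct_assignments:
            outcomes[ent] = "retained:direct"         # assigned outside the business role
        elif ent in state.sticky_assignments:
            outcomes[ent] = "readded:sticky"          # removed, then re-added on refresh
        elif ent in state.failed_deprovisioning:
            outcomes[ent] = "retained:failed-deprovisioning"  # check provisioning transactions
        else:
            outcomes[ent] = "removed"
    return outcomes

def demo():
    # Constructed sample: "Finance" is being deassigned; each entitlement hits one rule.
    state = IdentityState(
        assigned_roles={"Finance", "Audit"},
        role_entitlements={"Finance": {"AD:FinShare", "AD:AuditRO", "SAP:AP_Post",
                                       "AD:VPN", "DB:ReportRO"},
                           "Audit": {"AD:AuditRO"}},
        direct_assignments={"SAP:AP_Post"},
        sticky_assignments={"AD:VPN"},
        failed_deprovisioning={"DB:ReportRO"},
    )
    return predict_after_role_removal(state, "Finance")
```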