Hi All,
I am new to Roles implementation. Therefore, I need some suggestions from the community, as I do not know whether what I encountered is a bug or a configuration issue.
Scenario: When I delete an AD group and perform AD group aggregation, I see changes in the entitlement catalogue, but in both the IT role entitlement section and the identity entitlement section I see a long CN value (no display name) for that entitlement followed by a broken link (pop-up box as shown in the attachment).
How can I see updated entitlement info on the Role's page? Once I get the Role to have updated info, I can run the refresh identity task to reflect it in the identities.
You can modify the role and remove the invalid entitlement.
Anyway, if the group is deleted from AD it would have removed the group membership in AD, so just as a cleanup activity remove the invalid entitlement.
SailPoint doesn't handle this OOTB, but from 8.3 onwards SailPoint has enabled a new feature, "Enable Native Identity Change Event propagation", supporting Active Directory native move/rename. I haven't used this one, but check if this can help you.
I'm running 8.4 with that enabled and it still doesn't do what you are hoping, sadly. I feel like there should be a task that cleans these up on SailPoint's end, but currently I'm trying to work on a rule that will do this myself.
Hi @vishal_kejriwal1 !
As you suggested, I looked into it. It resolves the rename and move of a group in AD, which means I am able to make some progress.
However, I am still not able to address the scenario where the AD group is deleted.
You can write a rule to scan all the IT roles, check whether the corresponding entitlements exist or not, and then take the required action accordingly.
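As an added illustration of the scan described in the reply above (this is example code, not from the thread or from SailPoint), the following IdentityIQ rule body, written in BeanShell using Java syntax, walks every IT role's profiles, pulls out the attribute/value constraints, and checks whether a ManagedAttribute still exists in the entitlement catalog for each one. It assumes the standard rule context objects `context` (SailPointContext) and `log`, and that IT roles use the default role type name "it"; it only reports stale entries and leaves removing them from the role to the administrator.

```java
// Added example (not SailPoint's code): report IT-role entitlements whose ManagedAttribute
// is missing from the catalog, e.g. after the backing AD group was deleted and re-aggregated.
// Assumes the IdentityIQ rule runner provides 'context' (SailPointContext) and 'log'.
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import sailpoint.api.SailPointContext;
import sailpoint.object.Application;
import sailpoint.object.Bundle;
import sailpoint.object.Filter;
import sailpoint.object.ManagedAttribute;
import sailpoint.object.Profile;
import sailpoint.object.QueryOptions;

// Collect leaf (attribute <op> value) constraints from a profile filter, recursing through AND/OR composites.
void collectLeaves(Filter f, List leaves) {
    if (f instanceof Filter.CompositeFilter) {
        List children = ((Filter.CompositeFilter) f).getChildren();
        if (children != null) {
            for (Iterator it = children.iterator(); it.hasNext();) {
                collectLeaves((Filter) it.next(), leaves);
            }
        }
    } else if (f instanceof Filter.LeafFilter) {
        leaves.add(f);
    }
}

// True when the entitlement catalog still holds a ManagedAttribute for this application/attribute/value.
// For AD groups the value is the group DN, which is the "long CN value" seen on the role page.
boolean entitlementExists(SailPointContext ctx, Application app, String attr, Object value) throws Exception {
    QueryOptions qo = new QueryOptions();
    qo.addFilter(Filter.eq("application", app));
    qo.addFilter(Filter.eq("attribute", attr));
    qo.addFilter(Filter.eq("value", value.toString()));
    return ctx.countObjects(ManagedAttribute.class, qo) > 0;
}

// Scan every IT role and return "role|application|attribute|value" strings for constraints
// whose entitlement is no longer in the catalog.
List findStaleRoleEntitlements(SailPointContext ctx) throws Exception {
    List stale = new ArrayList();
    QueryOptions roleQo = new QueryOptions();
    roleQo.addFilter(Filter.eq("type", "it")); // assumption: IT roles use the default type name "it"
    Iterator roles = ctx.search(Bundle.class, roleQo);
    while (roles.hasNext()) {
        Bundle role = (Bundle) roles.next();
        List profiles = role.getProfiles();
        if (profiles == null) continue;
        for (Iterator pit = profiles.iterator(); pit.hasNext();) {
            Profile p = (Profile) pit.next();
            Application app = p.getApplication();
            List constraints = p.getConstraints();
            if (app == null || constraints == null) continue;
            List leaves = new ArrayList();
            for (Iterator cit = constraints.iterator(); cit.hasNext();) {
                collectLeaves((Filter) cit.next(), leaves);
            }
            for (Iterator lit = leaves.iterator(); lit.hasNext();) {
                Filter.LeafFilter leaf = (Filter.LeafFilter) lit.next();
                // CONTAINS_ALL constraints carry a list of values; EQ carries a single value.
                Object value = leaf.getValue();
                List values = new ArrayList();
                if (value instanceof List) values.addAll((List) value); else values.add(value);
                for (Iterator vit = values.iterator(); vit.hasNext();) {
                    Object v = vit.next();
                    if (v != null && !entitlementExists(ctx, app, leaf.getProperty(), v)) {
                        stale.add(role.getName() + "|" + app.getName() + "|" + leaf.getProperty() + "|" + v);
                    }
                }
            }
        }
    }
    return stale;
}

// Report only: log each stale entry and return the list so a task or workflow can act on it.
List report = findStaleRoleEntitlements(context);
log.warn("Stale role entitlements found: " + report.size());
for (Iterator rit = report.iterator(); rit.hasNext();) {
    log.warn("STALE " + rit.next());
}
return report;
```

Run it from a rule-runner task or the debug page against a test environment first; once the list looks right, the role edits can be done by hand (as suggested earlier in the thread) or automated in a follow-up step, after which the identity refresh picks up the corrected role definitions.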
I think it might be a huge task. The broken link of the entitlement is stuck in the exception tag and link tag of the identities even though we are removing it from the roles.
You can do that until the SailPoint team comes up with some solution. You can work with your CSM and see what other options they recommend.
I would say you need to have some SOP in place so that the application owner updates the team in case they delete an entitlement which is part of some role, or you need to do a role review on a regular basis.