IT role is not assigned

Hi everyone,

We have created a business role with a match list and configured an IT role. We have added an AD entitlement to the IT role and created a provisioning policy to update the msDS-cloudExtensionAttribute20 attribute with a fixed value.

The issue is:

The IT role is not assigned to the user and the value is not getting updated in AD, but we can see a provisioning transaction in the admin console showing that the value is committed.

Please check if any work items are pending.

There are no work items.

Please share the provisioning policy and provisioning transactions so we can analyze the issue.


I have created a provisioning policy directly in the IT role by choosing the policy.

Role.docx (3.2 KB)

Hi @sureshbommareddy98,

The issue is likely to be caused by the constraint defined inside the IT Role profile:

<Filter operation="CONTAINS_ALL" property="memberOf">
  <Value>
    <List>
      <String>CN=Research,OU=Distribution,OU=Groups,OU=Enterprise Services,DC=usi,DC=com</String>
    </List>
  </Value>
</Filter>

This condition checks whether the user is already a member of the “Research” AD group. If the user is not in that group, the constraint fails. As a result, the IT Role is not assigned to the user, and the provisioning form that updates the msDS-cloudExtensionAttribute20 attribute is not triggered.

Even though you see a provisioning transaction marked as “committed” in the Admin Console, it just means that SailPoint successfully created and queued the provisioning plan. It does not necessarily mean the change was executed in the target system. If the IT Role wasn’t assigned due to the failed constraint, the provisioning steps inside that role would not be executed.

To fix this:

  1. Remove or relax the ‘memberOf’ constraint in the IT Role so that it can be assigned even if the user is not already in the AD group. This will ensure that the attribute update happens as expected.
  2. Alternatively, if the constraint is still required, make sure the user is added to the AD group before this role is evaluated.

Hope this helps!

Hi @sureshbommareddy98,
Try creating the provisioning policy directly in the Business role and inheriting the IT role within it.

I have removed memberOf and ran the refresh task, but it is not getting detected.

@sureshbommareddy98

Try this; I am suspecting a camel-case issue.

<Filter ignoreCase="true" operation="CONTAINS_ALL" property="memberOf">
  <Value>
    <List>
      <String>CN=Research,OU=Distribution,OU=Groups,OU=Enterprise Services,DC=usi,DC=com</String>
    </List>
  </Value>
</Filter>
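To make both hypotheses in this thread concrete (the memberOf constraint blocking assignment, and the comparison being case-sensitive without ignoreCase), here is a small stand-alone emulation of how a CONTAINS_ALL Filter on memberOf is evaluated. It is added as an illustration and is not IdentityIQ's own matcher; the AD link attributes and the lowercased group DN are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Filter from the IT Role profile, as quoted in the thread. The ignoreCase
# attribute is optional in the XML; it is the toggle this example exercises.
FILTER_TEMPLATE = """
<Filter{ic} operation="CONTAINS_ALL" property="memberOf">
  <Value>
    <List>
      <String>CN=Research,OU=Distribution,OU=Groups,OU=Enterprise Services,DC=usi,DC=com</String>
    </List>
  </Value>
</Filter>
"""

def build_filter(ignore_case):
    """Render the constraint with or without ignoreCase="true"."""
    return FILTER_TEMPLATE.format(ic=' ignoreCase="true"' if ignore_case else "")

def parse_filter(xml_text):
    """Extract property, operation, ignoreCase flag and the required values."""
    root = ET.fromstring(xml_text.strip())
    return {
        "property": root.get("property"),
        "operation": root.get("operation"),
        "ignore_case": root.get("ignoreCase", "false").lower() == "true",
        "values": [s.text.strip() for s in root.findall("./Value/List/String")],
    }

def constraint_matches(xml_text, link_attributes):
    """Emulate CONTAINS_ALL: every listed value must be present in the attribute.
    Only CONTAINS_ALL is modelled; other Filter operations are out of scope."""
    f = parse_filter(xml_text)
    if f["operation"] != "CONTAINS_ALL":
        raise ValueError("only CONTAINS_ALL is modelled here")
    actual = link_attributes.get(f["property"]) or []
    if isinstance(actual, str):          # single-valued attribute
        actual = [actual]
    norm = str.lower if f["ignore_case"] else str
    have = {norm(v) for v in actual}
    return all(norm(v) in have for v in f["values"])

# Constructed AD links (not real data): jdoe is in the group but the DN came back
# in different letter case than the profile value; asmith is not in the group.
JDOE_LINK = {"memberOf": ["cn=research,ou=distribution,ou=groups,ou=enterprise services,dc=usi,dc=com"]}
ASMITH_LINK = {"memberOf": []}

if __name__ == "__main__":
    for name, link in (("jdoe", JDOE_LINK), ("asmith", ASMITH_LINK)):
        for ic in (False, True):
            print(name, "ignoreCase=%s:" % ic, constraint_matches(build_filter(ic), link))
```

Running it shows jdoe failing the constraint without ignoreCase and passing with it, while asmith fails either way, which is the case where removing the constraint (or adding the user to the group first) is the only fix.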

I have tried, but no luck.

Test by manually assigning the IT Role. For this, go to Global Settings > Role Configuration > IT Roles, uncheck "No manual assignment", and try to request this role.