In my Sailpoint I have an IT Role that is automatically assigned to a set of users.
This role is linked to a rule that validates who the user is and, based on their department, returns a DN from an AD group and assigns this group to the user.
The issue is that the user may for some reason already have the group.
How can I validate if the user already has the group and, if they have, how to remove it before assigning the new one?
These groups are a multivalued attribute; users can have multiple groups at the same time.
Now, if the user has a group which the IT role wants to assign again, then SailPoint will not fail; instead it will report the group as filtered.
Hey, yes, but in this case this will assign a group based on department.
If the user changes department, the goal is to remove the old group and give the new one.
@RIsidoro
Is your IT role not associated with AD groups directly, and you have an additional ad hoc rule that will provision the new group?
Can you provide more details? By default, if your IT role has the group configuration and you removed the old group and added a new group for the same, or if the user is removed from the IT role in which the old group is configured, the old group membership removal will be taken care of by the refresh task and propagate role changes.