IT Roles are not detected

venkatesh_t2411 · April 21, 2023, 12:31am

Hi Team,

We have an custom role type created similar to IT role. In our env, This role can be directly requested and entitlements linked to the role will be provisioned. When user submits access request for this role, The flow works end to end perfectly fine. Now there are users with Role entitlements. The entitlements were assigned or provisioned directly in the target system. Now for these users, The role is not getting detected. We have identity refresh task with “Refresh assigned, detected roles and promote additional entitlements” option checked running everyday. What could be the reason for the role not getting detected even when all the entitlements associated to the role is assigned to the user?

brian_weigel · April 21, 2023, 1:03pm

Try running the refresh with the Refresh Identity Entitlements for all Links option enabled as well.

venkatesh_t2411 · April 21, 2023, 3:05pm

Hi Brian,

Thank you for the reply. I tried IR task with below option already and it didn’t work. The role entitlements are available in Identity exception entitlements, but role is not detected.

Options enabled:
Refresh Identity Entitlements for all Links
Refresh assigned, detected roles and promote additional entitlements
Provision assignments
Refresh role metadata for each identity

I also checked the role type definition (detection options) and it has the following option unchecked. So in my mind the IR task should detect the role.

Role Type definition option unchecked:
No automatic detection with profiles
No automatic detection with profiles unless assigned

brian_weigel · April 24, 2023, 3:24pm

Can you share screenshots or XML of the custom role definition/config, as well as the XML of the role in question that is not being correctly detected?

mike818148 · May 5, 2023, 10:09am

Hello @venkatesh_t2411,

hum… just a comment, probably the identity is not marked to be refresh. Maybe try make some changes on the account to make sure identity is marded needsRefresh after account aggregation.

venkatesh_t2411 · May 18, 2023, 3:37pm

Hi everyone, we identified the issue is due to case sensitivity. The Entitlement details in role is in all upper case whereas in target we have it as lower case. I didn’t expect SailPoint to consider the case for detecting roles. Maybe this be created as an idea for future release to make it case insensitive. LDAP considers both cases as same entitlement.

brian_weigel · May 18, 2023, 6:50pm

I believe there’s setting in your Application config to set it as case-insensitive (defaults to true (unchecked)).

Topic		Replies	Views
Role not get assigned or triggered for the identity! ISC Discussion and Questions webservice-connector , identity-security-cloud , provisioning , entitlements	3	159	April 12, 2024
Does IDN detect roles like IIQ? ISC Discussion and Questions identity-security-cloud , roles	4	259	December 31, 2023
How to enable "Provision Assignments refresh option" IIQ Discussion and Questions identityiq , provisioning	9	357	December 8, 2023
Old entitlements are added back after Refresh IIQ Discussion and Questions identityiq	3	1248	August 8, 2023
Delimited application, remove request for one of the entitlement in the IT Role IIQ Discussion and Questions identityiq , roles	4	359	January 16, 2024

IT Roles are not detected

Related Topics