We have a custom role type created similar to the IT role. In our env, this role can be directly requested and entitlements linked to the role will be provisioned. When a user submits an access request for this role, the flow works end to end perfectly fine. Now there are users with the role's entitlements. The entitlements were assigned or provisioned directly in the target system. Now for these users, the role is not getting detected. We have an identity refresh task with the "Refresh assigned, detected roles and promote additional entitlements" option checked running every day. What could be the reason for the role not getting detected even when all the entitlements associated with the role are assigned to the user?
Try running the refresh with the "Refresh Identity Entitlements for all Links" option enabled as well.
Thank you for the reply. I tried the IR task with the options below already and it didn't work. The role entitlements are available in the identity's exception entitlements, but the role is not detected.
Refresh Identity Entitlements for all Links
Refresh assigned, detected roles and promote additional entitlements
Refresh role metadata for each identity
I also checked the role type definition (detection options) and it has the following options unchecked. So in my mind the IR task should detect the role.
Role Type definition options unchecked:
No automatic detection with profiles
No automatic detection with profiles unless assigned
Can you share screenshots or XML of the custom role definition/config, as well as the XML of the role in question that is not being correctly detected?
Hmm… just a comment: probably the identity is not marked to be refreshed. Maybe try making some changes on the account to make sure the identity is marked needsRefresh after account aggregation.
Hi everyone, we identified that the issue is due to case sensitivity. The entitlement details in the role are in all upper case, whereas in the target we have them in lower case. I didn't expect SailPoint to consider the case for detecting roles. Maybe this can be created as an idea for a future release to make it case insensitive. LDAP considers both cases as the same entitlement.
I believe there's a setting in your Application config to set it as case-insensitive (defaults to true (unchecked)).
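Added example, not from this thread and not SailPoint code: a small offline checker that compares a role profile's required entitlement values against an identity's link values both exactly and case-folded, so that case-only mismatches like the one found above are surfaced separately from entitlements that are genuinely missing. The role name, application name, attribute name and group values are constructed for the example.

```python
from typing import Dict, List, Set

# application -> attribute -> required values (what the role profile asks for)
Profile = Dict[str, Dict[str, Set[str]]]
# application -> attribute -> values actually held on the identity's links
Links = Dict[str, Dict[str, Set[str]]]

# Constructed sample: role stores the LDAP groups in upper case, the target
# system returns them in lower case (the situation described in the thread).
ROLE_PROFILE: Profile = {
    "LDAP": {"memberOf": {
        "CN=FINANCE_READ,OU=GROUPS,DC=EXAMPLE,DC=COM",
        "CN=FINANCE_WRITE,OU=GROUPS,DC=EXAMPLE,DC=COM",
    }}
}
IDENTITY_LINKS: Links = {
    "LDAP": {"memberOf": {
        "cn=finance_read,ou=groups,dc=example,dc=com",
        "cn=finance_write,ou=groups,dc=example,dc=com",
    }}
}


def _unmet(required: Profile, held: Links, fold: bool) -> List[str]:
    """Return required values not present on the links.

    fold=True compares case-insensitively (casefold), fold=False exactly.
    """
    norm = (lambda v: v.casefold()) if fold else (lambda v: v)
    unmet: List[str] = []
    for app, attrs in required.items():
        for attr, values in attrs.items():
            have = {norm(v) for v in held.get(app, {}).get(attr, set())}
            unmet.extend(v for v in sorted(values) if norm(v) not in have)
    return unmet


def diagnose(required: Profile, held: Links) -> dict:
    """Explain why a role profile does or does not match an identity's links."""
    exact = _unmet(required, held, fold=False)
    folded = _unmet(required, held, fold=True)
    return {
        "exact_match": not exact,
        "case_insensitive_match": not folded,
        # values that block detection only because of letter case
        "case_only_mismatches": [v for v in exact if v not in folded],
        # values missing even when case is ignored
        "truly_missing": folded,
    }


if __name__ == "__main__":
    print(diagnose(ROLE_PROFILE, IDENTITY_LINKS))
```

Run it against values exported from the role definition and the identity's link to see whether a detection failure is a case-only problem (fix the role profile or the application's case-sensitivity setting) or a real entitlement gap.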