JDBC - Access Reapplied After Disable Operation – How to Prevent This Behavior?

Description:

Hi everyone,

I’m facing an issue in my SailPoint IdentityNow environment and would appreciate any guidance or best practices.

Here’s the situation:

  • When I execute a Disable operation on a user account, the process correctly disables the account in the Users table.
  • It also removes access from the assigned_roles table, which is expected, as the user should no longer have any active entitlements.
  • However, after this operation, SailPoint automatically triggers an Identity Refresh.
  • During the refresh, it reapplies the previously requested access (originally requested via Access Request using an Entitlement).
  • This results in the disabled account receiving access again, which defeats the purpose of the disable operation.

Question:

How can I prevent IdentityNow from reapplying access (specifically entitlements requested through Access Requests) to an account that has already been disabled?

Is there a recommended configuration, policy, or rule that can be used to block or suppress entitlement reapplication in this scenario?

Any help is appreciated!

Thanks in advance.

One thing to check first would be if the account becomes enabled after next aggregation.

1 Like

Hello @lucassilvaasper

Totally understand your trouble! Entitlements granted through SailPoint are sticky. Even if they are removed on the application, they will re-provision if they are assigned through the request centre and not revoked through [certifications, revoke API call, entitlement-identity revoke].

You can implement a workflow as a workaround:
User LCS inactive → remove all standing access via APIs.
The following is a full-fledged workflow:

I wish entitlements were not sticky! :confused:

4 Likes
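
The workaround from the answer above (lifecycle state inactive → revoke standing access through the API), shown as an added example that is not part of the thread and is not the workflow the answer refers to. It assumes the request body shape of the IdentityNow `POST /v3/access-requests` endpoint; the `requested` flag, the sample IDs and the batch size are constructed for illustration.

```python
import json

# Assumption: body shape of POST /v3/access-requests (requestType REVOKE_ACCESS).
REVOCABLE_TYPES = {"ENTITLEMENT", "ACCESS_PROFILE", "ROLE"}


def build_revoke_requests(identity_id, lifecycle_state, access_items,
                          batch_size=25, comment="Lifecycle state inactive"):
    """Build revoke request bodies for access that was granted via access request."""
    if lifecycle_state != "inactive":
        return []  # only act on the lifecycle change the workflow listens for
    seen, items = set(), []
    for item in access_items:
        key = (item["type"], item["id"])
        # Only request-centre ("sticky") access needs an explicit revoke;
        # "requested" is a hypothetical flag marking how the access was assigned.
        if item["type"] not in REVOCABLE_TYPES or not item.get("requested"):
            continue
        if key in seen:  # the same item can be listed more than once
            continue
        seen.add(key)
        items.append({"type": item["type"], "id": item["id"], "comment": comment})
    # A revoke request targets one identity; split long item lists into batches.
    return [{"requestedFor": [identity_id],
             "requestType": "REVOKE_ACCESS",
             "requestedItems": items[i:i + batch_size]}
            for i in range(0, len(items), batch_size)]


# Constructed sample data, not taken from a real tenant.
SAMPLE_ITEMS = [
    {"type": "ENTITLEMENT", "id": "ent-001", "requested": True},
    {"type": "ENTITLEMENT", "id": "ent-001", "requested": True},   # duplicate row
    {"type": "ROLE", "id": "role-010", "requested": False},        # not requested
    {"type": "ACCESS_PROFILE", "id": "ap-100", "requested": True},
    {"type": "ENTITLEMENT", "id": "ent-002", "requested": True},
]

if __name__ == "__main__":
    for body in build_revoke_requests("id-123", "inactive", SAMPLE_ITEMS, batch_size=2):
        print(json.dumps(body, indent=2))
```

Each returned body is what the workflow's HTTP step would send; once the revoke is processed, the identity refresh has no outstanding requested assignment to re-provision.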

Thanks a lot guys!
The problem is solved.