Currently I am doing some testing on what happens if an entitlement is no longer available.
The JDBC connector builds the entitlement catalog with a GroupAggregation task - okay.
And if the group is no longer available, the entitlement gets deleted by IIQ from the catalog.
(The option "Detect deleted account groups" must be activated in the GroupAggregation task.)
But the orphaned entitlements are still included in IIQ roles and assigned to the identities.
How does IIQ sync its role/entitlement and identity/entitlement assignments?
Here is the hyperlink to the SailPoint IdentityIQ documentation to manage uncorrelated accounts: Manage Uncorrelated Accounts - SailPoint IdentityIQ Documentation
Please refer to this document for comprehensive guidance on effectively managing uncorrelated accounts within the SailPoint IdentityIQ platform.
Propagate role changes task will help in removing the roles from the identity cube if the role/entitlement has been deleted from the role. But in this scenario explained by @chriskk, the role composition is not modified. The entitlement that was present in the role has now become invalid as it is now not present in the entitlement catalogue. We have to delete the entitlement manually from the IT role and then go forward with the role propagation task.
In my opinion, IIQ should help to automate this behavior.
If I really need to watch these changes manually:
How can IIQ help me to collect this information (e.g. a list of deleted entitlements) and send this to some people so they can react?
Currently there is only an option/flag in GroupAggregation.
We have the exact same problem.
I consider this a bug of IIQ (v8.3).
Support said this is an "idea" for improvement.
So I wrote a bug report as an idea: https://ideas.sailpoint.com/ideas/IIQ-I-1169
Please vote and comment on this.
I'll try to rephrase the bug/problem as clearly as possible:
Business role b contains IT role i.
IT role i contains entitlement e.
Entitlement e gets deleted in the app, so it is no longer valid.
Group aggregation with the delete option on deletes entitlement e from the entitlement catalog, but:
IT role i references entitlement e nevertheless.
If we assign business roles to identities, they get assigned IT roles, which leads to assignment of entitlements, which generates errors and stack traces and stops the provisioning as soon as it reaches the first invalid entitlement.
There is no job to automatically detect invalid entitlements and delete them from IT roles.
It is expected to manually discover invalid entitlements and manually delete invalid entitlements from IT roles.
I'm currently writing a tool to clean IT roles, which I would expect to be included in the IIQ product.
Currently I am able to detect all invalid entitlements in IT roles and log that (as of today).
I have problems finding the correct way to delete those entitlements from IT roles.
Pointers to code for that are welcome.
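As an added example (not the poster's tool and not SailPoint code), this Java method walks every IT-role profile, checks each referenced entitlement value against the catalog and rebuilds the profile constraints without the orphaned values, reporting what it removed so the list can be sent to the responsible people. Assumptions: the default IT role type name "it", that profiles built in the UI hold `LeafFilter` constraints (`containsAll`/`eq`), and that `ManagedAttributer.get(context, app, attribute, value)` returns null once the group aggregation has deleted the catalog entry.

```java
import java.util.ArrayList;
import java.util.List;
import sailpoint.api.ManagedAttributer;
import sailpoint.api.SailPointContext;
import sailpoint.object.Application;
import sailpoint.object.Bundle;
import sailpoint.object.Filter;
import sailpoint.object.Filter.LeafFilter;
import sailpoint.object.Profile;
import sailpoint.object.QueryOptions;
import sailpoint.tools.GeneralException;
// Strips entitlement values from IT-role profiles that no longer have a ManagedAttribute
// in the entitlement catalog. Returns "role|application|attribute|value" per removed value
// for reporting; roles are only saved when dryRun is false (review the dry-run list first).
public static List<String> cleanOrphanedEntitlements(SailPointContext context, boolean dryRun) throws GeneralException {
    List<String> removed = new ArrayList<String>();
    QueryOptions qo = new QueryOptions();
    qo.addFilter(Filter.eq("type", "it"));  // assumes the default IT role type name "it"
    for (Bundle role : context.getObjects(Bundle.class, qo)) {
        boolean changed = false;
        if (role.getProfiles() == null) continue;
        for (Profile profile : role.getProfiles()) {
            Application app = profile.getApplication();
            if (app == null || profile.getConstraints() == null) continue;
            List<Filter> kept = new ArrayList<Filter>();
            for (Filter f : profile.getConstraints()) {
                // UI-built profiles hold LeafFilters (containsAll/eq); anything else is kept as is
                if (!(f instanceof LeafFilter)) { kept.add(f); continue; }
                LeafFilter leaf = (LeafFilter) f;
                Object raw = leaf.getValue();
                List<Object> values = new ArrayList<Object>();
                if (raw instanceof List) values.addAll((List<?>) raw); else if (raw != null) values.add(raw);
                List<String> valid = new ArrayList<String>();
                for (Object v : values) {
                    // Assumption: ManagedAttributer.get(...) is null when the catalog entry was deleted
                    if (ManagedAttributer.get(context, app, leaf.getProperty(), v.toString()) != null) { valid.add(v.toString()); continue; }
                    removed.add(role.getName() + "|" + app.getName() + "|" + leaf.getProperty() + "|" + v);
                    changed = true;
                }
                if (valid.isEmpty()) continue;  // every value was orphaned: drop the whole constraint
                kept.add(raw instanceof List ? Filter.containsAll(leaf.getProperty(), valid)
                                             : Filter.eq(leaf.getProperty(), valid.get(0)));
            }
            profile.setConstraints(kept);
        }
        if (changed && !dryRun) { context.saveObject(role); context.commitTransaction(); }
    }
    return removed;
}
```

Run it with `dryRun=true` from a rule or custom task first and route the returned list to the role owners; only after that review run it with `dryRun=false`, followed by the Propagate Role Changes task so the identity cubes pick up the corrected roles.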