Hi everyone,
I’m currently investigating an issue where manually assigned roles in SAP CUA are being removed when SailPoint attempts to provision a new role or remove an existing one.
It appears that the connector maintains a list of currently assigned roles in the multivalued ‘Role Details’ attribute. When IdentityIQ initiates a provisioning action, it uses this list to construct a new one—combining the role to be added with the roles it believes are already assigned. If a role was manually assigned directly in SAP CUA, it will only be reflected in SailPoint after an account aggregation has taken place.
The issue arises when a role is manually added in SAP CUA but hasn’t yet been aggregated. In such cases, that role gets removed during the next provisioning event.
Yes, we’re aware that direct changes in the application should be avoided—and we’re actively working on that—but for now, there are still a few scenarios where roles may be assigned outside of SailPoint.
Is there a way to trigger an account aggregation for a single user before provisioning takes place? Or even better: shouldn’t the connector retrieve the current roles from the source system just before updating them?
I’d like to hear your thoughts!
Kind regards,
Pieter de Loos
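
The overwrite described in this post, modelled as an added example that is not part of the original post and does not use any SailPoint or SAP API: the class, function, account and role names are all constructed. It compares building the new role list from the cached 'Role Details' value with re-reading the account just before the write.

```python
# Constructed model of the behaviour described in the post.
# No SailPoint or SAP API is used; all names here are hypothetical.

class TargetSystem:
    """Stands in for SAP CUA: holds the roles actually assigned per account."""
    def __init__(self):
        self.roles = {}

    def read_roles(self, account):
        return set(self.roles.get(account, set()))

    def write_roles(self, account, roles):
        # Full replacement: any role missing from `roles` is dropped.
        self.roles[account] = set(roles)


def provision(target, cached_roles, account, add=(), remove=(), refresh_first=False):
    """Apply an add/remove request and return (new_cache, lost_roles).

    refresh_first=False: build the new list from the cached 'Role Details'
    value (the behaviour the post describes).
    refresh_first=True: re-read the account from the target just before
    writing (the single-account refresh the post asks about).
    """
    before = target.read_roles(account)
    baseline = before if refresh_first else set(cached_roles)
    desired = (baseline | set(add)) - set(remove)
    target.write_roles(account, desired)
    # Roles that were on the target, were not requested for removal, and are gone.
    lost = before - desired - set(remove)
    return desired, lost


def run_scenario(refresh_first):
    target = TargetSystem()
    account = "JDOE"                                # constructed account name
    target.write_roles(account, {"Z_FI_DISPLAY"})   # constructed role names
    cache = target.read_roles(account)              # state at last aggregation
    target.roles[account].add("Z_MM_BUYER")         # manual assignment, not yet aggregated
    cache, lost = provision(target, cache, account,
                            add={"Z_SD_CLERK"}, refresh_first=refresh_first)
    return target.read_roles(account), lost


if __name__ == "__main__":
    for refresh in (False, True):
        final, lost = run_scenario(refresh)
        print(f"refresh_first={refresh}: final={sorted(final)} lost={sorted(lost)}")
```

The `lost` set is also what a reconciliation check would report: roles present on the target before the write that nobody asked to remove.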