Native Change is not working for multiple transactions

Which IIQ version are you inquiring about?

8.4

Share all details about your problem, including any error messages you may have received.

NCD is not working for the below scenario:

Target: Active Directory

Old Access: ADGroup1, ADGroup2

New Access: ADGroup1, ADGroup3

Removed ADGroup2 and added ADGroup3. It is not creating an NCD TriggerSnapshot after aggregation.

The below scenarios are working:

  • Adding Single/Multi Group
  • Removing Single/Multi Group

Note: OTB objects used for Event, Workflow. No error messages.

Hi @sagar_hande

This is actually expected behavior in IIQ 8.4.

When a group is removed and another is added in the same aggregation cycle, NCD doesn’t create a TriggerSnapshot. NCD reliably fires when there’s only an add or only a remove, but combined add+remove changes often get treated as a single state update and are missed by OOTB NCD logic.

That’s why:

  • ✅ Only add works
  • ✅ Only remove works
  • ❌ Remove + add together doesn’t trigger NCD

Since you’re using OOTB event/workflow and there are no errors, this is more a product limitation than a configuration issue.

A common workaround is to rely on Identity Refresh–based detection or add custom logic to compare previous vs current entitlements.

Hope this helps!

Thanks @haideralishaik, what do you mean by Identity Refresh–based detection?

By Identity Refresh–based detection, I mean relying on Identity Refresh to spot access changes instead of NCD events.

During an Identity Refresh, IIQ:

  • Re‑calculates the identity

  • Compares the previous entitlements vs current entitlements

  • Updates the identity cube accordingly

So even if NCD doesn’t fire (for example when a group is removed and another is added together), the Identity Refresh will still detect that ADGroup2 was removed and ADGroup3 was added, because it looks at the full before/after state rather than individual native change events.

In short:

  • NCD = reacts to native delta events (can miss add+remove together)

  • Identity Refresh = compares old vs new access and catches the net change

That’s why Identity Refresh is often used as a fallback for these scenarios.

Hope that clarifies it! 👍

Thanks for the clarification @haideralishaik

@sagar_hande I just tested this in my sandbox for the PRISM application. I removed a group and added a new group, and both are being captured properly. Please see the screenshot attached.

Do you have any customization specific to AD Account Aggregation? Is it possible for you to share the app XML and identity XML on which you make the change?


Native Change Detection is working for add+remove as well. I just tested this. Attached the screenshot in the above comment. It captures both: add and remove groups.

@sagar_hande - Make sure in your NCD configuration for AD you have Modify selected.