Task: Propagate Role Changes
Hello All,
While running the role propagation task, it is currently only processing roles that are configured as required roles and not considering permitted roles. As a result, entitlements assigned through permitted roles remain on the identity and are not being picked up by the task.
Has anyone encountered a similar issue? Any suggestions or potential solutions would be greatly appreciated.
Required roles are required for a role, hence the name. All required roles are given to the identity when the parent business role is assigned. Entitlement updates to the required roles are propagated to the identity.
Permitted roles are allowed, but not explicitly required. Identities are allowed to have/request these roles when the parent is assigned/requested. Entitlement updates to the permitted roles are only propagated when entitlements are assigned. Entitlement removals are not propagated.
Based on your use case, it seems you have entitlements removed from a permitted role. In that case, the entitlements remain associated with the identity even though they are no longer part of the role, even after an identity refresh or a role propagation task.
User has an assigned business role. A permitted IT role was requested for the user because of or during the business role assignment. New entitlements are added to the permitted IT role.
In 6.2+, this requested permitted role is marked as “hard permitted” so an Identity Refresh task with Provision Assignments selected provisions the new entitlements in the permitted IT role for the identity. The Propagate Role Changes Task will not do this provisioning because that task only applies to required roles.
User has an assigned business role. A permitted IT role was requested for the user because of or during the business role assignment. Entitlements are removed from the permitted IT role.
The entitlements remain associated with the identity even though they are no longer part of the role, even after an identity refresh or a role propagation task in 6.4+. Identity refresh does not remove entitlements based on role definitions, and the role propagation task only operates on required IT roles. However, the entitlements are now “additional entitlements” and will be displayed and certified independently from any role association.
Thank you for the information and support provided. Could you please confirm if there is any possibility of customizing this to make it work, or suggest any alternative approach?
@nirmal_sharma Please specify whether you have tried the options provided by @robert-hails and which one helped you out. This will help fellow sailors having similar issues.
As far as I know, the Propagate Role Changes task is designed to work only with required roles, so what you’re seeing is expected behavior. If you need the same functionality for permitted roles, there isn’t an out-of-the-box option.
As @robert-hails said, the practical approaches would be to either convert the permitted roles to required roles (if it aligns with your design) or implement a custom task/rule to identify identities with the affected permitted roles and handle the entitlement updates.
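To make the difference between the two approaches concrete, here is an added example (not code from this thread and not the IdentityIQ API) that models the behaviour described above as plain Python: the propagation task only follows required links, so a custom reconciliation task needs two extra checks, the entitlements newly added to a requested permitted role that still have to be provisioned, and the entitlements an identity still holds that no current role explains (what IdentityIQ would surface as "additional entitlements"). Role and identity names, the `app:attribute:value` entitlement strings and the "permits come from the assigned business role" assumption are all constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed toy model of role definitions. In IdentityIQ the real objects are
# Bundle (role), Profile (entitlement constraints) and Identity; this is not that API.


@dataclass
class Role:
    name: str
    entitlements: set = field(default_factory=set)  # "app:attribute:value" strings this IT role grants
    required: list = field(default_factory=list)    # names of required roles (propagated by the task)
    permitted: list = field(default_factory=list)   # names of permitted roles (requestable, not propagated)


@dataclass
class Identity:
    name: str
    assigned: list             # assigned business roles
    requested_permitted: list  # permitted roles explicitly requested ("hard permitted")
    held: set                  # entitlements currently on the identity's accounts


def required_closure(role_names, catalog):
    """All roles reached by following required links from the given roles, including themselves."""
    seen, stack = set(), list(role_names)
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        stack.extend(catalog[name].required)
    return seen


def entitlements_of(role_names, catalog):
    """Union of the entitlements granted by the named roles."""
    return set().union(*(catalog[n].entitlements for n in role_names))


def active_permitted(identity, catalog):
    """Requested permitted roles whose permit is still backed by an assigned role (assumption: permits
    hang off the assigned business role or anything it requires)."""
    allowed = {p for r in required_closure(identity.assigned, catalog) for p in catalog[r].permitted}
    return [p for p in identity.requested_permitted if p in allowed]


def propagate_required(identity, catalog):
    """Model of the Propagate Role Changes task: missing entitlements from the required closure only."""
    wanted = entitlements_of(required_closure(identity.assigned, catalog), catalog)
    return wanted - identity.held


def permitted_additions(identity, catalog):
    """What a custom task would still have to provision: new entitlements in requested permitted roles."""
    wanted = entitlements_of(required_closure(active_permitted(identity, catalog), catalog), catalog)
    return wanted - identity.held


def orphaned_entitlements(identity, catalog):
    """Entitlements held that no current role explains; these show up as 'additional entitlements'."""
    covered = required_closure(identity.assigned, catalog) | required_closure(
        active_permitted(identity, catalog), catalog)
    return identity.held - entitlements_of(covered, catalog)


# Constructed sample catalog: FIN_AUDIT was just added to the required role, FIN_DASH was just
# added to the permitted role, and FIN_LEGACY was removed from the permitted role earlier.
CATALOG = {r.name: r for r in [
    Role("Finance Analyst", required=["Finance Base"], permitted=["Finance Reports"]),
    Role("Finance Base", entitlements={"ERP:memberOf:FIN_RO", "ERP:memberOf:FIN_AUDIT"}),
    Role("Finance Reports", entitlements={"ERP:memberOf:FIN_RPT", "ERP:memberOf:FIN_DASH"}),
]}

ALICE = Identity(
    "alice",
    assigned=["Finance Analyst"],
    requested_permitted=["Finance Reports"],
    held={"ERP:memberOf:FIN_RO", "ERP:memberOf:FIN_RPT", "ERP:memberOf:FIN_LEGACY"},
)


def reconcile(identity, catalog):
    """Full picture a custom task would report for one identity."""
    return {
        "propagated_by_task": propagate_required(identity, catalog),
        "permitted_to_provision": permitted_additions(identity, catalog),
        "orphaned": orphaned_entitlements(identity, catalog),
    }


if __name__ == "__main__":
    for key, value in reconcile(ALICE, CATALOG).items():
        print(f"{key}: {sorted(value)}")
```

Run as-is, the task model picks up only FIN_AUDIT (the required-role change), while FIN_DASH is reported as still to be provisioned through the permitted role and FIN_LEGACY is flagged as orphaned; the last two buckets are exactly the work a custom task or rule would have to take on, and the orphaned set is also what a certification should be reviewing.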