Netsuite entitlement loss on identity refresh

Aggregated entitlements lost on Identity Refresh

  1. Aggregation starts at 18:00

  2. Added Administrator entitlement from Netsuite 6 minutes later.

  3. Added entitlement 1155 from Netsuite

  4. Added Access Profile NetSuite 1493

  5. Added entitlement 1493 from Netsuite

  6. 10 seconds go by

  7. Identity Refresh kicks off (ModifyAccount event):

      Status: PASSED
      Actor: System
      Name: Modify Account Passed
      Created: 2025-10-07 (06:08:58 pm GMT-04:00)
      Additional Event Attributes: 14642, Null, 699740548cf94f3b89ead47ed00d224a, Netsuite, Identity Refresh, Netsuite

  8. Removed entitlement 1155 from Netsuite

  9. Removed entitlement 1493 from Netsuite

  10. Removed entitlement Administrator from Netsuite

  11. Add Netsuite baseline role based on below criteria:

  12. Removed access Profile 1493 (from netsuite)

  13. 10 seconds go by

  14. Identity refresh is triggered (ModifyAccount event):

      Event id: 49eea3aba5245f17f1302808ba9dcd3da144e632d4eae52f70e340d7af8bb05e
      Status: PASSED
      Actor: System
      Target: user account
      Name: Modify Account Passed
      Created: 2025-10-07 (06:09:08 pm GMT-04:00)
      Additional Event Attributes:
        accountName: 14642
        accountUuid: Null
        appId: 699740548cf94f3b89ead47ed00d224a

  15. Removed Netsuite - baseline role

My thoughts:

From what I see on this account, giveaccess is false, so not sure why the role was evaluated to be added and then removed. I would assume it would have just not done the add for the role, unless the giveaccess has been changed since then. As the giveaccess is an account attribute I don’t know if there is a way to see when it was modified.

I also don’t know why source entitlements are not sticking. I’m not seeing anything in the connector documentation or the connector to enforce source entitlements.

The customer needs the source to be authoritative on entitlements but also to allow a certification revocation. There are minimal access profiles and roles. The majority of the entitlements being added are not associated with a profile or role.

Your write-up is hard to read, so I am not sure if I am fully understanding your issue.

NetSuite will not allow a Role/Group to be added to an account if that account doesn’t have a password set. Generally if GiveAccess is false, the account likely doesn’t have a password set. We get around this by having an Update Provisioning Policy which checks to see if GiveAccess is false, and then adds the Password attribute (set to a random password) on the update Access Request.


This was resolved by removing a rule that Expert Services had implemented. I never saw the rule itself, but from my understanding it was evaluating the rule on every Identity Refresh. Once the rule was removed things have been working as previously designed.

It would be nice to have an audit trail of when a rule is run on an account / Identity.

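An added example, not from this thread or from SailPoint, of the kind of audit check the last post asks for: it runs over a constructed copy of the timeline from the original post and flags every entitlement, access profile or role that was removed shortly after being added with an Identity Refresh (Modify Account) event in between. The event names, tuple layout and exact timestamps are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample timeline modelled on the post above (local time, GMT-04:00).
# Each tuple is (timestamp, action, access item); action names are assumed.
EVENTS = [
    ("2025-10-07 18:00:00", "AGGREGATION_START", None),
    ("2025-10-07 18:06:00", "ENTITLEMENT_ADD", "Administrator"),
    ("2025-10-07 18:06:01", "ENTITLEMENT_ADD", "1155"),
    ("2025-10-07 18:06:02", "ACCESS_PROFILE_ADD", "NetSuite 1493"),
    ("2025-10-07 18:06:03", "ENTITLEMENT_ADD", "1493"),
    ("2025-10-07 18:08:58", "IDENTITY_REFRESH", None),   # Modify Account Passed
    ("2025-10-07 18:09:00", "ENTITLEMENT_REMOVE", "1155"),
    ("2025-10-07 18:09:01", "ENTITLEMENT_REMOVE", "1493"),
    ("2025-10-07 18:09:02", "ENTITLEMENT_REMOVE", "Administrator"),
    ("2025-10-07 18:09:03", "ROLE_ADD", "Netsuite baseline role"),
    ("2025-10-07 18:09:04", "ACCESS_PROFILE_REMOVE", "NetSuite 1493"),
    ("2025-10-07 18:09:08", "IDENTITY_REFRESH", None),   # second Modify Account
    ("2025-10-07 18:09:10", "ROLE_REMOVE", "Netsuite baseline role"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_refresh_reversals(events, max_gap=timedelta(minutes=15)):
    """Return access items that were added and then removed within max_gap,
    with at least one Identity Refresh firing between the add and the remove.
    Each hit records the kind (ENTITLEMENT / ACCESS_PROFILE / ROLE), the item,
    and the add, refresh and remove timestamps for the audit trail."""
    pending = {}      # (kind, item) -> time the item was added
    refreshes = []    # timestamps of every Identity Refresh seen so far
    hits = []
    for ts, action, item in sorted(events, key=lambda e: e[0]):
        t = parse(ts)
        if action == "IDENTITY_REFRESH":
            refreshes.append(t)
        elif action.endswith("_ADD"):
            pending[(action[:-4], item)] = t
        elif action.endswith("_REMOVE"):
            key = (action[:-7], item)
            added = pending.pop(key, None)
            if added is None or t - added > max_gap:
                continue  # never added, or removed too long after the add
            between = [r for r in refreshes if added <= r <= t]
            if between:
                hits.append({"kind": key[0], "item": key[1], "added": added,
                             "refresh": between[-1], "removed": t})
    return hits


if __name__ == "__main__":
    for h in find_refresh_reversals(EVENTS):
        print(f"{h['kind']} {h['item']!r}: added {h['added']:%H:%M:%S}, "
              f"refresh {h['refresh']:%H:%M:%S}, removed {h['removed']:%H:%M:%S}")
```

Tightening `max_gap` to a few seconds isolates the second incident (the baseline role added and removed around the 18:09:08 refresh) from the earlier aggregated entitlements.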
