We have a requirement not to show IT roles that are not assigned through a business role, and to achieve this we are exploring this option. As per the documentation,
if the IT role is not assigned through a business role it should not be detected on the identity, but when we enable this option it does not detect the IT roles that are assigned through the business role either. There is no IT role detection at all. Is there something I am missing here?
Note: this environment was upgraded to 8.4 from previous versions. When we tried this in vanilla 8.4 it worked as expected.
My requirement is: a detected IT role should only be detected on the identity if it is part of an assigned role.
e.g.
Business role 1: match condition location is India (matching)
IT role 1: Application XYZ >> Entitlement ABC
Business role 2: match condition location is UK (not matching)
IT role 2: Application XYZ >> Entitlement EFG (here the user gets this entitlement directly on the target system)
So the final picture on the identity is
Business role 1: assigned
IT role 1: detected
IT role 2: detected
So my use case is that I don't want to show the detected IT role 2 on the identity, since it is not assigned through any business role (matching condition).
I am exploring this option to achieve this, but somehow it is not working in our environment.
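To make the semantics under discussion concrete, here is an added toy model in Python. It is an illustration only, not SailPoint code, and it uses no IIQ API; the class names, the simple attribute-equality selector, `refresh()` and the sample identity are constructed assumptions. It shows the default behaviour (IT role 2 detected from the directly granted entitlement), the behaviour with the "no detection unless assigned" flag (IT role 2 dropped because no assigned business role requires it), and the case where a business role requested through IIQ is both assigned and its IT role detected.

```python
"""Toy model of IdentityIQ business-role assignment vs. IT-role detection.

Added illustration only: this is not SailPoint code and uses no IIQ API. It
models the behaviour the thread describes. A business role is assigned when its
selector matches the identity's attributes or it was requested through IIQ; an
IT role is detected when the identity holds every entitlement in the role's
profile. With noDetectionUnlessAssigned on the IT role type, a detected IT role
is kept only if an assigned business role requires or permits it.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Entitlement:
    application: str
    value: str  # e.g. a group or permission on the target system


@dataclass(frozen=True)
class ITRole:
    name: str
    profile: frozenset  # entitlements that make up this IT role


@dataclass
class BusinessRole:
    name: str
    selector: dict = field(default_factory=dict)  # attribute -> value to match
    required: tuple = ()  # names of IT roles this business role requires
    permitted: tuple = ()  # names of IT roles this business role permits


@dataclass
class Identity:
    name: str
    attributes: dict
    entitlements: frozenset
    requested_roles: tuple = ()  # business roles assigned via an IIQ request


def assigned_business_roles(identity, business_roles):
    """Assignment: automatic selector match or explicit request."""
    assigned = []
    for role in business_roles:
        auto = bool(role.selector) and all(
            identity.attributes.get(k) == v for k, v in role.selector.items()
        )
        if auto or role.name in identity.requested_roles:
            assigned.append(role)
    return assigned


def detected_it_roles(identity, it_roles, assigned, no_detection_unless_assigned):
    """Detection: profile match, optionally limited to assigned hierarchies."""
    matched = [r for r in it_roles if r.profile <= identity.entitlements]
    if not no_detection_unless_assigned:
        return matched
    reachable = {n for b in assigned for n in (*b.required, *b.permitted)}
    return [r for r in matched if r.name in reachable]


# Constructed role model mirroring the thread's example (hypothetical names).
ABC = Entitlement("XYZ", "ABC")
EFG = Entitlement("XYZ", "EFG")
IT_ROLES = (
    ITRole("IT role 1", frozenset({ABC})),
    ITRole("IT role 2", frozenset({EFG})),
)
BUSINESS_ROLES = (
    BusinessRole("Business role 1", {"location": "India"}, required=("IT role 1",)),
    BusinessRole("Business role 2", {"location": "UK"}, required=("IT role 2",)),
)


def refresh(identity, no_detection_unless_assigned=False):
    """Return the assigned/detected role names an identity refresh would yield."""
    assigned = assigned_business_roles(identity, BUSINESS_ROLES)
    detected = detected_it_roles(identity, IT_ROLES, assigned, no_detection_unless_assigned)
    return {
        "assigned": [r.name for r in assigned],
        "detected": [r.name for r in detected],
    }


# Constructed identity: located in India, holds ABC through the role and EFG
# granted directly on the target system.
USER = Identity("test.user", {"location": "India"}, frozenset({ABC, EFG}))
# Same identity after requesting Business role 2 through IIQ.
USER_WITH_REQUEST = Identity(
    "test.user", {"location": "India"}, frozenset({ABC, EFG}),
    requested_roles=("Business role 2",),
)

if __name__ == "__main__":
    print(refresh(USER))        # IT role 2 is detected although nothing assigns it
    print(refresh(USER, True))  # IT role 2 is dropped
    print(refresh(USER_WITH_REQUEST, True))  # requested role brings IT role 2 back
```

Run it directly to print the three refresh results. In this model the flag only filters out IT roles that sit outside an assigned business role's hierarchy; a refresh that yields no detected IT roles at all would mean no assigned business role points at them through its required or permitted list.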
@shirbhatea I quickly tested this behaviour in a sandbox with the option "No automatic detection with profiles unless assigned". When the entitlement is assigned outside, it does not come up as detected, while if any role is requested from IIQ, it shows both assigned and detected roles as expected.
Possibly some other setting is causing the issue. Could you please share the role XML? Debug → ObjectConfig → Bundle.
Note: Found a fix? Help the community by marking the comment as the solution. Feel free to react with an emoji to show your appreciation, or message me directly if your problem requires a deeper dive.
Yep, as I said, it is working as expected in the vanilla version. But ours is upgraded.
<!-- IT RoleTypeDefinition without the flag -->
<RoleTypeDefinition displayName="IT" icon="itIcon" name="it" noAssignmentSelector="true" noAutoAssignment="true" noIIQ="true" noManualAssignment="true" noPermits="true" noRequirements="true">
<Description>Defines a collection of IT entitlements which can be associated with Business Roles to provide users with specific access rights. IT Roles can be constrained to entitlements within a single application or expanded to include entitlements across applications.</Description>
<RequiredRights>
<Reference class="sailpoint.object.SPRight" id="0a2deca678ad178b8178ad4a3d5a0040" name="ManageITRoles"/>
</RequiredRights>
</RoleTypeDefinition>
<!-- Same IT RoleTypeDefinition with noDetectionUnlessAssigned="true", the option under test -->
<RoleTypeDefinition displayName="IT" icon="itIcon" name="it" noAssignmentSelector="true" noAutoAssignment="true" noDetectionUnlessAssigned="true" noIIQ="true" noManualAssignment="true" noPermits="true" noRequirements="true">
<Description>Defines a collection of IT entitlements which can be associated with Business Roles to provide users with specific access rights. IT Roles can be constrained to entitlements within a single application or expanded to include entitlements across applications.</Description>
<RequiredRights>
<Reference class="sailpoint.object.SPRight" id="0a2deca678ad178b8178ad4a3d5a0040" name="ManageITRoles"/>
</RequiredRights>
</RoleTypeDefinition>
@shirbhatea Have you tested this with a fresh assignment? And how are these roles assigned? It seems they are assigned using an assignment rule in the roles.
The fix is to run a full Identity Refresh task with the option “Refresh assigned, detected roles and promote attributes” checked after saving the RoleTypeDefinition change. This forces IIQ to re-evaluate role assignments using the new type definition flags and correctly re-populate the assigned/detected state on identities. If the issue persists after a full refresh, check the Bundle.assigned flag in the IdentityEntitlement table — in some upgrade paths, old role assignment records may need to be reprocessed via a targeted identity refresh or a Perform Maintenance task.
Apologies for the delay in response, I was pulled into other stuff.
I have tried that but was not able to find the flag in the table. As you can see, this test user has the 5 business roles and there should be 5 detected roles after updating the role definition, but it is showing only the business roles.
Hi @shirbhatea, I believe this is expected behavior. When the role option "No automatic detection with profiles unless assigned" is selected, SailPoint will not show role detection. It will only show roles as assigned.