Old entitlements are added back after Refresh

Hi All,

I am working with the Salesforce connector. I requested Role-Create and Profile-Create for a user who did not have an account; SailPoint provisioned a new account and everything worked fine. Later on I changed this to Role-Update and Profile-Update via the User Access Management (Access Request) quick link. SailPoint provisions Role-Update and Profile-Update initially, but once I run a refresh it puts Role-Create and Profile-Create back.

Here is a screenshot for your reference; I am wondering why it shows both with warnings:
[screenshot not included in the extracted page]

This is a side effect of Attribute Assignment (also called sticky entitlements) and an Identity Refresh with Provision assignments enabled. Attribute Assignments are added to an identity to track entitlements that have been assigned to them, typically from an access request. Attribute Assignments can be viewed on an identity in debug under the Preferences object.

The issue with Salesforce and entitlement attributes like Profile is that they are single-valued entitlement attributes. Once one profile has already been assigned and another is requested and assigned, an ugly cycle begins every time that identity is refreshed: the refresh wants to fulfill the missing attribute assignment, so it provisions one profile, which in turn removes the other profile in Salesforce, and this continues over and over until the Attribute Assignment is removed. It is similar to how access that does not exist on a cube but is granted via a role will be re-provisioned over and over again until the role requirements are met.

This is a non-issue for applications with multi-valued entitlement attributes (e.g. Active Directory memberOf). A simple workaround is to remove the assignment parameter from the AttributeRequests in your LCM Provisioning workflow, but this can also have a negative effect if you rely on AttributeAssignment to re-provision access that may have been removed natively in a downstream application, or where provisioning initially failed due to a bad connection, etc.

There are a lot of posts on Compass about this, for example https://community.sailpoint.com/t5/IdentityIQ-Forum/What-is-Attribute-Assignment/td-p/10958

Also this on Sticky Attribute Assignments (forgive the mild self-plug :sweat_smile:): Ungluing Sticky AttributeAssignments

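To make the cycle described in the reply above concrete, here is an added simulation that is not part of the original thread and is not SailPoint code: the real IdentityIQ objects (Identity, AttributeAssignment, ProvisioningPlan) are replaced by plain Python, the schema (Salesforce Profile single-valued, Active Directory memberOf multi-valued) and the account states are constructed for the demo, and `unglue` stands in for whatever mechanism you use to delete the stale assignment. Each `refresh` call models one identity refresh with "Provision assignments" enabled: build a plan from every sticky assignment the account does not reflect, then provision it.

```python
"""Constructed model of an IdentityIQ refresh with 'Provision assignments'.
Not SailPoint code; the objects below are stand-ins so the single-valued vs
multi-valued behaviour can be observed offline."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple, Union


@dataclass(frozen=True)
class AttributeAssignment:
    """A sticky assignment: this identity should hold value on application.name."""
    application: str
    name: str
    value: str


# Assumed schema for the demo: AD memberOf is multi-valued; everything else
# (Salesforce Profile, Role) is treated as single-valued, as the reply describes.
MULTI_VALUED: Set[Tuple[str, str]] = {("Active Directory", "memberOf")}

Account = Dict[str, Union[str, Set[str]]]  # attribute name -> current value(s)


def is_multi(a: AttributeAssignment) -> bool:
    return (a.application, a.name) in MULTI_VALUED


def is_missing(account: Account, a: AttributeAssignment) -> bool:
    current = account.get(a.name)
    if is_multi(a):
        return a.value not in (current or set())
    return current != a.value


def provision(account: Account, a: AttributeAssignment) -> None:
    if is_multi(a):
        account.setdefault(a.name, set()).add(a.value)  # additive, nothing lost
    else:
        account[a.name] = a.value  # single-valued: overwrites the other value


def refresh(assignments: List[AttributeAssignment],
            accounts: Dict[str, Account]) -> List[AttributeAssignment]:
    """One refresh: plan every assignment not reflected on the account, then
    provision it. An empty plan means the identity has converged."""
    plan = [a for a in assignments if is_missing(accounts[a.application], a)]
    for a in plan:
        provision(accounts[a.application], a)
    return plan


def run_refreshes(assignments, accounts, n: int) -> List[List[str]]:
    """Values provisioned by each of n consecutive refreshes."""
    return [[a.value for a in refresh(assignments, accounts)] for _ in range(n)]


def conflicting_assignments(assignments):
    """Check worth running before a refresh: a single-valued attribute that
    carries more than one sticky value can never be satisfied, so it will cycle."""
    seen: Dict[Tuple[str, str], Set[str]] = {}
    for a in assignments:
        if not is_multi(a):
            seen.setdefault((a.application, a.name), set()).add(a.value)
    return {k: v for k, v in seen.items() if len(v) > 1}


def unglue(assignments, application: str, name: str, keep: str):
    """Stand-in for removing the stale AttributeAssignment from the identity:
    keep only the wanted value for the single-valued attribute."""
    return [a for a in assignments
            if not (a.application == application and a.name == name and a.value != keep)]


# Constructed scenario from the question: two sticky Profiles on one identity.
SALESFORCE_STICKY = [
    AttributeAssignment("Salesforce", "Profile", "Profile-Create"),  # first request
    AttributeAssignment("Salesforce", "Profile", "Profile-Update"),  # later request
]


def salesforce_cycle(n: int = 4) -> List[List[str]]:
    accounts = {"Salesforce": {"Profile": "Profile-Update"}}  # just after 2nd request
    return run_refreshes(SALESFORCE_STICKY, accounts, n)


def active_directory_converges(n: int = 3) -> List[List[str]]:
    accounts = {"Active Directory": {"memberOf": {"CN=GroupA"}}}
    sticky = [AttributeAssignment("Active Directory", "memberOf", "CN=GroupA"),
              AttributeAssignment("Active Directory", "memberOf", "CN=GroupB")]
    return run_refreshes(sticky, accounts, n)


def salesforce_unglued(n: int = 3) -> List[List[str]]:
    accounts = {"Salesforce": {"Profile": "Profile-Create"}}  # caught mid-cycle
    fixed = unglue(SALESFORCE_STICKY, "Salesforce", "Profile", keep="Profile-Update")
    return run_refreshes(fixed, accounts, n)


if __name__ == "__main__":
    print("conflicts:", conflicting_assignments(SALESFORCE_STICKY))
    print("Salesforce, two sticky Profiles:", salesforce_cycle())
    print("AD, two sticky groups:", active_directory_converges())
    print("Salesforce after unglue:", salesforce_unglued())
```

The Salesforce run never produces an empty plan: each refresh provisions whichever Profile the last one overwrote. The Active Directory run provisions the missing group once and then goes quiet, and the Salesforce run converges the same way as soon as only one sticky value is left for Profile. `conflicting_assignments` is the check to run against an identity's assignments (in IdentityIQ, the list visible under Preferences in debug) before deciding which one to remove.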
