One specific role keeps being provisioned and deprovisioned

Hi all. I'm seeing some strange behavior on one specific role. It keeps getting provisioned and deprovisioned and I can't figure out why. It's based on lifecycle criteria, so as long as the identity is active and the identity is linked to the identity profile it should not be removed.


What am I missing? This does not happen with any other roles.

Thought I'd check out this awesome community before I raise a ticket.

Br,
Jarle

Hi @jarlem,

The Domain users is a default AD group to which a user becomes a member of when an AD account is created. User remains a member of the group as long as the account exists in AD.

Your role condition might be trying to remove the user from the group and, since it cannot actually be removed, it could be showing up as added back.

Would like to take a look at how the role is configured. Also the Identity profile configuration, if that is adding and removing the access profiles.

Hey @jarlem ,

Please check if the user has two conflicting roles and if there is any Role SOD policy in place? Also, are you using any custom workflow for provisioning?

Hi guys. Thanks for your replies. No access profiles are granted via provisioning on the identity profiles. The role is configured as follows (removed the owner block):


```json
{
    "entitlements": [],
    "accessProfiles": [
        {
            "id": "f4f95edca549460982b5883857b528c1",
            "type": "ACCESS_PROFILE",
            "name": "Common Access AD"
        }
    ],
    "membership": {
        "type": "STANDARD",
        "criteria": {
            "operation": "OR",
            "key": null,
            "stringValue": null,
            "children": [
                {
                    "operation": "EQUALS",
                    "key": {
                        "type": "IDENTITY",
                        "property": "attribute.cloudLifecycleState",
                        "sourceId": null
                    },
                    "stringValue": "active",
                    "children": null
                },
                {
                    "operation": "EQUALS",
                    "key": {
                        "type": "IDENTITY",
                        "property": "attribute.cloudLifecycleState",
                        "sourceId": null
                    },
                    "stringValue": "provisioned",
                    "children": null
                }
            ]
        },
        "identities": null
    },
    "legacyMembershipInfo": null,
    "enabled": true,
    "requestable": false,
    "accessRequestConfig": {
        "commentsRequired": null,
        "denialCommentsRequired": null,
        "approvalSchemes": []
    },
    "revocationRequestConfig": {
        "approvalSchemes": []
    },
    "segments": [],
    "dimensional": null,
    "dimensionRefs": null
}
```

Also, no SOD policy is in place for this entitlement. Currently only 3 workflows are in place. Two of them just send emails when accounts are created directly on a source and/or when entitlements are added directly on a source. The 3rd one disables accounts when LCS = inactive.

Br,
Jarle

Hi @jarlem,

Looking back at your screenshot again, I don't see logs for Role removal or addition. Does the role actually get removed from the user page?

Is Domain users the only entitlement in the access profile? If so, removal and addition of the entitlement/AD group directly can also show up as Access profile add and remove items in the logs. Are the timings on the logs the same as those of your aggregation?

The Role condition may not be the real problem here. You may need to look at what’s happening in AD to this group assignment and also if some other IDN or external process is trying to remove the user from the AD group.

I actually only see add operations on the identity, not remove. But access history says remove as well.

Hey @jarlem,

Can you verify if the “Domain Users” group is being included during the account aggregation process? I assume “Domain Users” is your primary group. Additionally, please check if the primaryGroupDN attribute is populated.

Does this Add operation's timing match the timing on the Access history? And does this add operation keep repeating as well?

Even if the access is removed outside of IDN, it will show up in the Access history. It could mean that some external process or activity could be removing the user access and IDN is adding it back.

Hi Jesvin. Yes, the add operation keeps repeating. I've asked the customer to look into logs on AD to see what happens there. I can't find any provisioning plan that removes this profile. I only find add.

Br,
Jarle

Hi Jarle,

Thank you for sharing the details with us. In addition to the provided information, can you please confirm if you see only access profile removal event or does the role containing the access profile also get removed and added back?

I believe you can see the role removal event on the access history page itself or you can also check the account activity for the affected identity.

Thank You.

Hi Vikas

On access history I see both add and removal. On account activity on the identity I only see add, which in theory should mean that there must be some external process that messes things up?

Br,
Jarle

Hi Jarle,

Thank you for the confirmation. If the role removal is also taking place, can you please check in case the user's lifecycle state is getting changed during the identity refresh. So let's say the user initially was in provisioned state and then, before going to active state, there is another cloudLifecycleState the user gets into, or vice versa. This could also create the role removal event and then immediately add it back once the user gets added into provisioned state or active state.

Do you see any events for the identity, something like "identity state changed"?

Thank you.
Regards
Vikas.
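Added example, not code from the thread or from SailPoint: a small Python evaluator for the membership criteria tree in the role JSON posted above, replayed across a sequence of lifecycle states so that an intermediate state between provisioned and active shows up as a remove followed by an add-back, which is the pattern Vikas describes. The OR/AND/EQUALS semantics and the exact, case-sensitive string match are assumptions, and "onboarding" is a constructed state name.

```python
import json

# Constructed sample: the "membership" object from the role JSON posted above,
# reproduced verbatim so the evaluator below can run against it offline.
ROLE_MEMBERSHIP = json.loads("""
{"type": "STANDARD",
 "criteria": {"operation": "OR", "key": null, "stringValue": null,
  "children": [
   {"operation": "EQUALS", "stringValue": "active", "children": null,
    "key": {"type": "IDENTITY", "property": "attribute.cloudLifecycleState", "sourceId": null}},
   {"operation": "EQUALS", "stringValue": "provisioned", "children": null,
    "key": {"type": "IDENTITY", "property": "attribute.cloudLifecycleState", "sourceId": null}}
  ]}}
""")


def lookup(identity, key):
    """Resolve a criteria key such as 'attribute.cloudLifecycleState' on an identity dict."""
    prop = key["property"]
    if prop.startswith("attribute."):
        return identity.get("attributes", {}).get(prop[len("attribute."):])
    return identity.get(prop)


def matches(criteria, identity):
    """Evaluate an OR/AND/EQUALS criteria tree (assumed semantics: exact string match)."""
    op = criteria["operation"]
    children = criteria.get("children") or []
    if op == "OR":
        return any(matches(c, identity) for c in children)
    if op == "AND":
        return all(matches(c, identity) for c in children)
    if op == "EQUALS":
        return lookup(identity, criteria["key"]) == criteria["stringValue"]
    raise ValueError("unsupported operation: %s" % op)


def replay_lifecycle(states):
    """Replay lifecycle states in order; return role membership after each refresh."""
    return [matches(ROLE_MEMBERSHIP["criteria"],
                    {"attributes": {"cloudLifecycleState": s}}) for s in states]


def flip_count(states):
    """Number of membership transitions the sequence causes (a False->True is an add-back)."""
    seq = replay_lifecycle(states)
    return sum(1 for a, b in zip(seq, seq[1:]) if a != b)
```

A sequence that never leaves provisioned/active produces no flips, while a single pass through any other state yields one removal and one add-back, which is what a recurring remove/add pair in access history would look like if the refresh briefly saw such a state.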

Hi Vikas,

LCS does not change. I've asked the customer to retrieve logs from the AD side to see if we can find some more clues there as to why this is happening.

Br,
Jarle


Hi Jarle

Thank you for the confirmation regarding the LCS change. Did you also try to run the single account aggregation for the affected user on the AD source? Can you please check whether, when you run the aggregation, the access profile gets removed and added back?

Thank you