Which IIQ version are you inquiring about?
Version 8.3
Share all details related to your problem, including any error messages you may have received.
We are using the default IIQ role types (business + IT) with added entitlements.
If we change the content of a role and ADD or REMOVE some IT roles or entitlements, the target system does not always contain the expected permissions.
1. Example - Ok
- IT Role: “Dummy-Role”; Contains entitlements: “A”, “B”, “C”
- We ADD some entitlements: “D”, “E”
- Result in target system/application for related identities is: “A”, “B”, “C”, “D”, “E”
- That's ok.
2. Example - Fail
- IT Role: “Dummy-Role”; Contains entitlements: “A”, “B”, “C”
- We REMOVE some entitlements: “A”, “B”
- We ADD some entitlements: “D”, “E”
- Result in target application for related identities is: “A”, “B”, “C”, “D”, “E”
- That's a fail.
- The identity now contains an assignment for “Dummy-Role” (over a business role).
- And additional assignments for the removed entitlements “A” + “B”.
- IIQ does not change the permissions in target applications, as expected, to: “C”, “D”, “E”.
The behavior was observed with the “Oracle Database - Direct” connector.
Question for failing example
Is this a common behavior of IIQ, and must we maintain all identities manually?
thx