Question about IIQ Role Management

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

We are using the default IIQ role types (business + it) with added entitlements.

If we change the content of a role and ADD or REMOVE some IT roles or entitlements, the target system does not always contain the expected permissions.

1. Example - Ok

  • IT Role: “Dummy-Role”; Contains entitlements: “A”, “B”, “C”
  • We ADD some entitlements: “D”, “E”
  • Result in target system/application for related identities is: “A”, “B”, “C”, “D”, “E”
  • That's ok.

2. Example - Fail

  • IT Role: “Dummy-Role”; Contains entitlements: “A”, “B”, “C”
  • We REMOVE some entitlements: “A”, “B”
  • We ADD some entitlements: “D”, “E”
  • Result in target application for related identities is: “A”, “B”, “C”, “D”, “E”
  • That's a fail.
  • The identity now contains an assignment for “Dummy-Role” (via a business role).
  • And additional assignments for the removed entitlements “A” + “B”.
  • IIQ does not change the permissions in the target applications, as expected, to: “C”, “D”, “E”.

The behavior was observed with the “Oracle Database - Direct” connector.

Question for failing example
Is this a common behavior of IIQ and must we maintain all identities manually?

thx :slight_smile:
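To make the failing example above checkable, here is an added illustration (my own code, not IIQ's and not from the original post) of the reconciliation an admin would want after a role change: it computes, from the current role definition, which entitlements the target still holds but no longer should ("stale", the leftover “A” and “B”) and which are missing, and what a propagation pass should leave behind. The data model (`Identity`, `direct_entitlements`, the role dictionaries) is an assumed simplification, and the sample identity is constructed to mirror the post's two examples.

```python
from dataclasses import dataclass, field


@dataclass
class Identity:
    name: str
    assigned_roles: set[str]
    # Entitlements the target application currently holds for this identity.
    target_entitlements: set[str]
    # Entitlements granted directly, outside any role (assumed field, not an
    # IIQ attribute name). A direct grant is never reported as stale.
    direct_entitlements: set[str] = field(default_factory=set)


def expected_entitlements(roles: dict[str, set[str]], identity: Identity) -> set[str]:
    """Union of the *current* definitions of the identity's roles plus direct grants."""
    expected = set(identity.direct_entitlements)
    for role in identity.assigned_roles:
        expected |= roles.get(role, set())
    return expected


def drift(roles: dict[str, set[str]], identity: Identity) -> dict[str, set[str]]:
    """Compare what the target holds with what the current role definitions require."""
    expected = expected_entitlements(roles, identity)
    return {
        "missing": expected - identity.target_entitlements,   # must be added
        "stale": identity.target_entitlements - expected,     # must be removed
    }


def propagate(roles: dict[str, set[str]], identity: Identity) -> set[str]:
    """State a role-change propagation should leave on the target: add missing, drop stale."""
    d = drift(roles, identity)
    return (identity.target_entitlements | d["missing"]) - d["stale"]


def identities_with_stale(roles: dict[str, set[str]], identities: list[Identity]) -> dict[str, set[str]]:
    """Audit helper: identities that still carry entitlements their roles no longer grant."""
    report = {}
    for identity in identities:
        stale = drift(roles, identity)["stale"]
        if stale:
            report[identity.name] = stale
    return report


# Constructed sample data mirroring the two examples in the post.
ROLE_AFTER_ADD = {"Dummy-Role": {"A", "B", "C", "D", "E"}}      # example 1: only additions
ROLE_AFTER_REMOVE_AND_ADD = {"Dummy-Role": {"C", "D", "E"}}      # example 2: A, B removed; D, E added

# What the target held after the refresh in both examples.
chris = Identity(
    name="chris",
    assigned_roles={"Dummy-Role"},
    target_entitlements={"A", "B", "C", "D", "E"},
)

# Same target state, but "A" is also a legitimate direct grant, so only "B" is stale.
dana = Identity(
    name="dana",
    assigned_roles={"Dummy-Role"},
    target_entitlements={"A", "B", "C", "D", "E"},
    direct_entitlements={"A"},
)

if __name__ == "__main__":
    print("example 1 drift:", drift(ROLE_AFTER_ADD, chris))
    print("example 2 drift:", drift(ROLE_AFTER_REMOVE_AND_ADD, chris))
    print("example 2 after propagation:", sorted(propagate(ROLE_AFTER_REMOVE_AND_ADD, chris)))
    print("stale report:", identities_with_stale(ROLE_AFTER_REMOVE_AND_ADD, [chris, dana]))
```

Running it with the example-2 role definition reports “A” and “B” as stale for the identity and “C”, “D”, “E” as the state propagation should produce; the audit helper is the kind of check worth running after any role edit, since an identity refresh alone may leave the removed entitlements in place.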

Hi Chris,
2 questions -

  1. Did you run role changes propagation task?
  2. Do you have any of these checkboxes selected?

No, currently I have only started the “identity refresh task”.
I will test it and give feedback, thanks for the idea.

Thanks, the task works as expected and is removing the deprecated entitlements. :+1:

But there are no options like in your screenshot.
Does this depend on the IIQ version?

This is the task that I have used (IIQ 8.3):
https://documentation.sailpoint.com/identityiq_83/help/tasks/propagate_role_changes.html


Great, good that it works. These options are not in the task; they are in the global settings for roles.
