Hello SailPoint Community,
I have a question regarding the behavior of single-value entitlement schemas in SailPoint Identity Security Cloud.
Scenario:
-
Source account schema and entitlement schema are both defined as single-value attributes.
-
Account A currently has Entitlement 1 assigned.
-
A request is made to assign Entitlement 2 to the same account.
-
Each entitlement is linked 1-to-1 with an Access Profile.
Questions:
-
In this case, does SailPoint treat the request as a replacement, meaning Entitlement 1 is removed and Entitlement 2 is added?
-
After Entitlement 2 is successfully provisioned, will Identity Refresh keep it stable, or could there be repeated provisioning attempts (e.g., flipping between Entitlement 1 and Entitlement 2) depending on how the source reports the entitlements?
-
Since the structure is 1 entitlement = 1 access profile, when Identity Refresh runs, does SailPoint try to replace the access profile (switching back and forth), or is the new assignment considered stable and fixed?
-
Is there any official documentation or best practice that explains how ISC handles single-value entitlement assignment in this scenario?
I would appreciate any clarification or reference to documentation.
- Replacement Behavior (Entitlement Switch)
- Repeated Flipping (Back-and-Forth Changes)
- Dual Assignment Attempt (Error Case)
- Access Profile Stable Assignment
- Other (Please share your experience)
Thanks in advance!
