RapidSetup Leaver Negative Role Assignment

IdentityIQ (IIQ) IIQ Discussion and Questions
1

I put this on Compass and opened a ticket for a client but haven’t received a response yet, so trying here as well.

We have the RapidSetup Leaver configured to remove all assigned roles upon termination. This sets the negative="true" flag on all RoleAssignments associated with an identity (RapidSetup and Business role types).

The issue I am running in to is upon rehire (which is a non-rapidsetup workflow we developed since rapidsetup doesn’t have it’s own rehire event), the negative flag is sticking around on RoleAssignments which are tied to Business roles. RapidSetup Birthright roles that are to be re-assigned back during that rehire event are successfully given back to the identity with no negative flag, but the Business roles that someone should have re-assigned via an identity refresh with refresh roles/provision assignments is not happening because the negative flag is not removed.

Is this expected behavior? Is there something specific that we should be doing during rehire to make sure the negative flag is not retained on these business RoleAssignments? Ideally, the RapidSetup leaver would just remove the RoleAssignments rather than setting the negative flag and we would not be in this situation at all.

This is on 8.1p1.

2

I believe it is not expected behavior (might be a bug). I think there was even a similar bug reported for the Accelerator Pack, and the workaround was to use some custom Rule to clear out those negative RoleAssignments. See the latest Accelerator Pack release notes and look for IIQSR-446: https://community.sailpoint.com/t5/Accelerator-Pack/Accelerator-Pack-8-2p1/ta-p/202615

3

Thanks Paulo. This is exactly the response I was looking for. Unfortunately, I could not get this response in a support ticket :slight_smile:

Rather than fixing this during rehire, I just added a step in the RapidSetup Leaver workflow to set the negativeAssignment flag to false for any AttributeRequests for assignedRoles. This way, the provisioner just removes the RoleAssignment rather than leaving it with the negative flag.