RBAC Role Assignment Issues After SailPoint 8.5 Upgrade (Assignment ID / Revocation Behavior)

Following our recent upgrade to SailPoint 8.5 P1, we are observing unexpected RBAC behavior. As part of the upgrade, we commented the RoleAssignmentModelUpgrader in upgrade.xml based on vendor guidance:

Current RBAC Model

We are using an RBAC model where:

  • Business Roles contain permitted IT Roles
  • IT roles are reflected on users as:
    • Hard Permitted Roles → Explicitly assigned via Business Role
    • Soft Permitted Roles → Inferred because the user already has access, and the access matches a permitted role defined in the Business Role

Key Issues Observed:

1. Revocation Issue for Soft Permitted Roles

  • Soft permitted IT roles without an assignmentId cannot be removed from users.
  • Question:
    • Is it mandatory for a permitted IT role to have an associated assignment (assignmentId) in order to allow revocation?
  • Observation:
    • This restriction was not present in version 8.4.

2. Missing Assignment Population

  • We observe many users where:
    • IT roles are soft permitted
    • But no assignment exists, despite the role being part of a Business Role assigned to the user.
  • Question:
    • Why are assignments not automatically created during refresh execution?
    • Should the **Identity Refresh ** process populate these assignments?

Note: For new users or new requests, this issue not there, this issue is there espcially for existing users.

3. Data Inconsistency & Remediation Concern

We currently have ~5,000 records where:

  • IT roles are present (via aggregation)
  • But no assignments exist
  • Even though:
    • The corresponding Business Roles are assigned
    • And those Business Roles include the IT roles as permitted roles

Concern:

  • This inconsistency is leading to:
    • Revocation failures
    • Mismatch in role governance behavior

Hi @ramireddy

Can you please share some screenshots for this issue. It makes us easier to understand the exact issue of your environment.

Hi @ramireddy,

Could you please share the details of one affected user (Identity XML or screenshots of the assigned Business Role, permitted IT Role, and assignments section)? Also, if you have any relevant provisioning logs showing the issue, please share those as well.

@ramireddy

  1. AFAIK assignmentiid is needed to make sure when business roles are removed it should remove underlying permitted roles as well.

  2. What all options you are keeping in your identity refresh? You should have “Refresh assigned or detected…” and “Provision Assignments”.

  3. Have you validated if these 5000 records only created after upgrade? or it was already there but you noticed it after upgrade.