Following our recent upgrade to SailPoint 8.5 P1, we are observing unexpected RBAC behavior. As part of the upgrade, we commented the RoleAssignmentModelUpgrader in upgrade.xml based on vendor guidance:
Current RBAC Model
We are using an RBAC model where:
- Business Roles contain permitted IT Roles
- IT roles are reflected on users as:
- Hard Permitted Roles → Explicitly assigned via Business Role
- Soft Permitted Roles → Inferred because the user already has access, and the access matches a permitted role defined in the Business Role
Key Issues Observed:
1. Revocation Issue for Soft Permitted Roles
- Soft permitted IT roles without an
assignmentIdcannot be removed from users. - Question:
- Is it mandatory for a permitted IT role to have an associated assignment (assignmentId) in order to allow revocation?
- Observation:
- This restriction was not present in version 8.4.
2. Missing Assignment Population
- We observe many users where:
- IT roles are soft permitted
- But no assignment exists, despite the role being part of a Business Role assigned to the user.
- Question:
- Why are assignments not automatically created during refresh execution?
- Should the **Identity Refresh ** process populate these assignments?
Note: For new users or new requests, this issue not there, this issue is there espcially for existing users.
3. Data Inconsistency & Remediation Concern
We currently have ~5,000 records where:
- IT roles are present (via aggregation)
- But no assignments exist
- Even though:
- The corresponding Business Roles are assigned
- And those Business Roles include the IT roles as permitted roles
Concern:
- This inconsistency is leading to:
- Revocation failures
- Mismatch in role governance behavior