Re-provisioning occurring for removed roles for SAP GRC application

Which IIQ version are you inquiring about?

8.4p1

Please share any other relevant files that may be required (for example, logs).

Please find below the correlation configuration and the account schema customization rule for the SAP GRC application.

import java.util.List;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import sailpoint.tools.Util;
import sailpoint.object.ResourceObject;

// Inputs IIQ hands to an account-schema Customization rule:
// object (the ResourceObject just read by aggregation), application, connector
Logger log = Logger.getLogger("CCEP SAP GRC Schema Customization");
log.setLevel(Level.DEBUG);
if (object != null) {
    String objType = object.getObjectType();
    if (Util.isNotNullOrEmpty(objType) && "account".equals(objType)) {
        String accountName = object.getIdentity();
        String errorMessage = null;
        String appConnName = application.getConnector();
        String applicationName = application.getName();
        if (Util.isNotNullOrEmpty(accountName) && Util.isNotNullOrEmpty(appConnName) && Util.isNotNullOrEmpty(applicationName)) {
            if (null == connector) {
                errorMessage = "Failed to construct an instance of connector [" + appConnName + "]";
                return errorMessage;
            }
            // Second read of the same account from the connector, done only to copy its Roles attribute
            ResourceObject rObj = null;
            try {
                rObj = (ResourceObject) connector.getObject("account", accountName, null);
            } catch (sailpoint.connector.ObjectNotFoundException onfe) {
                errorMessage = "Connector could not find account: [" + accountName + "]";
                errorMessage += " in application [" + applicationName + "]";
                log.error(errorMessage, onfe);
                return errorMessage;
            }
            if (null == rObj) {
                errorMessage = "ERROR: Could not get ResourceObject for account: " + accountName;
                log.error(errorMessage);
                return errorMessage;
            }
            // Overwrite Roles on the aggregated object with the re-fetched value
            List roles = (List) rObj.getAttribute("Roles");
            if (roles != null) {
                object.put("Roles", roles);
            }
        }
    }
    // A Customization rule is expected to return the ResourceObject; note that the
    // error branches above return a String instead
    return object;
}

Share all details about your problem, including any error messages you may have received.

We are facing an issue where a role removed from SAP GRC is automatically re-assigned later via background provisioning.

Scenario:

  • Role CIMPROD/TPM_Regional_Sales_Director_SE00 was removed successfully.

  • Confirmed removed in SAP GRC.

  • SailPoint identity shows no such entitlement.

  • No Business Role / IT Role / Birthright involved.

Later during scheduled tasks (nightly), the role is re-added automatically.

Customization

There is a Schema Customization rule on the account schema that calls:

rObj = connector.getObject("account", accountName, null);
List roles = (List) rObj.getAttribute("Roles");
object.put("Roles", roles);


  1. Can this double-fetch in Schema Customization cause entitlement instability and trigger Provisioning Expansion during Identity Refresh?
  2. Has anyone seen similar behavior with SAP GRC AM connector?

When you say the role was removed at the SailPoint end, did you also see the business role removed from the user profile?

If the business role still exists and the identity refresh task runs with the "Provision assignments" checkbox ticked, it will try to provision it again.

Once the role is assigned to the user, what do you see as the source on the entitlement, and what is the granted-by flag?

Hi @kchengalvarayan ,

How was this entitlement removed?

And could you please confirm whether this use case is related to business roles or not.

When you say role, assuming it is the schema entitlement attribute ("Role"), or is this entitlement linked with some business role or IT role?

Please elaborate

@kchengalvarayan this is likely due to AttributeAssignment (sticky entitlements). When access is provisioned through IIQ, it stores an AttributeAssignment on the identity. If the role is removed directly in SAP GRC (not through IIQ), the assignment record stays — so on the next identity refresh with “Provision Assignments” enabled, IIQ re-provisions it.
Check Debug → Identity → Preferences for that user and look for an AttributeAssignment entry for that role. If it’s there, that’s your cause. The fix is to revoke through IIQ so it clears the assignment, not directly in SAP GRC.
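The check described in the reply above, written out as a diagnostic rule body you can run from the IIQ console or a one-off Rule. This is an added example, not code from the thread or from IdentityIQ itself; the application name "SAP GRC", the identity name "jdoe" and the logger name are placeholders (the attribute name "Roles" and the role value are the ones from the original post). It compares the sticky AttributeAssignment records on the identity against what the identity's links for that application actually hold, and only removes a record when the flag is flipped on.

```java
// Added diagnostic rule body (not from the thread or from IdentityIQ).
// Assumptions: IIQ application named "SAP GRC", entitlement attribute "Roles",
// identity "jdoe" as a placeholder. 'context' is the SailPointContext that
// every IIQ rule receives.
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import org.apache.log4j.Logger;
import sailpoint.object.Application;
import sailpoint.object.AttributeAssignment;
import sailpoint.object.Identity;
import sailpoint.object.Link;

Logger log = Logger.getLogger("rule.StaleAssignmentCheck");

String appName      = "SAP GRC";                                    // assumed application name
String attrName     = "Roles";                                      // entitlement attribute from the post
String roleValue    = "CIMPROD/TPM_Regional_Sales_Director_SE00";   // role from the post
String identityName = "jdoe";                                       // placeholder identity
boolean removeStale = false;   // last resort only; a revoke through IIQ is the clean path

Identity identity = context.getObjectByName(Identity.class, identityName);
Application app   = context.getObjectByName(Application.class, appName);
if (identity == null || app == null) {
    return "identity or application not found";
}

// Step 1: is the role still present on any of this identity's links for the application?
// If not, but an AttributeAssignment for it survives, the next refresh with
// "Provision assignments" enabled will put the role back.
boolean heldOnAccount = false;
List links = identity.getLinks(app);
if (links != null) {
    for (Iterator it = links.iterator(); it.hasNext();) {
        Link link = (Link) it.next();
        Object raw = link.getAttribute(attrName);
        List values = (raw instanceof List) ? (List) raw
                    : (raw == null ? null : Collections.singletonList(raw));
        if (values != null && values.contains(roleValue)) {
            heldOnAccount = true;
        }
    }
}

// Step 2: walk the sticky assignments stored in the identity's preferences
// (the same records shown under Debug -> Identity -> Preferences).
List stale = new ArrayList();
int matching = 0;
List assignments = identity.getAttributeAssignments();
if (assignments != null) {
    for (Iterator it = assignments.iterator(); it.hasNext();) {
        AttributeAssignment aa = (AttributeAssignment) it.next();
        if (appName.equals(aa.getApplicationName())
                && attrName.equals(aa.getName())
                && roleValue.equals(aa.getValue())) {
            matching++;
            log.warn("AttributeAssignment for " + roleValue
                    + " nativeIdentity=" + aa.getNativeIdentity()
                    + " source=" + aa.getSource()
                    + " stillOnAccount=" + heldOnAccount);
            if (!heldOnAccount) {
                stale.add(aa);
            }
        }
    }
}

// Step 3 (optional): drop the stale records so the refresh stops re-adding the role.
// This edits the identity only; nothing is sent to SAP GRC.
if (removeStale && !stale.isEmpty()) {
    for (Iterator it = stale.iterator(); it.hasNext();) {
        identity.remove((AttributeAssignment) it.next());
    }
    context.saveObject(identity);
    context.commitTransaction();
}

return "matching=" + matching + " stale=" + stale.size()
        + " removed=" + (removeStale ? stale.size() : 0);
```

Run it first with removeStale left at false: a result of matching=1 stale=1 for a role that is gone from both SAP GRC and the link is the signature of the behaviour in the original post. Deleting the record directly is a cleanup for assignments left behind by out-of-band removals; for anything still held on the account, revoke through IIQ so the assignment is cleared as part of the normal flow.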

@kchengalvarayan Please confirm how you are removing the entitlements. Also, validate that the attributeAssignment is being cleared properly. In case you are managing entitlements outside IIQ, you might want to disable setting the attribute assignment in your LCM workflow by modifying the plan and setting attributeAssignment to false in the attribute request.
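The plan change suggested in the reply above, as an added example (not code from the thread or from IdentityIQ): a script for a workflow step or a Before Provisioning rule, both of which receive the ProvisioningPlan as `plan`. Assumptions: the application is named "SAP GRC" and its entitlement attribute is "Roles"; `AttributeRequest.setAssignment(boolean)` is taken to be the programmatic form of the assignment flag the reply refers to, and the logger name is a placeholder.

```java
// Added example (not from the thread or from IdentityIQ). Assumptions: application
// "SAP GRC", attribute "Roles", AttributeRequest.setAssignment(boolean) as the
// setter for the assignment flag. 'plan' is the ProvisioningPlan handed to the script.
import java.util.Iterator;
import java.util.List;
import org.apache.log4j.Logger;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

Logger log = Logger.getLogger("rule.NoStickyGrcRoles");

String appName  = "SAP GRC";   // assumed application name
String attrName = "Roles";

int changed = 0;
if (plan != null && plan.getAccountRequests() != null) {
    for (Iterator ait = plan.getAccountRequests().iterator(); ait.hasNext();) {
        AccountRequest acct = (AccountRequest) ait.next();
        if (!appName.equals(acct.getApplication())) {
            continue;   // other applications keep sticky assignments as designed
        }
        List attrReqs = acct.getAttributeRequests();
        if (attrReqs == null) {
            continue;
        }
        for (Iterator it = attrReqs.iterator(); it.hasNext();) {
            AttributeRequest req = (AttributeRequest) it.next();
            if (attrName.equals(req.getName())
                    && ProvisioningPlan.Operation.Add.equals(req.getOperation())) {
                // The grant still goes to SAP GRC, but no AttributeAssignment is recorded,
                // so a later removal inside GRC is simply picked up by the next aggregation
                // instead of being undone by the refresh task.
                req.setAssignment(false);
                changed++;
            }
        }
    }
}
log.debug("cleared assignment flag on " + changed + " " + attrName
        + " request(s) for " + appName);
```

The trade-off is deliberate: with the flag off, IIQ no longer treats the role as something it is responsible for keeping in place, so a removal done directly in SAP GRC sticks, but the identity also loses the record that the role was requested through IIQ. Scope the change to the one application and attribute that is managed outside IIQ rather than disabling assignments globally.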
