Hi All
I had a business role with a population as assignment rule. As a result, 400 or so identities have the role and have the IT role which assigns a group membership.
I removed the population as assignment rule and I see users don’t have the business role anymore.
I was expecting the group membership to be removed as well. But that’s not the case.
Is this the expected behavior, or is something else in play?
Do you have the provisioning options enabled in IIQ?
Are these IT roles part of any other business roles?
After removing it, did you try running the role change propagation task?
I hope you have made the changes in role composition through the UI. One way is to refresh all the users who have this role. Make sure that you have selected the option below while running the Refresh Identity Cube task:
Refresh assigned, detected roles and promote additional entitlements
The second way is to launch the Role Propagation Task:
To enable this, first of all, you need to go to Global Settings → IdentityIQ Configuration.
Navigate to the Roles tab and check the box for the option below:
Allow propagation of role changes.
Once it is done, you need to run the Role Propagation Task from the Setup → Tasks page.
Note: If Role Propagation is not enabled and you have made your changes, then in this case, you need to use the first approach to resolve the issue you are experiencing.
Turned out I did not have “Disable deprovisioning of deassigned roles” set in my refresh task. With this option on, the underlying entitlements are removed as well.
Interestingly, changing the “Assignment Rule” for a business role does not generate a “RoleChangeEvent”.