Replace existing Role with a new Role for an identity using Update endpoint for Webservices connector. Role is assigned through standard criteria


I have a role, say Role1, tied to an access profile which has 2 entitlements attached to it. I defined the criteria for Role1 such that it should get assigned to the user matching the employee number defined.

I applied the changes and after the identity refresh process, Role1 is showing under that user access and I verified that he got added to the Target system correctly. Create account operation type was triggered.

I am now wanting to replace Role1 with a Role2 (transfer scenario). I removed the criteria I defined earlier from Role1. Defined the same criteria under Role2. Applied changes. Identity refresh ran and I did not see any changes to that identity. Did not show any events for my source under the identity. I see Role1 is still assigned to the user. Do not see Role2 added, both in IdentityNow as well as the Target system.

When I tried this through request center, I see that Role2 is getting appended to the user's access and still showing Role1 in the target system (I see Role1 and Role2 under user access at this point). When I manually revoke Role1 and run Aggregation, Role2 is immediately reflected in the Target system.

My Target system does not remove entitlements; instead it replaces them with new values for update.

In case of delete, it is a soft delete: entitlements are still assigned to the user, but the status is passed in the request as "Deleted".

I have Update Account, Add entitlement, Add entitlement-1 defined under HTTP operations for MODIFY, and Remove Entitlement, Remove Entitlement-1 defined for DEPROVISIONING. (I have 2 entitlement types, so I am using a Web Services Before Operation rule to pass those 2 entitlement types, alter the request body and create a new JSON body before hitting the endpoint.)

Why am I not seeing removal of Role1 and addition of Role2 for that user? Why don’t I see any event changes even after Role1 and Role2 criteria changed? Appreciate any assistance/inputs on this please.

You need to keep two things in consideration:

  1. Which roles are assigned
  2. How those assigned / removed roles are provisioned to the application.

When you say you updated Role1 and Role2, did you remove the criteria from Role1? What is the exact use case? You can always try / test this scenario with an empty role, just to check that the role assignment / removal is working as you expect.

  1. When a role is assigned and/or revoked, how does your setup deal with that scenario? Are the proper operations in place under your HTTP operations (I see that you did define them, but perhaps they are not using the proper endpoints)?

Hi @ravulasravya,

For the Role1 where you removed the assignment criteria, you should do it this way, as per the SailPoint documentation, to properly get the role removed. You should change the criteria so that it does not match your identities and then do identity processing. This way your Role1 will be removed. See the documentation for more details:

  • For auto-provisioned roles, change the role’s assignment criteria so users do not meet it and let identity processing revoke the old role from the users.