Retaining the Previous entitlements

Hi Team,

Any idea why it is retaining the previously requested entitlements when I request using Manage Access → Manage User Access Quick link.

I am using the Web Services connector and my entitlements are combined with the account itself; in fact, I don’t need separate add or remove entitlement methods. I know we can use createAccountWithEntReq = true to combine them during creation. How do I handle the same in the case of an update? Strangely, it is keeping all the previous ones instead of overwriting the existing value.

I am not using any roles for my testing.

I would really appreciate it if you could suggest a way, or tell me what I am doing wrong.

Thanks

Hi @venus,

This is due to the Attribute Assignment (sticky entitlements) in the Identity Cube. Attribute Assignments are added to an identity to track entitlements that have been assigned to them, typically from an access request. They can be viewed on the Identity via the debug page. Whenever a user is provisioned via an Access Request (LCM), this sticky attribute is added to the identity. This will be part of the provisioning plan under attributes as assignment = true. Refreshing the identity will retry provisioning of missing entitlements and accounts. Removing the sticky attribute from the Identity Cube will fix the issue. The ideal way is via a remove request instead of a direct update of the Identity Cube.

There is a session by @brian_weigel on how to remove these Attribute Assignments: Ungluing Sticky AttributeAssignments

Let’s assume I have a user who is currently assigned Team1, and I want to replace it with Team2 instead of adding another team. What is the process or configuration I will have to do in SailPoint? Please note this is not a multi-valued attribute; it just holds a single value. Is ungluing the sticky Attribute Assignment the only workaround?

I can think of a few workarounds, and some might not be very efficient.

  1. Try adding a remove request in the Provisioning plan via a BeforeProvisioning rule for the old entitlement whenever the user raises a request for a new one. (This will be my preferred approach.)

  2. The attribute assignment = true under the arguments in the Provisioning plan is actually setting the attribute assignment on the identity. Try modifying the plan in the BeforeProvisioning rule to remove the assignment = true when the user is assigned an entitlement.

  3. The third one will be to have a customization rule which will scan the identities for attribute assignments and remove them. This might not be efficient, especially if the application has a large number of users.

1 Like

Thanks James, I will try first approach.

Hello @venus, just emphasising Jarin’s approach.

After having gone through a lot of nightmares because of sticky entitlements, I would just like to highlight that the “Attribute Assignment” tag will only be removed if SailPoint thinks that the previous entitlement (which is going to be replaced) has been removed through SailPoint (as the request to add that entitlement was made through SailPoint). Hence, you have to add a remove entitlement (the old one) attribute request in the provisioning plan instead of removing it any other way. I know Jarin’s point made that very clear, but I just wanted to highlight it, as we had to learn it the hard way :smiley:

1 Like

Thank you, both. I was able to achieve this via a pre-provisioning rule with the code below.

// Pre-provisioning rule snippet: build a Remove request for the old value, flagged as an assignment
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

AttributeRequest removeReq = new AttributeRequest();
removeReq.setName("securityTeam"); // the entitlement attribute on the application
removeReq.setOperation(ProvisioningPlan.Operation.Remove);
removeReq.put("assignment", true); // so the sticky AttributeAssignment for the old value is cleared
removeReq.setValue("Old value from Link"); // placeholder: the current value read from the account Link
1 Like
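As an added example (not code from the thread), here is Jarin's first approach carried through as a complete BeforeProvisioning rule body: it finds the Add request for the single-valued entitlement attribute, reads the value currently held on the account Link, and adds the matching Remove request flagged as an assignment. It assumes the standard IdentityIQ rule inputs plan and application; the attribute name securityTeam is a placeholder.

```java
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Placeholder for the single-valued entitlement attribute on the application
String ENT_ATTR = "securityTeam";

// Find the Link for this account so we can read the value it currently holds
Link findLink(Identity identity, String appName, String nativeId) {
    if (identity.getLinks() == null || nativeId == null) return null;
    for (Link l : identity.getLinks()) {
        if (appName.equals(l.getApplicationName()) && nativeId.equals(l.getNativeIdentity())) {
            return l;
        }
    }
    return null;
}

Identity identity = plan.getIdentity();
if (identity != null && plan.getAccountRequests() != null) {
    for (AccountRequest acctReq : plan.getAccountRequests()) {
        // Only Modify requests for this application carry a replacement value
        if (!application.getName().equals(acctReq.getApplication())
                || acctReq.getOperation() != AccountRequest.Operation.Modify
                || acctReq.getAttributeRequests() == null) {
            continue;
        }
        Link link = findLink(identity, acctReq.getApplication(), acctReq.getNativeIdentity());
        Object oldValue = (link != null) ? link.getAttribute(ENT_ATTR) : null;
        List removes = new ArrayList();
        for (AttributeRequest attrReq : acctReq.getAttributeRequests()) {
            boolean assignedAdd = ENT_ATTR.equals(attrReq.getName())
                    && attrReq.getOperation() == ProvisioningPlan.Operation.Add
                    && Boolean.TRUE.equals(attrReq.getArgument("assignment"));
            if (assignedAdd && oldValue != null && !oldValue.equals(attrReq.getValue())) {
                // Remove the old value through SailPoint, flagged as an assignment, so the
                // sticky AttributeAssignment is released instead of being re-provisioned on refresh
                AttributeRequest removeReq = new AttributeRequest();
                removeReq.setName(ENT_ATTR);
                removeReq.setOperation(ProvisioningPlan.Operation.Remove);
                removeReq.put("assignment", true);
                removeReq.setValue(oldValue);
                removes.add(removeReq);
            }
        }
        for (AttributeRequest r : removes) acctReq.add(r); // added after iterating to avoid mutating the list mid-loop
    }
}
```

The Remove is only added when the Link actually holds a different value, so a repeated request for the value the user already has does not generate a spurious removal.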
