“Revoke Assignment” from a role does not remove the entitlements.
Here are the steps:
1. Select the identity
2. Click on “access” from left menu and then select the role from the “roles” tab
3. Click on “Assignment” from the left menu and then “Revoke Assignment” button on top right
The event log shows the role revoked but the AD entitlements still exist. There’s also NO log that the entitlements were deprovisioned. A day later and there’s no change after refresh/aggregations.
Alternatively, if the role is granted via some criteria, you will have to change the role assignment criteria not to target that certain identity, and run the processing (which might not be convenient if you have more identities falling into the same criteria), as @mcheek is correct.
Per the docs: “Role Change Propagation provides the ability to configure ISC so that when access rights are removed from a Role definition, the corresponding access assignments are removed from users who have the Role assigned.”
But that’s not what my issue is: I’m not removing access from the role. I’m simply revoking the role, but the AD entitlements are still present. There are also no event logs showing that ISC even tried to remove the AD entitlements.
Also, per the docs: this indicates that a cert. campaign needs to remove the role? What about “Revoke Assignment” (which is what I did)?
Forgot to mention that this issue is due to a naming issue with the role: the role needs to be deleted, but we can’t afford downtime. So I created another role with the same entitlements and provisioned access. So I’m thinking that since the 2nd role has the same entitlements, ISC does not remove the first role’s entitlements.