Revoke in Access Review

Which IIQ version are you inquiring about?

8.3

Please share any images or screenshots, if relevant.

image

Share all details about your problem, including any error messages you may have received.

Hello!

I’m having some issues with automated access removal after a revoke decision in access reviews. We currently have this option in use for LDAP logical applications, using the Logical connector.

For accesses requested through SailPoint, they can be removed by the certification but are re-provisioned as soon as the user is refreshed.

After being removed, if you access the entitlements page of the user, you can see the accesses in LDAP with the warning “This entitlement does not exist on the account”, as presented in the picture above.

If you remove the access through the Access Request menu, it is correctly removed and is not re-provisioned.

How can I stop SailPoint from provisioning these accesses after they are revoked in a certification?

Is that access part of any role that might be causing it to be provisioned? Have you checked the admin console to determine if it’s being triggered by an identity refresh or any other process?

Hi @rm_sailpoint

Run complete aggregation once and refresh identities.

Hi @Arpitha1,

I did, I ran the identity refresh after running the account import and the refresh logical accounts tasks. I’ve tried various combinations but regardless of the order I run these tasks in, the identity refresh always re-provisions the accesses.

Hello @sunnyajmera,

The accesses in question are not a part of any role.

When they are re-provisioned, we get a log that says the source is the Identity Refresh.
image
