Role Assignment Issue

An LCM-managed role assignment is not getting removed when the role assignment criteria are changed/no longer match. How can I make this role assignment non-sticky? Even though I changed the source to Rule, it does not get removed after the refresh. Please advise.

Hi Saravanan, can you confirm that you're looking at business roles, which are assigned via automatic assignment rules defined in the role?

If an identity which has the role changes so that it no longer matches the assignment rule, your identity refresh task should change the assignment if you have "Refresh assigned, detected roles and promote additional entitlements" enabled. This should change the assignment of the role. "Provision assignments" must also be enabled in order to actually trigger the entitlement change.

If you changed the role definition, then you need to run the Propagate Role Changes task, to propagate the changes.

Note that if your roles include entitlements from disconnected apps, then you'll need to update the cube refresh task to generate manual actions, so it can create manual work items for the appropriate entitlements.


Thanks Ann for the response. Yes, it's a business role and there is no change in the role configuration; it's only the change in the assignment criteria. As you said, the refresh task should remove it, but it is not happening. What else could I do to resolve this? The role assignment shows source="LCM", and even after updating this to Rule manually it's still not removing it. Not sure what other attribute should be updated to remove this stickiness.

Hi Saravanan, if the role assignment source is "LCM" originally, that indicates it's not automatically assigned. As you note, automatic assignment has source "Rule". I don't think changing the source manually after the fact will do much good; there are likely more things in the 'backend' that interfere here.
If the role isn't assigned automatically in the first place, the normal behaviour for auto-assigned roles can't be trusted.

I’m not sure how / if you can manually try to change an LCM-assigned role into automatic/Rule after the fact.

Thanks Ann. What could be done to make the role non-sticky during the LCM assignment?

If you have applied an assignment rule within the business role and run the identity refresh task with "Refresh assigned, detected roles and promote additional entitlements", this should detect and assign roles to matching identities (so the role source will be Rule). Note: if the identity already has the role through LCM, it will not change.
If the role is originally assigned through LCM, it needs to be removed through LCM.
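The two replies above describe which assignments the identity refresh task will act on: only assignments with source "Rule" are re-evaluated against the role's assignment rule, while assignments with source "LCM" (or any other non-Rule source) are left alone and have to be removed through LCM. The following added example (not from the original thread, and not SailPoint's own code) is a small offline triage script that reads the roleAssignments block from an exported identity XML and predicts, for each assignment, whether a refresh would remove it, keep it, or leave it "sticky". The identity XML, the role names, and the RULE_MATCH table saying whether the identity still matches each rule are all constructed for the example; the element nesting and attribute names are an assumption about how IdentityIQ serialises role assignments, so compare them against your own export before trusting the parser.

```python
"""Triage role assignments on an exported IdentityIQ identity (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample identity export. The shape (Preferences/Map/entry
# key="roleAssignments"/value/List/RoleAssignment) and the attribute names
# are an ASSUMPTION about the IdentityIQ export format.
IDENTITY_XML = """<Identity name="saravanan">
  <Preferences>
    <Map>
      <entry key="roleAssignments">
        <value>
          <List>
            <RoleAssignment assigner="spadmin" assignmentId="a1" role="Finance Analyst" source="LCM"/>
            <RoleAssignment assigner="System" assignmentId="a2" role="Sales Rep" source="Rule"/>
            <RoleAssignment assigner="System" assignmentId="a3" role="Help Desk" source="Rule"/>
            <RoleAssignment assigner="manager1" assignmentId="a4" role="Contractor Access" source="UI"/>
          </List>
        </value>
      </entry>
    </Map>
  </Preferences>
</Identity>"""

# Constructed: roles whose definition carries an automatic assignment rule,
# mapped to whether this identity currently matches that rule. In a real
# check you would evaluate the role's IdentitySelector against the identity.
RULE_MATCH: Dict[str, bool] = {
    "Finance Analyst": False,  # rule no longer matches, but source is LCM
    "Sales Rep": False,        # rule no longer matches, source is Rule
    "Help Desk": True,         # still matches
}


@dataclass(frozen=True)
class RoleAssignment:
    role: str
    source: str
    assigner: str
    assignment_id: str


def parse_role_assignments(xml_text: str) -> List[RoleAssignment]:
    """Pull every RoleAssignment under the roleAssignments preference entry."""
    root = ET.fromstring(xml_text)
    found: List[RoleAssignment] = []
    for entry in root.iter("entry"):
        if entry.get("key") != "roleAssignments":
            continue
        for ra in entry.iter("RoleAssignment"):
            found.append(RoleAssignment(
                role=ra.get("role", ""),
                source=ra.get("source", ""),
                assigner=ra.get("assigner", ""),
                assignment_id=ra.get("assignmentId", ""),
            ))
    return found


def classify(assignments: List[RoleAssignment],
             rule_match: Dict[str, bool]) -> Dict[str, List[str]]:
    """Predict what the identity refresh (with 'Refresh assigned, detected
    roles and promote additional entitlements') does with each assignment.

    Only source="Rule" assignments of rule-driven roles are re-evaluated.
    Anything else on a rule-driven role is sticky and must go through LCM.
    """
    result: Dict[str, List[str]] = {
        "removed_by_refresh": [],
        "kept_by_refresh": [],
        "sticky_needs_lcm_removal": [],
        "not_rule_driven": [],
    }
    for ra in assignments:
        if ra.role not in rule_match:
            result["not_rule_driven"].append(ra.role)
        elif ra.source == "Rule":
            bucket = "kept_by_refresh" if rule_match[ra.role] else "removed_by_refresh"
            result[bucket].append(ra.role)
        else:
            # LCM/UI/Batch-sourced assignment on a rule-driven role: refresh
            # will not touch it, which is the "sticky" case in the thread.
            result["sticky_needs_lcm_removal"].append(ra.role)
    return result


def report(xml_text: str, rule_match: Dict[str, bool]) -> str:
    lines = []
    for bucket, roles in classify(parse_role_assignments(xml_text), rule_match).items():
        lines.append(f"{bucket}: {', '.join(roles) if roles else '-'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(IDENTITY_XML, RULE_MATCH))
```

Anything that lands in sticky_needs_lcm_removal is the situation described in this thread: the role has an assignment rule, the identity no longer matches it, but because the assignment's source is not "Rule" the refresh task will keep it, and the assignment has to be revoked through LCM. Running the report before and after a Propagate Role Changes task on a test identity is also a quick way to see whether that task is rewriting the source value.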

Hi Ann,

we actually detected the same issue.

And we found the reason for this. The Role Propagation task is changing the source value from Rule to LCM. I am going to create a new case for this. I was just wondering if there is a solution for this issue in this thread.

Volker

Hi Volker, that's a cool find! Did you get any response on your case? Seems like unintended behaviour.

Have you tried this solution?

https://community.sailpoint.com/t5/IdentityIQ-Forum/IT-Role-Entitlements-Not-Revoked-When-Business-Role-Revoked/m-p/217644