The LCM-managed role assignment is not getting removed when the role assignment criteria are changed or no longer match. How can I make this role assignment non-sticky? Even though I changed the source to Rule, it does not get removed after the refresh. Please advise.
Hi Saravanan, can you confirm that you're looking at business roles, which are assigned via automatic assignment Rules defined in the role?
If an identity, which has the role, changes so that they no longer match the assignment rule, your ID refresh task should change the assignment if you have "Refresh assigned, detected roles and promote additional entitlements" enabled. This should change the assignment of the role. "Provision assignments" must also be enabled, in order to actually trigger the entitlement change.
If you changed the role definition, then you need to run the Propagate Role Changes task, to propagate the changes.
Note that if your roles include entitlements from disconnected apps, then you'll need to update the cube refresh task to generate manual actions, so it can create manual work items for the appropriate entitlements.
Thanks, Ann, for the response. Yes, it's the business role, and there is no change in the role configuration; it's only the change in the assignment criteria. As you said, the refresh task should remove it, but it is not happening. What else could I do to resolve this? The role assignment shows source="LCM", and even after updating this to Rule manually it's still not removing it. Not sure what other attribute should be updated to remove this stickiness.
Hi Saravan, if role assignment source is "LCM" originally, that indicates it's not automatically assigned. As you note, automatic assignment has source "Rule". I don't think changing the source manually after the fact will do much good, there's likely more things in the "backend" that interfere here.
If the role isn't assigned automatically in the first place, the normal behaviour for auto-assigned roles can't be trusted.
I'm not sure how / if you can manually try to change an LCM-assigned role into automatic/Rule after the fact.
Thanks Ann, what could be done to make the role non-sticky during the LCM assignment?
If you have applied an assignment rule within the business role, and run the identity refresh task with "Refresh assigned, detected roles and promote additional entitlements", this should detect and assign roles to matching identities (so role source will be rule). Note, if the identity already has the role through LCM, it will not change.
If the role is originally assigned through LCM, it needs to be removed through LCM.
Hi Ann,
We actually detected the same issue.
And we found the reason for this. The Role Propagation Task is changing the Source Value from Rule to LCM. I am going to create a new case for this. I was just wondering if there is a solution for this issue in this chat.
Volker
Hi Volker, that's a cool find! Did you get any response on your case? Seems like unintended behaviour.