Role assignment problem

Hi everyone,

I have a role in ISC that has a little over 300 criteria groups of assignment. The role is enabled, and I have at least one identity to whom the role should be assigned using the first criteria group in the role. Nevertheless, a day has passed and it has not been assigned yet. I have “Applied Changes” in the roles section, processed the identity that should get the role, and still nothing.

What else can I try? Is there a limit of assignment criteria groups a role should have? I want to avoid creating multiple roles with the same function because of criteria limits.

Thank you in advance!
Pol

Hi,

Is it possible to create a temporary role with the single criteria you want to test and check? This proves your criteria is correct/incorrect.

If this is correct, the problem will be the complexity of the role, in which case you can move the logic (whatever you can) into an identity attribute via transforms and simplify the Role criteria.

@Pol1 Just wanted to check if you have validated the criteria logic (AND vs OR), as that can sometimes impact assignment.

Additionally, with a large number of criteria groups, there might be delays or evaluation limitations, so it might be worth testing with a smaller subset to isolate the issue.

Probably logic (criteria) not matched.

If possible, you can test the logic separately, as @BBR1 mentioned.

Hello,

Thank you for your response! Yes, the logic is correct. I have tried deleting one of the many criteria groups and saved it, and then the role worked correctly. The problem is I can't do this for the thousands of roles in the system. I have noticed there are also some roles with only one criteria group which work as expected only after modifying some criteria group and saving it. Can this be bypassed? Or why is this happening?

If it helps, these are all roles I have uploaded using the VSCode Extension.

@Pol1 You can try using dynamic roles instead of static to reduce the number of roles, using a dimension attribute which can control the entitlement assignment.

In your use case there is no limit to any criteria. It can be that the criteria is wrong and not satisfying the users, so first try to run a search query with similar criteria and see if it returns any user.

Hi @Pol1,

Maybe you can try to test your criteria in Search in ISC and see if at least one identity falls into the criteria.

Regards,

Bhushan
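
Added example, not part of any post in this thread and not SailPoint code: an offline check of which criteria groups of a role a given identity satisfies, useful for confirming the AND/OR logic of a role definition before it is uploaded. The criteria shape (`operation`, `key`, `stringValue`, `children`) is assumed to follow the `membership.criteria` tree of an exported role; attribute names, values and the missing-attribute behaviour are assumptions of this sketch.

```python
# Assumed shape: membership.criteria tree of an exported role. All data is constructed.
LEAF_OPS = {
    "EQUALS": lambda actual, expected: actual == expected,
    "NOT_EQUALS": lambda actual, expected: actual != expected,
    "CONTAINS": lambda actual, expected: expected in actual,
    "STARTS_WITH": lambda actual, expected: actual.startswith(expected),
    "ENDS_WITH": lambda actual, expected: actual.endswith(expected),
}

def evaluate(node, identity):
    """Return True if the identity satisfies this criteria node."""
    op = node["operation"]
    if op in ("AND", "OR"):
        children = node.get("children") or []
        if not children:
            return False  # an empty group matches nobody
        results = (evaluate(child, identity) for child in children)
        return all(results) if op == "AND" else any(results)
    if op not in LEAF_OPS:
        raise ValueError(f"unsupported operation: {op}")
    key = node["key"]
    if key["type"] != "IDENTITY":  # only identity-attribute criteria handled here
        raise ValueError(f"unsupported key type: {key['type']}")
    name = key["property"].split(".", 1)[-1]  # "attribute.department" -> "department"
    actual = identity.get(name)
    if actual is None:
        return False  # assumption of this sketch: a missing attribute never matches
    return LEAF_OPS[op](str(actual), node["stringValue"])

def matching_groups(criteria, identity):
    """Indexes of the top-level criteria groups the identity satisfies."""
    groups = criteria.get("children") or []
    return [i for i, group in enumerate(groups) if evaluate(group, identity)]

def leaf(op, attr, value):
    key = {"type": "IDENTITY", "property": f"attribute.{attr}"}
    return {"operation": op, "key": key, "stringValue": value}

# Constructed sample: two groups OR'ed together, each group AND's its criteria.
SAMPLE_CRITERIA = {"operation": "OR", "children": [
    {"operation": "AND", "children": [leaf("EQUALS", "department", "Finance"),
                                      leaf("EQUALS", "country", "ES")]},
    {"operation": "AND", "children": [leaf("STARTS_WITH", "jobTitle", "Auditor"),
                                      leaf("EQUALS", "country", "FR")]},
]}
SAMPLE_IDENTITY = {"department": "Finance", "country": "ES", "jobTitle": "Analyst"}

if __name__ == "__main__":
    print("matching groups:", matching_groups(SAMPLE_CRITERIA, SAMPLE_IDENTITY))
```

If the expected group index is reported here but the role is still not assigned in the tenant, the criteria logic itself is not the cause.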