Role Assignment Question

Question about role assignment for a specific situation I am encountering.

We have a Joiner Workflow that looks for roles that should be assigned to an identity and builds a provisioning plan to provision these roles via an IIQ AccountRequest. These roles show as being assigned with source LCM and the assigner as RequestHandler. This gives high visibility into which roles were assigned to provision the birthright accounts, since they appear in the IdentityRequest that is generated.

Let’s say the assignment logic on one of the roles changes. The expectation would be that the refresh task (with the appropriate options set) would now remove that role because the identity no longer meets the auto-assignment criteria. However, it seems that because this role was assigned via LCM and has an assigner (RequestHandler), it’s treating the role like something that was manually assigned and will not automatically pull the role off the identity.

I understand that this is probably expected behavior, so that roles can be requested and stay vs. automatically assigned and de-assigned. I guess my main question is: what attribute needs to be removed from the RoleAssignment to ensure roles that are assigned through these workflows can later be automatically removed via the refresh task? Should the source be “Rule” rather than “LCM”? Or should there not be an “assigner” present?

I turned on logging on a few different classes and didn’t see anything too obvious to point out what would keep these roles, which appear as “manually assigned”.

The source of “Rule” is the correct answer.

However, if your users match the assignment logic anyway, I would think that you may as well use auto-assignment instead of a Joiner.


Yeah, I guess I thought it would be nice to see the joiner lifecycle event and what roles were assigned. Since our auth source is SAP HCM, everything is action code based, so there is actually a generic workflow that calculates the roles and assigns them, and then I built out a framework that can call certain rules based on the numerous different action codes that can be passed down to us.

I will do some testing on changing the source to “Rule”. I think a simple plan argument will do the trick and then some kind of clean up task for all the people that are being affected by this today.


I am facing the same issue: refresh or aggregation is not removing the role assignment even though the assignment rule is returning false. Please advise.

Note: I changed the source to Rule (via debug) and ran aggregation and refresh, but no luck.

I believe I had to change the source to Rule and also set the assigner field to null to make it work. Additionally, I also did this on all the IdentityEntitlement objects associated with the RoleAssignment. That might not be necessary, but I wanted to be safe.
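The two fixes discussed in this thread (building the joiner plan so the RoleAssignment is written with source “Rule” and no assigner, and a clean-up for identities that were already provisioned with source “LCM”) as one worked example. This is added illustration in Beanshell-style Java, not code from any of the posters or from SailPoint. It assumes the IdentityIQ API as I remember it: the plan argument key ProvisioningPlan.ARG_SOURCE, ProvisioningPlan.put() for plan-level arguments, the sailpoint.object.Source enum, and setSource/setAssigner setters on RoleAssignment and IdentityEntitlement; check each against the javadoc for your IIQ version before running it, and run the clean-up with dryRun=true first.

```java
// Added example (not from the thread). Assumed API surface is noted inline;
// verify against your IIQ version's javadoc before use.
import java.util.Iterator;
import java.util.List;

import sailpoint.api.SailPointContext;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.IdentityEntitlement;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.QueryOptions;
import sailpoint.object.RoleAssignment;
import sailpoint.object.Source;
import sailpoint.tools.GeneralException;

public class RuleSourcedRoleAssignments {

    /**
     * Builds the joiner plan so that the resulting RoleAssignment is recorded
     * with source "Rule" and no assigner. That is the shape the refresh task
     * treats as auto-assigned, so it can later remove the role when the
     * assignment logic stops matching. Source "LCM" plus an assigner marks the
     * role as requested, which refresh leaves alone.
     */
    public static ProvisioningPlan buildJoinerPlan(Identity identity, List<String> roleNames) {
        ProvisioningPlan plan = new ProvisioningPlan();
        plan.setIdentity(identity);

        // Plan-level argument copied onto the RoleAssignment by the provisioner.
        // Assumed: ARG_SOURCE key and put(). Deliberately no ARG_ASSIGNER, so the
        // assigner stays null instead of becoming RequestHandler.
        plan.put(ProvisioningPlan.ARG_SOURCE, Source.Rule.toString());

        AccountRequest iiq = new AccountRequest();
        iiq.setApplication(ProvisioningPlan.APP_IIQ);
        iiq.setNativeIdentity(identity.getName());
        iiq.setOperation(AccountRequest.Operation.Modify);
        for (String role : roleNames) {
            iiq.add(new AttributeRequest(ProvisioningPlan.ATT_IIQ_ASSIGNED_ROLES,
                    ProvisioningPlan.Operation.Add, role));
        }
        plan.add(iiq);
        return plan;
    }

    /**
     * Clean-up for identities already provisioned with source "LCM": flip the
     * RoleAssignment (and the matching IdentityEntitlement rows) to source
     * "Rule" with a null assigner. Returns the number of assignments touched,
     * so a dryRun pass reports scope without writing anything.
     * Assumed: setSource/setAssigner on RoleAssignment and IdentityEntitlement.
     */
    public static int convertLcmAssignments(SailPointContext context, Identity identity,
                                            List<String> roleNames, boolean dryRun)
            throws GeneralException {
        int changed = 0;
        List<RoleAssignment> assignments = identity.getRoleAssignments();
        if (assignments == null) {
            return 0;
        }
        for (RoleAssignment ra : assignments) {
            // Only touch the roles this workflow owns, and only LCM-sourced ones.
            if (!roleNames.contains(ra.getRoleName())
                    || !Source.LCM.toString().equals(ra.getSource())) {
                continue;
            }
            changed++;
            if (dryRun) {
                continue;
            }
            ra.setSource(Source.Rule.toString());
            ra.setAssigner(null);

            // Mirror the change on the IdentityEntitlement rows for this role,
            // as the last post in the thread did. Filter property names assumed.
            QueryOptions qo = new QueryOptions();
            qo.addFilter(Filter.eq("identity", identity));
            qo.addFilter(Filter.eq("name", ProvisioningPlan.ATT_IIQ_ASSIGNED_ROLES));
            qo.addFilter(Filter.eq("value", ra.getRoleName()));
            Iterator<IdentityEntitlement> it = context.search(IdentityEntitlement.class, qo);
            while (it.hasNext()) {
                IdentityEntitlement ie = it.next();
                ie.setSource(Source.Rule.toString());
                ie.setAssigner(null);
                context.saveObject(ie);
            }
        }
        if (!dryRun && changed > 0) {
            context.saveObject(identity);
            context.commitTransaction();
        }
        return changed;
    }
}
```

After the clean-up, run the identity refresh with the role refresh option enabled; an identity whose assignment rule now returns false should have the converted role removed, whereas a role still carrying source LCM and an assigner is left in place, which is the behavior the original question observed.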