Role auto-assignment issue when using Multiple Accounts Option

Hi everyone,

I’m seeing an issue with role auto-assignment in SailPoint ISC when using the Multiple Accounts Option.

Setup

  • Roles are automatically assigned using Assignment Criteria (identity conditions).

  • Some users have two accounts in the same source.

  • Access is granted via Access Profiles.

  • When multiple accounts exist, access should be granted only to the account where A_CD = 100.

Issue

  • There are 4 users who meet all identity and account conditions.

  • For 2 users, the role is assigned correctly and the correct account is selected.

  • For the other 2 users, the role is not auto-assigned, even though the conditions are the same.

Observation

  • If one of the two accounts is deleted for the affected users, the role is immediately assigned.

  • This makes it look like the issue is related to account selection in the Multiple Accounts Option, not the identity criteria.

Question

  • Is this a known limitation or bug?

  • Is there a recommended way to handle role assignment when users have multiple accounts in the same source?

Thanks in advance!

@sxxnex this is a known feature: the role does not support the multiple account feature. If you want to manage multiple accounts, you can use access profiles and configure the multiple account option as mentioned below. Or create separate sources and filter the accounts.

I understand that the Multiple Accounts Option is supported at the Access Profile level.
That is how it is configured in our case.

However, we want to automatically assign access using Role assignment criteria, so our design is:

  • Create a Role with identity-based criteria groups

  • Include only one Access Profile in the role

  • Configure the Multiple Accounts Option on that Access Profile to select the correct account

In practice, this works correctly for some users who have multiple accounts — access is granted to the account that matches the Access Profile conditions.

However, for other users with the same setup and conditions, the role is not auto-assigned at all.
Because the behavior is inconsistent, we wanted to confirm whether this is an expected limitation or a known issue when combining Role auto-assignment with Multiple Accounts Option on Access Profiles.


Hi @sxxnex ,

This shouldn’t be the expected behaviour, as this is working fine for the other two users. As per the documentation, a manual task would have been created if no account or more than one account matches the criteria. If there is a manual task created, then it’s the issue with the account criteria in the AP. Can you check once?

If not, try doing a manual “process identity” for those two identities and see if it's working.


All four accounts have identical account attributes,
except for unique values such as name and employee number.

These unique values are not used in:

  • Role assignment criteria

  • Access Profile multiple account selection conditions

In other words, the role criteria and account selection conditions are exactly the same for all four accounts.

Despite this:

  • Two accounts receive the role and access correctly

  • The other two accounts do not receive the role

No manual task is created, and running manual “Process Identity” for the affected identities does not change the behavior.

Since all conditions are identical and manual processing does not resolve the issue,
we are trying to understand why the behavior is inconsistent across accounts.