Role detection not in sync with role assignments

Which IIQ version are you inquiring about?

8.4p3

Share all details about your problem, including any error messages you may have received.

Hi all,

Below is the extracted portion for an identity with the correct role assignments but the role detection is not reflecting the same. As seen in code below, only Staff Role 31 is seen in both Role Assignment and Role Detection. Staff role 28, 55 and 65 are missing from Role Detection.

This is causing some entitlements tied to the roles to not be provisioned. We have tried to execute an identity refresh with role provisioning, but it does not seem to work.

      <entry key="roleAssignments">
        <value>
          <List>
            <RoleAssignment assignmentId="b498b257f3f94e67ba733dcde8137f4b" date="1719580987081" roleId="64494f358e5c1067818e5c20e0550055" roleName="**** Staff Birthright" source="Rule">
              <RoleTarget applicationId="64494f4f8e0c1f5c818e0cafd4040061" applicationName="SP" nativeIdentity="*****"/>
            </RoleAssignment>
            <RoleAssignment assignmentId="d909cc1a04514701a75dfcde05c49bfe" date="1728011346899" roleId="64494f568d821f0b818d82bf2eb40047" roleName="SP Birthright" source="Rule">
              <RoleTarget applicationId="64494f568d821d9e818d82be16f4032d" applicationName="App Name" displayName="User Email" nativeIdentity="****1b59" roleName="SP Login"/>
            </RoleAssignment>
            <RoleAssignment assignmentId="189a623252e64c7db5fe5c3e28922e0a" date="1761424030195" roleId="0af4014b9a1c167b819a1cd6eb65039f" roleName="Staff Birthrights 65" source="Rule">
              <RoleTarget applicationId="64494f568d821d9e818d82be16f4032d" applicationName="App Name" displayName="User Email" nativeIdentity="****1b59" roleName="Staff Role 65"/>
            </RoleAssignment>
            <RoleAssignment assignmentId="6b8d903e3c224e29ab2d829049590654" date="1761424030195" roleId="0af4014b9a1c167b819a1cd6e8a20368" roleName="Staff Birthrights 55" source="Rule">
              <RoleTarget applicationId="64494f568d821d9e818d82be16f4032d" applicationName="App Name" displayName="User Email" nativeIdentity="****1b59" roleName="Staff Role 55"/>
            </RoleAssignment>
            <RoleAssignment assignmentId="0692772b60b84f9dadb552711052002c" date="1762115028713" roleId="0af4014b9a1c167b819a1cd6c2d40109" roleName="Staff Birthrights 28" source="Rule">
              <RoleTarget applicationId="64494f5d90231382819039bdffb32213" applicationName="App NAme" displayName="User Email" nativeIdentity="uid=User Email,ou=user,dc=****,dc=com" roleName="Staff Role 28"/>
            </RoleAssignment>
            <RoleAssignment assignmentId="bd88805c56444d8f8d874062a4398ec7" date="1762115028715" roleId="0af4014b9a1c167b819a1cd6e20f02e6" roleName="Staff Birthrights 31" source="Rule">
              <RoleTarget applicationId="64494f568d821d9e818d82be16f4032d" applicationName="App Name" displayName="User Email" nativeIdentity="****1b59" roleName="Staff Role 31"/>
            </RoleAssignment>
          </List>
        </value>
      </entry>
      <entry key="roleDetections">
        <value>
          <List>
            <RoleDetection assignmentIds="b498b257f3f94e67ba733dcde8137f4b" date="1720101169198" roleId="64494f358e5c1067818e5c20e03e0054" roleName="View Identity Request">
              <RoleTarget applicationId="64494f4f8e0c1f5c818e0cafd4040061" applicationName="SP" nativeIdentity="*****">
                <AccountItem name="capabilities.name" value="ViewIdentityRequest"/>
              </RoleTarget>
            </RoleDetection>
            <RoleDetection assignmentIds="b498b257f3f94e67ba733dcde8137f4b" date="1759007366323" roleId="0af40493998c14e081998c751bae0044" roleName="View Group Members">
              <RoleTarget applicationId="64494f4f8e0c1f5c818e0cafd4040061" applicationName="SP" nativeIdentity="*****">
                <AccountItem name="capabilities.name" value="ViewGroupMembers"/>
              </RoleTarget>
            </RoleDetection>
            <RoleDetection assignmentIds="bd88805c56444d8f8d874062a4398ec7" date="1762139920278" roleId="0af4014b9a1c167b819a1cd6e1f902e4" roleName="Staff Role 31">
              <RoleTarget applicationId="64494f568d821d9e818d82be16f4032d" applicationName="App Name" displayName="User Email" nativeIdentity="****1b59">
                <AccountItem name="groups" value="****795b"/>
              </RoleTarget>
            </RoleDetection>
          </List>
        </value>
      </entry>      

Any help is appreciated!


Try checking below for any failure while provisioning:

Navigate to Administrative Console > Provisioning.

Filter by username

Search for the transactions.

Thanks

There are no errors when re-provisioning. Is there any refresh task we can run with certain settings to sync the roles assigned and roles detected?

Run the Refresh task with below highlighted option:

We tried, but it is still not in sync. Should we disable it, execute once, then execute with it checked?

Is this a business role that is not getting assigned or IT role ?


All the roles that the role detection is not detecting are IT roles.

Try disabling and then re-enabling and see if it works or not.

Will it drop any existing accounts/entitlements?

It is assigned to a business role, right? So it will get added back even if it removes it. Make sure you don't disable or remove the business role.

Yes, the IT roles are assigned to a business role. "Make sure you don't disable or remove the business role" → how do I ensure this?

Tried to rerun, no difference, but noticed it will keep triggering a workflow and will reflect this in the identity:

<entry key="pendingRefreshWorkflow" value="Refresh identity **** - 3"/>

Is this causing the issue?

Execute the Perform Maintenance task once and check.

It is still showing up in the identity, any other task to run?

Is the pendingRefreshWorkflow option still present?

If it is still there, navigate to the Debug page and search for Request objects. In that list, see if your workflow is showing up or not.

Yes, I checked the WorkflowCase from the Debug page. I see the expansion items, and I do see the role and corresponding value to be provisioned.


Hey @shijingg,
My 2 cents on this.

When IIQ aggregates user information and brings in entitlements, and those entitlements form a role, only then will that role be marked as detected. Otherwise, it will only stay as assigned.

The roles not showing up as detected might not be the issue preventing the entitlements from being provisioned. It might be the other way around: the entitlements are not provisioned, and hence the detected roles are not added.

Quick check:

  1. Check if the user who should have roles detected has those entitlements on their accounts.
  2. Also, check if, with aggregation, those entitlements have flowed into SailPoint.
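The check described in this reply, as an added example that is not part of the thread or of IdentityIQ itself: an offline Python script that parses an exported identity XML, lists every role assignment target (IT role) that has no RoleDetection referencing its assignmentId, and then compares the account's entitlements against the IT role's profile to show why detection cannot happen. The XML sample is a trimmed copy of the fragment in the first post (masked values kept); the role profiles and account attributes are constructed assumptions, since the thread does not show the Bundle or Link objects.

```python
"""Offline diagnosis of 'assigned but not detected' roles from an exported
IdentityIQ identity XML. Sample data is constructed to mirror the thread;
ROLE_PROFILES and ACCOUNTS are assumptions, not the real Bundle/Link data."""
import xml.etree.ElementTree as ET

# Constructed sample: trimmed roleAssignments/roleDetections from the post.
IDENTITY_XML = """<Identity><Attributes><Map>
 <entry key="roleAssignments"><value><List>
  <RoleAssignment assignmentId="189a623252e64c7db5fe5c3e28922e0a" roleId="0af4014b9a1c167b819a1cd6eb65039f" roleName="Staff Birthrights 65" source="Rule">
   <RoleTarget applicationId="64494f568d821d9e818d82be16f4032d" applicationName="App Name" nativeIdentity="****1b59" roleName="Staff Role 65"/>
  </RoleAssignment>
  <RoleAssignment assignmentId="bd88805c56444d8f8d874062a4398ec7" roleId="0af4014b9a1c167b819a1cd6e20f02e6" roleName="Staff Birthrights 31" source="Rule">
   <RoleTarget applicationId="64494f568d821d9e818d82be16f4032d" applicationName="App Name" nativeIdentity="****1b59" roleName="Staff Role 31"/>
  </RoleAssignment>
 </List></value></entry>
 <entry key="roleDetections"><value><List>
  <RoleDetection assignmentIds="bd88805c56444d8f8d874062a4398ec7" roleId="0af4014b9a1c167b819a1cd6e1f902e4" roleName="Staff Role 31">
   <RoleTarget applicationId="64494f568d821d9e818d82be16f4032d" applicationName="App Name" nativeIdentity="****1b59">
    <AccountItem name="groups" value="****795b"/>
   </RoleTarget>
  </RoleDetection>
 </List></value></entry>
</Map></Attributes></Identity>"""

# Assumed IT role profiles: (application, attribute, value) an account must
# hold for the IT role to be detected. Constructed for this example.
ROLE_PROFILES = {
    "Staff Role 65": [("App Name", "groups", "grp-65-assumed")],
    "Staff Role 31": [("App Name", "groups", "****795b")],
}

# Constructed Link attributes per (application, nativeIdentity).
ACCOUNTS = {
    ("App Name", "****1b59"): {"groups": {"****795b"}},
}


def parse_identity(xml_text):
    """Return {assignmentId: {roleName, targets}} and the set of
    (assignmentId, detectedRoleName) pairs found under roleDetections."""
    root = ET.fromstring(xml_text)
    assignments = {}
    for ra in root.iter("RoleAssignment"):
        targets = [(t.get("applicationName"), t.get("nativeIdentity"), t.get("roleName"))
                   for t in ra.findall("RoleTarget")]
        assignments[ra.get("assignmentId")] = {"roleName": ra.get("roleName"),
                                               "targets": targets}
    detected = set()
    for rd in root.iter("RoleDetection"):
        # assignmentIds is a CSV when one detection covers several assignments
        for aid in (rd.get("assignmentIds") or "").split(","):
            detected.add((aid.strip(), rd.get("roleName")))
    return assignments, detected


def undetected_assignments(assignments, detected):
    """IT-role targets of assignments that no RoleDetection references."""
    gaps = []
    for aid, a in assignments.items():
        for app, native, it_role in a["targets"]:
            if it_role and (aid, it_role) not in detected:
                gaps.append((a["roleName"], it_role, app, native))
    return gaps


def missing_entitlements(it_role, app, native, profiles=ROLE_PROFILES, accounts=ACCOUNTS):
    """Profile entitlements the account does not hold (why detection fails)."""
    held = accounts.get((app, native), {})
    return [(attr, val) for (papp, attr, val) in profiles.get(it_role, [])
            if papp == app and val not in held.get(attr, set())]


def diagnose(xml_text=IDENTITY_XML):
    """Map each undetected IT role to its business role and missing entitlements."""
    assignments, detected = parse_identity(xml_text)
    report = {}
    for biz, it_role, app, native in undetected_assignments(assignments, detected):
        report[it_role] = {"business_role": biz,
                           "missing": missing_entitlements(it_role, app, native)}
    return report


if __name__ == "__main__":
    for it_role, info in diagnose().items():
        print(f"{it_role} (via {info['business_role']}): not detected; "
              f"account lacks {info['missing']}")
```

An IT role whose missing list is empty is the interesting case: the account holds every profile entitlement yet no detection exists, which points at the role (disabled, or a profile that does not match the Link attribute) rather than at provisioning. A non-empty list matches the situation in this thread, where the entitlements never reached the account.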

Hi Zeel,

  1. Check if the user who should have roles detected has those entitlements on their accounts. → Nope, the entitlements don’t exist in the account.
  2. Also, check if, with aggregation, those entitlements have flowed into SailPoint. → Nope, we did an aggregation again, no difference.

Still seeing the assigned roles and missing the detected roles. Is this a bug?

Hi @shijingg,

Please check if the given IT roles are disabled and let me know.