Role detection not in sync with role assignments

I doubt it’s a bug: as those entitlements are not present in the target app for the given Identity, it’s expected that those roles are not detected. The issue is with provisioning.

Ideally, the Identity Refresh task should have triggered the provisioning for the missing entitlements, but in your case it’s not working.

Next steps:

  1. Could you share the Identity Refresh task with all the options you’re selecting?
  2. Staff Role 31 is marked as assigned as well as detected. Was it assigned along with other roles? Could you check ProvisioningTransaction for Staff Role 31 roles’ assignment and around the same time for other roles?

  1. Check whether the business role and the corresponding IT roles are enabled, whether the business role assignment is valid, and whether the business role is actually getting assigned to users.
  2. Run the refresh task with ‘Refresh assigned, detected roles and promote additional entitlements & provision entitlements’.
  3. Check whether the entitlements in the IT roles are provisioned to the user; if they are not provisioned, check whether there are any errors in the provisioning transactions or whether any provisioning form work item was created.

Hi Zeel, the Identity Refresh task is as below.

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE TaskDefinition PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<TaskDefinition created="1719296265008" id="0af4025a904b116e81904e0b0b300454" modified="1762158974053" name="Identity roles provisioning and refresh" resultAction="Rename" significantModified="1762158974053" subType="task_item_type_identity" type="Identity">
  <Attributes>
    <Map>
      <entry key="TaskDefinition.runLengthAverage" value="71"/>
      <entry key="TaskDefinition.runLengthTotal" value="1220"/>
      <entry key="TaskDefinition.runs" value="17"/>
      <entry key="TaskSchedule.host"/>
      <entry key="checkHistory" value="false"/>
      <entry key="checkPolicies" value="false"/>
      <entry key="correlateEntitlements" value="true"/>
      <entry key="correlateScope" value="false"/>
      <entry key="deleteDormantGroups" value="false"/>
      <entry key="disableIdentityProcessingThreshold" value="false"/>
      <entry key="disableManagerLookup" value="false"/>
      <entry key="doManualActions" value="false"/>
      <entry key="enableManualAccountSelection" value="false"/>
      <entry key="enablePartitioning" value="false"/>
      <entry key="excludeInactive" value="false"/>
      <entry key="filter" value="name == &quot;*****&quot;"/>
      <entry key="filterNeedsRefresh" value="false"/>
      <entry key="forceWorkflow" value="false"/>
      <entry key="includeWindowModified" value="false"/>
      <entry key="keepInactiveViolations" value="false"/>
      <entry key="markDormantScopes" value="false"/>
      <entry key="maxExceptions" value="50"/>
      <entry key="noAutoCreateScopes" value="false"/>
      <entry key="noCheckPendingWorkflow" value="true"/>
      <entry key="noMaintenanceWindowRetry" value="false"/>
      <entry key="noResetNeedsRefresh" value="false"/>
      <entry key="noRoleDeprovisioning" value="false"/>
      <entry key="preRefreshRule" value="RemoveAttributeAssignment"/>
      <entry key="processTriggers" value="false"/>
      <entry key="promoteAttributes" value="false"/>
      <entry key="promoteManagedAttributes" value="false"/>
      <entry key="provision" value="true"/>
      <entry key="refreshCompositeApplications" value="false"/>
      <entry key="refreshGroups" value="false"/>
      <entry key="refreshIdentityEntitlements" value="false"/>
      <entry key="refreshManagerStatus" value="false"/>
      <entry key="refreshRoleMetadata" value="false"/>
      <entry key="refreshScorecard" value="false"/>
      <entry key="synchronizeAttributes" value="false"/>
      <entry key="taskCompletionEmailNotify" value="Failure"/>
      <entry key="taskCompletionEmailRecipients" value="***"/>
      <entry key="taskCompletionEmailTemplate" value="Task Status Notification"/>
    </Map>
  </Attributes>
  <Description>Provision assignment and refresh assigned, detected roles and promote additional entitlements</Description>
  <Parent>
    <Reference class="sailpoint.object.TaskDefinition" id="64494f568d821d9e818d82bdd91101d5" name="Identity Refresh"/>
  </Parent>
</TaskDefinition>
  1. Staff Role 31 is marked as assigned as well as detected. Was it assigned along with other roles? Could you check ProvisioningTransaction for Staff Role 31 roles’ assignment and around the same time for other roles? → I am unable to find

  2. I would like to share that this identity is a mover, and previously Staff Role 55 and 65 were detected before the mover process.

  3. We also tried disabling the role and refreshing the identity, but it didn’t drop the role either; no change.

IT roles are not disabled.
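To make the checklist in the earlier reply (business/IT roles enabled, provisioning switched on, provisioning transactions reviewed) mechanical against a task export like the one posted above, here is an added example that is not part of this thread or of SailPoint's own code. It parses the option Map of an exported TaskDefinition and reports the settings a reviewer would want to look at before concluding that refresh-driven provisioning is broken. The sample XML embedded below is a constructed, trimmed copy of the posted definition, and the meanings attached to each option key (for example that provision is "Provision assignments" and processTriggers is "Process events") are my reading of the IdentityIQ refresh task options, not something the thread states.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the option Map of the "Identity roles provisioning and refresh"
# task posted in this thread, trimmed to the entries the audit below looks at.
SAMPLE_TASK_XML = """<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE TaskDefinition PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<TaskDefinition name="Identity roles provisioning and refresh" type="Identity">
  <Attributes>
    <Map>
      <entry key="TaskSchedule.host"/>
      <entry key="correlateEntitlements" value="true"/>
      <entry key="filter" value="name == &quot;*****&quot;"/>
      <entry key="noRoleDeprovisioning" value="false"/>
      <entry key="preRefreshRule" value="RemoveAttributeAssignment"/>
      <entry key="processTriggers" value="false"/>
      <entry key="provision" value="true"/>
      <entry key="refreshIdentityEntitlements" value="false"/>
    </Map>
  </Attributes>
</TaskDefinition>
"""


def parse_task_options(xml_text: str) -> dict:
    """Return the TaskDefinition option Map as {key: value}.

    Entries without a value attribute (e.g. TaskSchedule.host) map to None.
    expat does not fetch the external sailpoint.dtd, so the DOCTYPE is harmless.
    """
    root = ET.fromstring(xml_text)
    options = {}
    for entry in root.findall("./Attributes/Map/entry"):
        key = entry.get("key")
        if key:
            options[key] = entry.get("value")
    return options


def is_on(options: dict, key: str) -> bool:
    """True when the option is present and set to 'true' (case-insensitive)."""
    return (options.get(key) or "").strip().lower() == "true"


def audit_refresh_task(options: dict) -> list:
    """Return (option_key, finding) pairs worth checking when provisioning is not
    happening. Option meanings are assumptions about the IIQ refresh task UI."""
    findings = []
    if not is_on(options, "correlateEntitlements"):
        findings.append(("correlateEntitlements",
                         "role detection/assignment refresh is off; roles will not be re-evaluated"))
    if not is_on(options, "provision"):
        findings.append(("provision",
                         "'Provision assignments' is off; missing role entitlements are never pushed"))
    rule = options.get("preRefreshRule")
    if rule:
        findings.append(("preRefreshRule",
                         f"pre-refresh rule '{rule}' runs before role evaluation; confirm it does not "
                         "remove the assignments you expect to be provisioned"))
    if not is_on(options, "processTriggers"):
        findings.append(("processTriggers",
                         "'Process events' is off; mover/joiner lifecycle events are not fired by this task"))
    if not is_on(options, "refreshIdentityEntitlements"):
        findings.append(("refreshIdentityEntitlements",
                         "identity entitlements are not refreshed; the Entitlements view may lag the links"))
    flt = options.get("filter")
    if flt:
        findings.append(("filter",
                         f"task is scoped by filter {flt!r}; confirm the affected identity matches it"))
    if is_on(options, "noRoleDeprovisioning"):
        findings.append(("noRoleDeprovisioning",
                         "role deprovisioning is suppressed; disabling a role will not drop its entitlements"))
    return findings


if __name__ == "__main__":
    opts = parse_task_options(SAMPLE_TASK_XML)
    for key, msg in audit_refresh_task(opts):
        print(f"[{key}] {msg}")
```

For the posted task this reports the pre-refresh rule, the single-identity filter, and the two options that are off (processTriggers, refreshIdentityEntitlements) while confirming that provisioning and role correlation are enabled, which is why the next thing to inspect is the ProvisioningTransaction objects rather than the task options themselves.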
