Role Expansion Behavior for deleted applications from User Profile

Hi All,

I have a situation where SailPoint is trying to remove entitlements for a deleted application. Is there a way to stop it?

Below is the complete scenario:

After 60 days of termination, we delete the AD and Okta applications from the user's profile, and after 180 days we remove roles (which contain AD and Okta entitlements) from the user's profile with scheduled events.
When the role removal action takes place, it tries to remove the AD and Okta entitlements, which fails as the applications were already deleted after 60 days.

My expectation is that SailPoint should filter entitlements on role expansion if the application does not exist on the user profile. But it is not happening. Isn't it SailPoint OOTB behavior?

Please respond.

Hi @deepakkumar511 ,

I believe that if there is no Link and an Entitlement is attached to the Identity, then SailPoint should not create deprovisioning for an already removed link.

I would recommend raising a support case for this.

However, I would wait for what others have to say on this.

1 Like

Hello Deepak, welcome to the SailPoint Developer Community!
Have you made sure that the links to the applications as well as the entitlement assignments to the apps have all been removed on the identity object after the removal of the user account on AD and Okta? Ideally this should be filtered out if there is no link to the application.

1 Like

Yes, I don't see any Okta/AD entitlement reference in the identity XML.

Then, as Dheeraj mentioned, I think you can raise a support ticket.

Hi, I just validated a user XML from production with the help of an ops guy and I see entitlement references under the

<Exceptions>
  <EntitlementGroup>
    ...
  </EntitlementGroup>
</Exceptions>

tag.
Is there a way to clean these at the time of account deletion?

Thanks in advance

Hi @Deepak,

I guess you can create a custom task and do the below:

  1. Get the list of all the assigned roles for the user.
  2. Run a loop per role and extract the Role Profiles.
  3. Check whether a Link to the Role Profile's application exists for the user; if so, it is fine. Otherwise, check whether the Identity's Exceptions contain that profile's application. If yes, remove it from the Identity object and save it.
  4. Schedule the task to run daily so that any such identities get cleaned up.
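A sketch of that task body in IdentityIQ BeanShell, added here as an example and not from the original post. It assumes the IdentityIQ API names Identity.getAssignedRoles(), Bundle.getProfiles(), Profile.getApplication(), Identity.getLinks(Application) and Identity.getExceptions()/setExceptions(); verify them against your IIQ version before use.

```java
// Added example (not from the thread). Assumed IdentityIQ API names:
// Identity.getAssignedRoles(), Bundle.getProfiles(), Profile.getApplication(),
// Identity.getLinks(Application), Identity.getExceptions()/setExceptions().
import java.util.*;
import sailpoint.object.*;
import sailpoint.api.SailPointContext;

// Removes stale Exceptions entries for one identity: entitlement references
// whose application is still covered by an assigned role's profile but no
// longer has a Link (the account was already deleted). Returns the count removed.
int cleanStaleExceptions(SailPointContext context, Identity identity) {
    // Steps 1-2: applications referenced by the profiles of the assigned roles
    Set roleApps = new HashSet();
    List roles = identity.getAssignedRoles();
    if (roles != null) {
        for (Bundle role : roles) {
            List profiles = role.getProfiles();
            if (profiles == null) continue;
            for (Profile p : profiles) {
                if (p.getApplication() != null) roleApps.add(p.getApplication().getName());
            }
        }
    }
    // Step 3: keep exceptions whose application still has a Link, drop the rest
    List exceptions = identity.getExceptions();
    if (exceptions == null) return 0;
    List kept = new ArrayList();
    int removed = 0;
    for (EntitlementGroup eg : exceptions) {
        Application app = eg.getApplication();
        boolean inRole = (app != null) && roleApps.contains(app.getName());
        List links = (app == null) ? null : identity.getLinks(app);
        boolean hasLink = (links != null) && !links.isEmpty();
        if (inRole && !hasLink) {
            removed++;   // stale: role still references the app, account is gone
        } else {
            kept.add(eg); // untouched: link present, or not a role-driven reference
        }
    }
    if (removed > 0) {
        identity.setExceptions(kept);
        context.saveObject(identity);
        context.commitTransaction();
    }
    return removed;
}
```

Run this per identity from a scheduled custom task (step 4) and log the returned count so the cleanup is auditable.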
