I have a situation where SailPoint is trying to remove entitlements for a deleted application. Is there a way to stop it?
Below is the complete scenario:
After 60 days of termination, we delete the AD and Okta applications from the user's profile, and after 180 days we remove roles (which contain AD and Okta entitlements) from the user's profile with scheduled events.
When the role removal action takes place, it tries to remove the AD and Okta entitlements, which fails as the applications were already deleted after 60 days.
My expectation is that SailPoint should filter entitlements on role expansion if the application does not exist on the user's profile. But it is not happening. Isn't this SailPoint OOTB behavior?
Hello Deepak, Welcome to the SailPoint Developer Community!
Have you made sure that the links to the application as well as the entitlement assignments to the apps have all been removed on the identity object after the removal of the user account on AD and Okta? Ideally this should be filtered out if there is no link to the application.
I guess you can create a custom task and do the following:
Get the list of all the assigned roles for the user.
Run a loop per role and extract the role profile.
Check whether the role profile's application link exists for the user; if so, OK, else check if the identity exceptions have that profile name. If yes, remove it from the Identity object and save it.
Schedule the task to run daily so that any such identities would be cleaned up.
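One way to implement the custom task described in this answer, as an added example that is not from the poster or from SailPoint. It is written against the IdentityIQ Java object model; the calls on Identity, Bundle, Profile and EntitlementGroup are assumed from that model, and the class and method names are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import sailpoint.api.SailPointContext;
import sailpoint.object.*;

public class OrphanedExceptionCleanup {
    // Drop exception (non-role) entitlements on applications the identity no longer
    // has a Link to but that one of its assigned roles still references via a Profile.
    // Returns the number of EntitlementGroups removed; 0 means the identity is unchanged.
    public static int cleanIdentity(SailPointContext context, Identity identity)
            throws Exception {
        // Guard: only terminated (inactive) identities are touched, so an active user
        // who merely lost an account is never modified by this clean-up.
        if (!identity.isInactive()) return 0;
        List<EntitlementGroup> exceptions = identity.getExceptions();
        if (exceptions == null || exceptions.isEmpty()) return 0;
        List<EntitlementGroup> kept = new ArrayList<EntitlementGroup>();
        for (EntitlementGroup eg : exceptions) {
            Application app = eg.getApplication();
            boolean linkGone = (app != null && identity.getLink(app) == null);
            if (linkGone && assignedRoleReferences(identity, app)) continue; // orphaned: drop
            kept.add(eg); // link still present, or app not role-managed: leave it alone
        }
        int removed = exceptions.size() - kept.size();
        if (removed > 0) {
            identity.setExceptions(kept);
            context.saveObject(identity);
            context.commitTransaction();
        }
        return removed;
    }

    // Steps 1 and 2 of the answer: walk the assigned roles and each role's profiles.
    // Only direct profiles are inspected; required and inherited roles are not expanded.
    private static boolean assignedRoleReferences(Identity identity, Application app) {
        List<Bundle> roles = identity.getAssignedRoles();
        if (roles == null) return false;
        for (Bundle role : roles) {
            List<Profile> profiles = role.getProfiles();
            if (profiles == null) continue;
            for (Profile p : profiles) {
                Application pa = p.getApplication();
                if (pa != null && pa.getName().equals(app.getName())) return true;
            }
        }
        return false;
    }
}
```

The method is meant to be called from the scheduled task once per identity; it removes only the identity's exception entitlements for the missing application and leaves the assigned roles themselves untouched.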