Role is removed from a user in ISC, but access profile and entitlement remains

haou1407 · August 12, 2025, 6:00am

Hello,

We encountered an issue in Identity Security Cloud (ISC) where a role was removed from a user, but the access profile and entitlement linked to that role still remain.

What could be the possible causes of this?
How can we troubleshoot it effectively?

Additional Information:

We have already tried manually processing the identity.
We also manually aggregated the source entitlements.
The issue still persists.
- Error message:
  - [“sailpoint.connector.ConnectorException: Message Status(500) Error response from connector: Unable to execute request to URI https://owprod.api.identitynow.com/beta/connectors/get-object?objectClass\\u003dApplication\\u0026objectNameOrId\\u003d2c9180867ce6705e017ced8ee8730ed5”\]
AP and entitlement remain, expecting for them to be removed together with the role

Looping @fayolaph for visibility.

Abhinov7 · August 12, 2025, 6:25am

Hi,

I think when tried to remove entitlement it got error on connector side, so couldn’t remove the entitlement. Access Profile will automatically detect if you have the entitlement.

First check the issue with connector. Also can you specify for which source you are getting issue?

-Abhinov

haou1407 · August 12, 2025, 6:44am

Hi Abhinov, thanks for the response.

I’ve done Test Connection on the source, and it was successful.
The source status is Healthy too. Source is Azure Active Directory.
It’s not happening for other roles though, only for this role.

Regards

Abhinov7 · August 12, 2025, 7:15am

Yes,

I think there is an error while remove azure entitlements. Can you check if all the required permissions are given to the azure service account.

-Abhinov

haou1407 · August 12, 2025, 7:49am

Would you be able to give me the steps to check on the Azure service account?
I don’t seem to see it under the Azure Active Directory configuration.

Thanks!

Abhinov7 · August 12, 2025, 8:16am

Please go through below document.

Add all required permissions. Also what is the entitlement type you are trying to remove.

-Abhinov

PhilRawlings1 · August 12, 2025, 1:52pm

Hi,
Sounds like a case for a quick recertification to get rid of the accessProfiles

vdivakar · August 12, 2025, 4:05pm

@haou1407 if this is happening only for this role, meaning, only for the Entitlements added in this role, then may be the service account does not have sufficient privileges to remove any users from this entitlement in the Azure, I would definitely check the permissions required for the service account in order to successfully remove users from the security groups.

haou1407 · August 13, 2025, 4:58am

Hi @Abhinov7 ,

This might be a sticky entitlement.
Is there any way to find anymore sticky entitlements?

Also, here are the permissions.

Thanks!

system · October 12, 2025, 4:59am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Role Entitlement Removal ISC Discussion and Questions identity-security-cloud , provisioning , roles , access-profiles , entitlements	16	2045	September 28, 2024
Roles and Entitlement dependencies ISC Discussion and Questions identity-security-cloud , entitlements	4	105	April 15, 2025
Will Removing an Access Profile from a Role Preserve access/entitlements in the source or automatically remove it? ISC Discussion and Questions identity-security-cloud , roles , access-profiles	3	79	July 14, 2025
Unable to remove entitlements through Manage Access page if those are part of Roles IIQ Discussion and Questions identityiq , roles	8	436	October 12, 2024
Role vs Entitlement Inconsistecy ISC Discussion and Questions identity-security-cloud , entitlements	7	153	November 2, 2024

Role is removed from a user in ISC, but access profile and entitlement remains

Related topics