Hi Team,
We have a custom role type that we created by cloning the OOTB IT role type, with the "manual assignment" and "no automatic detection unless assigned" options enabled.
We have created a bundle of the custom role type with a Logiplex AD group, and we are seeing that it is not getting detected once assigned.
However, when the bundle is of the master AD application, it is getting detected properly.
When we look at the Identity Entitlement for the Logiplex AD groups, we see "Granted by role" showing as false...
We have validated that the entitlements are in the correct case in the bundle and tried running a refresh on the identity with the role detection option checked, but it is still not getting detected. The issue happens when the role has Logiplex AD groups.
Any leads on this issue would be highly appreciated. Thanks
Hi @amajumdar1, it's interesting. TBH, not sure if the following would help or not, but just thinking out loud with you...
1. Role Detection Configuration
- Ensure the custom role type is properly configured for role detection. Double-check the role detection rules for the Logiplex AD group in the role type logic. The custom role might need to explicitly reference group memberships.
- If “no automatic detection unless assigned” is enabled, make sure the manual assignment logic is correctly mapping the AD group entitlement to the role.
2. Entitlement Mapping & Case Sensitivity
- Confirm that the Logiplex AD group name in the entitlement bundle matches exactly (case-sensitive) with the AD group name in the directory.
- Ensure entitlement expression logic (like `entitlementExpr`) is correctly resolving the group name.
3. Manual Assignment and Role Granting
- Verify that when you manually assign the Logiplex AD group to an identity, it is properly reflected in the identity's entitlements. Check if the "Granted by role" flag is being correctly set to `true` when the role is granted through the AD group.
4. Role Detection Logic
- Review the role detection process (such as `DetectRoleJob` or an equivalent job) and ensure the custom role type is correctly processing the Logiplex AD group membership.
- Check job logs for errors related to role detection.
5. Debugging and Logs
- Enable detailed logs for role detection and entitlement processing. Look for issues in how the Logiplex AD groups are handled in the entitlement assignment and role detection processes.
6. Bundle Configuration
- Review the bundle configuration for the custom role type, ensuring the Logiplex AD groups are correctly mapped to the entitlements.
If the issue persists, gather logs and configurations and escalate to SailPoint support for further investigation; you can also share them with us in parallel for help.
Regards,
Muhammad
Hi, we tried this. It seems that if AD is configured with multiple domains and we have the Logiplex application carved out from the master AD application, then those roles are not getting detected. This is what we have been observing.
To overcome this issue, we tried to run a rule to detect the assigned role forcefully, but the roles are still not getting detected. Does SailPoint detect roles internally with a rule, or is it not possible to detect the roles that way?
Regards
Aditi
Hi @amajumdar, this indicates a potential problem with how roles and entitlements are mapped across multiple domains in SailPoint. When using applications carved out from a master, SailPoint might struggle with role detection due to:
- Domain Mismatches: Entitlements linked to the wrong domain or application.
- Role Correlation Logic: SailPoint may not detect roles for carved-out applications using the default detection logic.
Regarding your question, "Does SailPoint detect roles internally, or is it not possible to detect roles using a rule?":
- SailPoint uses a combination of out-of-the-box role detection logic and custom rules to detect roles.
- While internal detection is automatic, custom rules can override or supplement this logic.
- If roles are still not detected despite using a custom rule, it suggests:
- The rule logic might not fully align with your setup.
- Other configuration or environmental factors may be affecting detection.
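To make the "force detection" rule Aditi mentions concrete, here is an added Beanshell rule body for IdentityIQ. It is example code written for this thread, not code from the original posts or from SailPoint. It forces entitlement correlation for a single identity (the same work the Identity Refresh task does with the role detection option checked) and then reports the role type flags, whether the bundle is in the identity's assigned and detected roles, and the grantedByRole flag on the IdentityEntitlement rows of the carved-out application. The identity, bundle and application names are assumed placeholders, and the class and method names are taken from the IIQ API as I know it, so verify them against the javadoc for your version before running it.

```java
// Added example for this thread (not from the original posts or SailPoint).
// Run as a rule body in IdentityIQ; "context" is the SailPointContext
// that the rule runner provides.
import java.util.List;
import sailpoint.api.Identitizer;
import sailpoint.object.Attributes;
import sailpoint.object.Bundle;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.IdentityEntitlement;
import sailpoint.object.QueryOptions;
import sailpoint.object.RoleTypeDefinition;

String identityName = "jdoe";          // ASSUMED: identity to refresh
String bundleName   = "Logiplex-Ops";  // ASSUMED: bundle of the custom role type
String appName      = "Logiplex AD";   // ASSUMED: application carved out of the master AD

Identity identity = context.getObjectByName(Identity.class, identityName);
Bundle bundle = context.getObjectByName(Bundle.class, bundleName);
if (identity == null || bundle == null) {
    return "identity or bundle not found";
}

StringBuilder report = new StringBuilder();

// 1. Role type flags. With noDetectionUnlessAssigned set, correlation only
//    marks the bundle as detected when it is also in the assigned roles, so
//    an unassigned bundle of this type will never show up as detected.
RoleTypeDefinition type = bundle.getRoleTypeDefinition();
report.append("roleType=").append(type.getName())
      .append(" noDetectionUnlessAssigned=").append(type.isNoDetectionUnlessAssigned())
      .append(" noAutoAssignment=").append(type.isNoAutoAssignment()).append("\n");
List assignedRoles = identity.getAssignedRoles();
boolean assigned = assignedRoles != null && assignedRoles.contains(bundle);
report.append("assignedBeforeRefresh=").append(assigned).append("\n");

// 2. Force correlation for this identity only. This is the same option the
//    Identity Refresh task exposes as "Refresh assigned, detected and
//    detectable roles".
Attributes args = new Attributes();
args.put(Identitizer.ARG_CORRELATE_ENTITLEMENTS, true);
Identitizer identitizer = new Identitizer(context, args);
identitizer.refresh(identity);
context.saveObject(identity);
context.commitTransaction();

// 3. Detection result after the refresh.
List detectedRoles = identity.getDetectedRoles();
boolean detected = detectedRoles != null && detectedRoles.contains(bundle);
report.append("detectedAfterRefresh=").append(detected).append("\n");

// 4. IdentityEntitlement rows for the carved-out application. If the bundle
//    was detected, grantedByRole should now be true for the groups it covers;
//    rows that stay false show which entitlement values did not match the
//    bundle's profile (case, domain suffix or application reference).
QueryOptions qo = new QueryOptions();
qo.add(Filter.eq("identity", identity));
qo.add(Filter.eq("application.name", appName));
List ents = context.getObjects(IdentityEntitlement.class, qo);
for (IdentityEntitlement ie : ents) {
    report.append(ie.getName()).append("=").append(ie.getValue())
          .append(" grantedByRole=").append(ie.isGrantedByRole()).append("\n");
}
return report.toString();
```

Two things to read off the report: if assignedBeforeRefresh is false, the "no automatic detection unless assigned" option alone explains the missing detection, and the bundle has to be assigned first; if it is true but detectedAfterRefresh stays false, compare the entitlement values printed in step 4 against the values in the bundle's profile, since a value that carries the master domain's application or a different DN suffix will not correlate against a profile written for the carved-out application.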