SailPoint Removing Requested Role


SailPoint (8.1 version) is removing a group from Active Directory. This group was not provisioned through RBAC, although we do have an RBAC role associated with it. The role assignment was based on rule-based criteria. However, the user obtained the role via an access request. We have been unable to determine how the group is being removed. Upon reviewing the audit logs, we found the following details (refer to screenshot).

Hi @ganesh_kandel5050 - is this triggered by the Identity refresh? The Accelerator Pack has a lot of components so you’d need to track down what is executing. Does the user have any events being triggered?

@ryan_toornburg Yes, this is triggered by the refresh task. There are no events triggered.

Check if it is related to attribute sync, which might have caused the removal of groups.

@tsandeepsTmob, we have not turned on attribute sync.

@ganesh_kandel5050 - I would look at your role assignments. My guess is that process is removing it based on some assignment criteria.

Ok..
This is part of the Accelerator Pack functionality. You’ll need to review the ‘Audit Action’ configuration to identify where it’s set up and perform a detailed analysis to understand the root cause.