We had suspected this could be an issue with the SailPoint IIQ “SAP-Direct” connector integration. With a support case open, the SailPoint support and engineering team looked through the issue and came to the obvious conclusion, as they had a fix addressed in the higher versions 8.4p2 and 8.5:
CONETN-4652:
The SAP Direct connector now supports adding roles to an account that does not have previously assigned SAP roles to it.
In summary, this is a connector-specific issue, and the code might be handled in the SAP-Direct connector-related jar. For users initially aggregated from the SAP side without any SAP entitlements (called Roles on the SAP side), the SailPoint user/account-level schema attribute “RoleDetails” will always be null. On a new access request from SailPoint, it keeps this value as null, does not update it with the new entitlements, and sends null data in the SAP provisioning call. That is the reason we do not see any error or different response from the SAP side, while SailPoint adds the entitlement to the identity.xml parameter “AttributeAssignment”. SailPoint then tries to provision the same thing on every identity refresh, because the snapshot of the SAP aggregation always shows no entitlement/role assigned on the SAP side. The SailPoint SAP integration goes into a loop with the same process for this set of users.