Sequential Provisioning Discussion

Hi all,

We have configured the role criteria as suggested in this discussion to achieve sequential provisioning: Birthright Provisioning Scenario, where it should be applied based on sequence: Role A → Role B → Role C. The configuration is working; however, sometimes Role C is not applied and can only be attached to the identity after the next identity refresh task. We would like to request input on how to ensure all roles will be applied in a single aggregation.

We have raised a customer support ticket, and a few possibilities were suggested by the support team:

  1. Workflow
  2. Rule After Provisioning
  3. Event Triggers

The current way will be triggering an identity refresh task via API after the provisioning is done. We would appreciate any input on this and on which way would be the most preferable.

Thank you.

What criteria are you using on Role C that relies on prior provisioning to occur?

If the criteria is just looking for if an account was created, this should occur immediately and can be handled via a transform. If you are looking for a particular attribute that takes time to populate, this may not be read until the next account aggregation.

Hi Edward,

Thank you for the response. Role B depends on provisioning of an account on source A (fulfilling Role A), and Role C depends on provisioning of an account on source B (fulfilling Role B).

So does this enter into the second scenario you were saying?

Hi @sjoyee

As per my knowledge, when an identity is refreshed:

Role will be assigned → Account Provisioned → Single Account Aggregation → Refresh (Again)

So the process repeats.

You mentioned Role C is not assigned sometimes, but not every time, right? Maybe the 2nd account was not created successfully or is not yet reflected in IDN?

I would like to know what conditions you used in the role assignment. Is it an entitlement from a source or some attribute in a source?

Let us try to fix the issue in RBAC; if not, then we can look at Workflows. BTW, there is no After Provisioning Rule in IDN.


Hi Krishna,

Yes, we are using an account attribute as the Role C criteria. From what I understand from your response, is it correct to say that any identity attribute update will trigger an identity refresh?

If yes, then we can include an identity attribute as a condition in the Role C criteria.

Thank you.

Yes, we can replicate the issue; before that, please confirm the queries below.

  1. Is Role B assigned after Role A every time?
  2. Is Role C not getting assigned after Role B is assigned sometimes, or every time?
  3. What are the 3 connectors you are using, in order?

Sorry for the late update. After including an identity attribute as a condition in the Role C criteria, the sequential provisioning is working. Thank you all for the assistance!
