ServiceNow Certification Campaign Fails to Revoke Entitlements (Error: InsufficientPermissionException)

Here are some observations that I noticed over the last few days:

  1. Role/Group removals are technically not done in the application installed in your ServiceNow instance, mainly because that would require deleting records from the sys_user_has_role and sys_user_grmember tables. In general, deleting from tables outside of your application scope is not something that’s allowed for applications in the ServiceNow store. So the application on your SN instance is only used for add/update operations (the majority of them being add).
  2. As a workaround for this, it appears that the SDIM connector on the SailPoint side is removing access via direct table API calls into your ServiceNow instance, specifically the Table API DELETE operation. That’s why I was asking if you could make those calls using Postman to see if they work, because that’s what the SDIM connector is doing.

I’ve had some email exchanges with the product management team, and I’m trying to get more clarification around what is supposed to be supported with this connector and why the documentation specifically mentions removal of entitlements is not supported.
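The Postman check suggested above can also be scripted. The following is an added example, not part of the original post and not the SDIM connector's code: it looks up one membership row through the Table API and issues the DELETE, reporting whether the service account is allowed to remove it. The instance hostname, the user/role/group sys_ids, and the `fake_instance` stand-in are assumptions for illustration.

```python
import base64, json, urllib.error, urllib.parse, urllib.request

# Membership tables named in the post, with the reference field each one uses.
TABLES = {"role": ("sys_user_has_role", "role"), "group": ("sys_user_grmember", "group")}

def http_send(user, password):
    """Build a real transport: send(method, url) -> (status, parsed JSON or None)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    def send(method, url):
        req = urllib.request.Request(url, method=method, headers={
            "Authorization": f"Basic {token}", "Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else None)
        except urllib.error.HTTPError as err:
            return err.code, None
    return send

def try_revoke(instance, kind, user_id, target_id, send):
    """Find one membership row, then DELETE it; return (verdict, sys_id)."""
    table, field = TABLES[kind]
    base = f"https://{instance}/api/now/table/{table}"
    query = urllib.parse.urlencode({
        "sysparm_query": f"user={user_id}^{field}={target_id}",
        "sysparm_fields": "sys_id", "sysparm_limit": "1"})
    status, body = send("GET", f"{base}?{query}")
    if status != 200:
        return f"lookup failed (HTTP {status})", None
    rows = (body or {}).get("result", [])
    if not rows:
        return "no membership row visible to this account", None
    sys_id = rows[0]["sys_id"]
    status, _ = send("DELETE", f"{base}/{urllib.parse.quote(sys_id)}")
    verdicts = {204: "deleted", 401: "not authenticated",
                403: "delete denied: account lacks delete rights on " + table,
                404: "row not found or hidden from this account"}
    return verdicts.get(status, f"unexpected HTTP {status}"), sys_id

def fake_instance(delete_status):
    """Constructed stand-in for an instance so the check runs offline."""
    calls = []
    def send(method, url):
        calls.append((method, url))
        if method == "GET":
            return 200, {"result": [{"sys_id": "abc123"}]}
        return delete_status, None
    return send, calls
```

Against a real instance, pass `http_send(user, password)` with the connector's service account as `send`, and use a test user's membership, since a successful call removes the row.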