Hi all,
Using an SS Before Provisioning rule for the delete operation, updating the attribute values to null, like jobtitle = null, the account got deleted. But after aggregating, the account got created in the target. What might be the issue? I tried a few identities; all identities get created after aggregating. What might be the issue for the recreation? I need to delete the account if its LCS changed to Inactive. How do I resolve this?
@kani1,
I need a bit more detail on the issue you are facing. Could you please explain, when you update jobtitle=null in the identity, whether it is getting deleted in the target or just in the IdentityNow Source? It looks like the account is not getting deleted in the target application, and after aggregation your link comes back. What is the correlation you have used for Source SS?
Yes, it's getting deleted in ISC but it's not getting removed in the target system. The correlation used is Email.
Hi @kani1,
Have you checked any Role/Access Profile you are using to assign access which is overriding this behavior?
Thanks
@kani1 Can you check with one of the users for which you did not provide any access (entitlement) from the SailPoint request center? What I am assuming is that maybe it is happening because of sticky entitlement, as I have mentioned in your other post.
If not, please check if the account is getting deleted at the target end before running the aggregation. What might happen is that maybe the account is getting deleted from ISC but not from the target, and the next aggregation is bringing it back.
Hi,
As I mentioned earlier, it's a sticky entitlement. How do I delete an account from the target as well? I can't delete every sticky entitlement from the account manually every time. So I have this condition to update the attributes, job_/title and entitlements, as null when LCS changes to Inactive, and no other creation of the accounts must be triggered after aggregation. Can someone guide me on that?
@kani1 At this moment it seems like Access Profile is the good option.
But if you want to go with entitlements only, then you may make use of a before provisioning rule to remove these entitlements, or even explore workflows.
You definitely need to let IDN know that the previously requested entitlements (from the request center) are removed from SailPoint. Otherwise, when you aggregate the account, SailPoint observes that the previously requested entitlement is not intact, and since you did not remove it from SailPoint, it will retry in every identity refresh, as entitlements are sticky in nature.
Hi @kani1,
I found this post for removing those sticky entitlements. I think a workflow will be your best option.
There are steps on how to use workflows to remove those entitlements. Please follow that and let us know how it goes!
Thanks!
Hi @kani1,
I agree with @ashutosh08. Please check if the access to the source is being assigned through automated assignment, either through lifecycleState or Access Profile assignment.