Sticky entitlement

srimathiraman · November 10, 2021, 2:47pm

Hi,
As part of leavers, we assign an access profile to trigger the before provisioning rule. In Before provisioning rule for AD we are trying to remove all the AD entitlements.

Scenario1
User does not have entitlement that was granted as part of access request from IDN. Before provisioning works fine and it removes all entitlements.

Scenario2
User have entitlement that was granted as part of access request from IDN. Before provisioning works fine and it removes all entitlements. However after running the AD aggregation and identity refresh the entitlements assigned via the access request is getting assigned back.
I have seen this similar sticky entitlement issue in Sailpoint IdentityIQ.
https://community.sailpoint.com/t5/IdentityIQ-Wiki/What-s-sticky-AttributeAssignment-and-how-to-delete-it/ta-p/194560

Question: Do we have sticky entitlement or Access profile in IDN?

Thanks,
Srimathi

srimathiraman · November 15, 2021, 12:52pm

@colin_mckibben , Is Sticky entitlement issue there in IdentityNow as well?

chirag_patel · July 4, 2022, 5:14am

It is there if you use “Roles” in request centre but if you use “Applications” in request centre you would not see this issue.
Roles are refreshed as part of scheduled refresh but applications are not. Though you can only have one source under application and cannot combine access from different sources like roles.

tuliszet · July 4, 2022, 7:20am

I’m not quite sure that it happens only if “Roles” are used.
We have some very troublesome situations in our tenants related to those “Sticky Entitlements” for SCIM Sources.

Scenario:

Entitlement was granted as part of IdN Access Request. The request was made for requestable entitlement so not linked to the specific application.
Later in time, these permissions were deleted on the source side. After entitlement aggregation, it was also deleted from IdN.
From now on, IdN is constantly trying to reassign this deleted entitlement to users that have it before it was removed as permission on the source side.

This is very very troublesome behavior. Is there any way to control/disable this ‘automatic reassignment’?

chirag_patel · July 4, 2022, 10:19am

This should be looked by support. Deletion of entitlement has always been somewhat tricky considering entitlements come from 2 different aggregation dataset. There was change made in past to consider entitlement aggregation as source of truth even though they are coming from account aggregation.

udayputta · January 3, 2023, 11:25am

Hi Srimathi Raman,

Can I know if you have fixed this sticky entitlement issue. If yes can we know how did you resolve this. We are also facing similar problem in identity now and trying to get it resolved with SailPoint team.

Thank,
Uday

Topic		Replies	Views
AD Entitlement Provisioning to Inactive Identities ISC Discussion and Questions identity-security-cloud , provisioning , access-requests , entitlements	5	715	July 21, 2023
Remove the entitlements assigned via entitlements request, when a user gets disabled for SAP direct connector ISC Discussion and Questions rules , identity-security-cloud , provisioning , entitlements	4	791	July 28, 2023
How to remove entitlements granted via request on IDN ISC Discussion and Questions identity-security-cloud , access-requests , entitlements	16	1031	March 19, 2024
Identity Refresh in IdentityNow ISC Discussion and Questions identity-security-cloud , entitlements	5	71	September 12, 2024
Retaining the Previous entitlements IIQ Discussion and Questions identityiq , entitlements	7	771	November 28, 2023

Sticky entitlement

Related Topics