On the last day of access, which process or task actually triggers the deprovisioning of a role with a sunset date for a user?
During this deprovisioning, is an access request created, or does it happen automatically without a request?
Also, where in the system can we track or audit this role removal change?
When you place a request in Manage Access with sunset dates, a task is immediately created to remove the same access from the user once it gets provisioned.
During this deprovisioning, it happens automatically without a request.
The OOTB Audit for role sunrise/sunset is enabled by default. To check this, go to Advanced Analytics → Search Type: Audit → Select Action: Role Removed. Please check the screenshot below for the results.
@Narahari OOTB Scheduled Assignment doesn't create a new access request while doing the sunset. Instead, it calls the Identity library for the necessary compilation and validation and directly calls the Provision With Retries workflow to do the deprovisioning.
If you want to generate more specific audits, or create an access request, you might want to modify this workflow by passing the plan to your LCM workflow. This should create an access request for you.
There are two tasks which trigger the sunset and sunrise. One is the Perform Maintenance task and the second is Check Sunset Requests. The sunset and sunrise mechanism works on a fire-and-forget principle. To invoke these tasks, you should run these tasks.
Perform Maintenance task (Sunrise)
Check Sunset Requests.
3rd question answer: You can check two places. One is the debug page, filtered with Request Object based on the days result expiration threshold. It will show when it is triggered and fired at sunrise and sunset. The second place is the Administrator Console > Provisioning Transactions.