Version 8.3
Why does Sailpoint not allow a user to remove an entitlement if it is not part of an assigned role but is on a detected role?
Also, if there is no way around being able to remove an entitlement from a user and we have to remove it from the role so they can, how long does it take Sailpoint to update before they can submit a request?
Thank you!
Usually, it is recommended to have assignment criteria or IdentitySelector rule to avoid accidental provisioning/deprovisioning. Have you explored that option?
Is there any particular error you are getting when you try to remove the entitlement? Generaly IIQ should not limit you in removal of managed attributes unless you limit it on the quicklink definition level.
I am also facing similar issue. Any help is appreciated.
Hello @Unique, what is the issue you are facing exactly and what is error you are getting?
@Vb_Bellamkonda When I delete entitlement from entitlement catalogue, the entitlement in roles is broken. All the identities with that role are unable to go through role propagation. Basically, it is not reflecting throughout role and its identities.
I am seeing the same behavior. Basically I am unable to remove an entitlement that’s is contained in detected role via Manager User Access. Only the IT role shows up under the remove access tab. So what is the guidance to remove only lets say 1 out of the 6 entitlements and not the entire IT role and all 6 of its entitlements?
Note this role is detected and not assigned. Application only wants to remove one of the entitlements and keep the rest for that particular user. This means its not role update.
Hello Shawn,
I am also stuck at exactly this requirement where a user needs to submit an access request to remove some of the entitlements part of the detected roles but not able to do so. Were you able to get any help on this regards ?
Thanks,
Sai Kiran.
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.