Hi All,
In this document, I would like to tell about a use case that deals with groups with roles in SailPoint IdentityIQ. I have a group called secIAM-test1. And this group has been used in a role called IAM: TestRole.
Now, the user is requested to remove the group from manage use access, submitted request. As usual, it went for approvals and got approved as well. After provisioning is completed, if you see the user, the user still has the group. It didn’t remove from identity. Why? Let me explain the debugging and issue below.
For debugging step by step, check the access request first.
If you see the access request in which there are filtered items, in that the group was filtered to do provisioning.
To know why this is being filtrated, check the access request from the debug page to get more information about it. And look for Filtered option.
This is filtering out because there is some dependency for this group. It is because of the role that contains the group, and the role was already assigned to the user. And the user is trying to remove that which is conflict so that SailPoint will filter such kinds of requests and won’t do provisioning, which means don’t remove from the user.
As long as the user has the role, SailPoint won’t remove the group if you try multiple times. So that it is very important that the groups whatever you are putting or using in the role is should be used wisely. And those groups can’t be removed from the user. All we can do is remove the role from the identity (but there might be a chance to lose the other group’s membership if other groups are in the role). So be careful while creating roles and what are the groups we have to add to them.
Even it won’t give any alert that you can’t remove the group since it is part of another role. So, you have to do cusomization for that again. While requesting the group for adding, it will give an alert that the group is already assigned to the user. But in remove it is not.