I am trying to troubleshoot some data inconsistencies in our production environment. I think some process may need to run to update this information. If I understood how this information was managed, I think I could better understand why it is inconsistent and perhaps have a plan to fix it.
We have requestable Business Roles that require non-requestable IT Roles, that in turn connect to Entitlements, and the Entitlements are memberships in Microsoft Active Directory Security Groups.
When three matching items (assigned and detected roles, plus memberOf entitlement) appear in the UI on the “entitlements” tab for a given Identity, the expectation is that the Assigned Role’s name appears in the Allowed By column. While this is often the case, about half of the time (and increasingly?) this column is empty.
As I looked deeper, and into the database, in the spt_identity_entitlement table I see quite a disparity in the amount of data in the Attributes column for rows having name=“memberOf”.
The “good” case looks like below, sometimes having only one of these entry elements, but for 45% of the rows it is null.
<Attributes>
  <Map>
    <entry key="sourceAssignableRoles" value="Business_RoleName"/>
    <entry key="sourceDetectedRoles" value="IT_RoleName"/>
  </Map>
</Attributes>
And in the UI: green rectangle is expected behavior, red is where the Attributes column is null.
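To quantify the inconsistency described in the post before and after any corrective process is run, here is an added audit script (my own example, not part of the original post and not SailPoint code). It parses the Attributes XML shape shown above for memberOf rows of spt_identity_entitlement and buckets each row by whether a sourceAssignableRoles entry (the value that should populate Allowed By), only a sourceDetectedRoles entry, or nothing at all is present. The row shape (a dict with identity, name, value and attributes keys) and the sample rows are constructed assumptions about how a database fetch would be exposed; only the column names name and Attributes and the entry keys come from the post. It also assumes the scalar entry-attribute form shown in the post; a Map value serialized as a nested element would need a different reader.

```python
"""Audit helper for the spt_identity_entitlement Attributes XML described above.

Added example, not from the original post. Assumes each row is a dict with the
keys identity, name, value and attributes, where attributes is the XML text of
the Attributes column or None when that column is null.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Entry keys seen in the post's "good" case.
ROLE_SOURCE_KEYS = ("sourceAssignableRoles", "sourceDetectedRoles")

# Constructed sample rows (not real production data) covering the cases the
# post describes: both entries, only one entry, and a null Attributes column.
SAMPLE_ROWS = [
    {"identity": "alice", "name": "memberOf",
     "value": "CN=App-Admins,OU=Groups,DC=example,DC=com",
     "attributes": '<Attributes><Map>'
                   '<entry key="sourceAssignableRoles" value="Business_RoleName"/>'
                   '<entry key="sourceDetectedRoles" value="IT_RoleName"/>'
                   '</Map></Attributes>'},
    {"identity": "bob", "name": "memberOf",
     "value": "CN=App-Admins,OU=Groups,DC=example,DC=com",
     "attributes": '<Attributes><Map>'
                   '<entry key="sourceAssignableRoles" value="Business_RoleName"/>'
                   '</Map></Attributes>'},
    {"identity": "carol", "name": "memberOf",
     "value": "CN=App-Admins,OU=Groups,DC=example,DC=com",
     "attributes": '<Attributes><Map>'
                   '<entry key="sourceDetectedRoles" value="IT_RoleName"/>'
                   '</Map></Attributes>'},
    {"identity": "dave", "name": "memberOf",
     "value": "CN=App-Admins,OU=Groups,DC=example,DC=com", "attributes": None},
    {"identity": "erin", "name": "memberOf",
     "value": "CN=App-Admins,OU=Groups,DC=example,DC=com", "attributes": None},
    {"identity": "frank", "name": "memberOf",
     "value": "CN=App-Admins,OU=Groups,DC=example,DC=com",
     "attributes": "<Attributes><Map/></Attributes>"},  # map present but empty
    {"identity": "alice", "name": "title", "value": "Engineer", "attributes": None},
]


def parse_role_sources(attributes_xml):
    """Return {key: value} for the role-source entries in the Attributes XML.

    A null/empty column yields {}. Only the scalar value="..." form shown in
    the post is read (assumption: list-valued entries are not handled here).
    """
    if not attributes_xml:
        return {}
    root = ET.fromstring(attributes_xml)
    found = {}
    for entry in root.iter("entry"):
        key, value = entry.get("key"), entry.get("value")
        if key in ROLE_SOURCE_KEYS and value:
            found[key] = value
    return found


def classify_row(row):
    """Bucket a row: assigned (Allowed By should show), detected_only, no_source, other."""
    if row["name"] != "memberOf":
        return "other"
    sources = parse_role_sources(row["attributes"])
    if "sourceAssignableRoles" in sources:
        return "assigned"
    if "sourceDetectedRoles" in sources:
        return "detected_only"
    return "no_source"


def summarize(rows):
    """Count rows per bucket, the figure to compare before and after a refresh."""
    return Counter(classify_row(r) for r in rows)


def null_source_ratio(rows):
    """Fraction of memberOf rows carrying no role-source entry at all."""
    memberof = [r for r in rows if r["name"] == "memberOf"]
    if not memberof:
        return 0.0
    missing = sum(1 for r in memberof if classify_row(r) == "no_source")
    return missing / len(memberof)


def identities_missing_source(rows):
    """Sorted identities whose memberOf rows lack any role source; a target list for a fix."""
    return sorted({r["identity"] for r in rows if classify_row(r) == "no_source"})


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_ROWS)))
    print(f"memberOf rows with no source: {null_source_ratio(SAMPLE_ROWS):.0%}")
    print("identities to re-check:", identities_missing_source(SAMPLE_ROWS))
```

Swap SAMPLE_ROWS for the result of a SELECT of the same columns from spt_identity_entitlement (read-only) and the no_source bucket gives the same population the post measured by hand as 45% null, plus the rows whose Attributes map exists but is empty, which a simple IS NULL check would miss.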