Identity-Refresh-Driven Assignments

You can use the following options on an Identity Refresh task to generate provisioning requests for identities:

  • Refresh assigned, detected roles and promote additional entitlements – creates provisioning requests for IdentityIQ to add roles in the Identity Cube.

  • Provision assignments – creates provisioning requests that apply to external applications.

The following table describes these options in more detail:

Option: Refresh assigned, detected roles and promote additional entitlements

Description: Runs the defined assignment rules for roles and examines role detection profiles to update the Assigned and Detected role lists for the identity.

This option does NOT provision access in external systems.

Option: Provision assignments

Description: Generates provisioning requests to add entitlements required by the currently assigned roles, which can include:

  • Entitlements for newly assigned roles

  • Entitlements missing from previously assigned roles

If a role was previously assigned through an automatic assignment rule and the rule no longer returns true, provisioning requests are generated to remove the entitlements that the role requires. If another assigned role requires those entitlements, they are not removed.

Note: By default, the entitlements associated with a role are deprovisioned when the role is removed from an identity. The Disable deprovisioning of deassigned roles option overrides that default and leaves the entitlements intact for the identity while the role is removed.
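The add and remove rules described above, written out as a small model. This is an added example, not IdentityIQ code and not its API; the role names, entitlement names and function names are constructed, and it assumes every previously assigned role came from an automatic assignment rule.

```python
# Illustrative model of the behavior described above. Not IdentityIQ code.
# Constructed sample data: role name -> entitlements the role requires.
ROLE_ENTITLEMENTS = {
    "Finance Analyst": {"erp:gl_read", "erp:report_run"},
    "Auditor": {"erp:gl_read", "audit:log_read"},
}

def required_by(roles):
    """Union of the entitlements required by a set of roles."""
    required = set()
    for role in roles:
        required |= ROLE_ENTITLEMENTS[role]
    return required

def plan_provisioning(current, previously_assigned, now_assigned,
                      disable_deprovisioning=False):
    """Return (to_add, to_remove) entitlement sets for one identity.

    current: entitlements the identity holds in external applications.
    previously_assigned / now_assigned: role sets before and after the
    assignment rules ran (assumption: all were rule-assigned).
    """
    required = required_by(now_assigned)
    # Covers newly assigned roles and gaps in roles that were already assigned.
    to_add = required - current
    to_remove = set()
    if not disable_deprovisioning:
        for role in previously_assigned - now_assigned:
            # Entitlements still required by another assigned role are kept.
            to_remove |= (ROLE_ENTITLEMENTS[role] & current) - required
    return to_add, to_remove

def unbacked_entitlements(current, now_assigned):
    """Entitlements held that no currently assigned role requires.

    With deprovisioning disabled, entitlements of a removed role end up
    here; in this model there is no direct (non-role) assignment.
    """
    return current - required_by(now_assigned)
```

Running unbacked_entitlements after a refresh with disable_deprovisioning=True lists the access that stayed on the identity after its role was removed, which is the set an access review would need to look at.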