Propagate Role Changes

Note: IdentityIQ does not propagate role changes for entitlements on applications that do not support direct provisioning and would require the creation of multiple work items. If required, a business process can be enabled in the System Configuration settings to handle that situation.

Note: Entitlements that were detected are not removed from an identity during role propagation unless they are also part of an assignment. Only entitlements that were assigned, individually or as part of a role assignment, are removed during propagation.

The Propagate Role Changes task updates any identities that have assigned roles whose associated entitlements have changed. This is the only task that can propagate the removal of entitlements from an assigned role.

Option – Description

  • Number of minutes task should run – The number of minutes for the task to run. The task stops only after finishing the current event processing.

  • Check active policies – Scan for active policies and apply them to the identities included in the task.

  • Keep previous violations – Mark old policies as inactive but do not delete them.

  • A comma separated list of specific policy names. When set, this overrides the default policies. Scan for and apply only the policies in this list to the identities included in this task.

  • Enable Partition – Allow the task to split into partitions and run across multiple threads and hosts, if available.

  • Maximum failures before event pruning – Sets the number of times a role change event can fail to progress before it is pruned. A failure to progress means zero successes for the event during the task run. Events that are blocked by other pending events are not counted as failing to progress. If this value is left blank, the event is never pruned and stays in the queue until it has been fully processed.

  • Maximum failure threshold – Limits how many identities can fail to be provisioned by a single role change event, expressed as a percentage of the total number of identities affected by the event. All partitions for a role change event are allowed to run to completion; once they finish, the transition request computes the actual failure percentage and compares it to the maximum failure threshold. If the percentage is exceeded, the propagation terminates. Note that a single role change event does not stop as soon as it hits the maximum; rather, once an event exceeds the maximum, no subsequent events are processed.
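The pruning and threshold rules above, as an added Python model of the queue semantics (this is not IdentityIQ code; the event names, identities and failure outcomes are constructed). It shows that an event exceeding the threshold still runs to completion and only stops later events, that blocked events do not count as failing to progress, and that an event is pruned only after the configured number of zero-success runs.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class RoleChangeEvent:
    """One queued role change event (constructed model, not an IdentityIQ class)."""
    name: str
    identities: list                           # identities still to be provisioned
    failing: set = field(default_factory=set)  # identities whose provisioning fails
    blocked_by: Optional[str] = None           # pending event this one waits for
    zero_progress_runs: int = 0                # runs with zero successes so far

def run_task(queue, max_failures_before_prune=None, max_failure_threshold=None):
    """One run over `queue` (modified in place); returns completed, pruned and
    pending event names and whether the run terminated on the threshold."""
    completed, pruned, terminated = [], [], False
    for event in list(queue):
        if terminated:
            break                   # an earlier event exceeded the threshold
        if event.blocked_by and any(e.name == event.blocked_by for e in queue):
            continue                # blocked events are not "failing to progress"
        total = len(event.identities)
        failed = [i for i in event.identities if i in event.failing]
        event.identities = failed   # identities that succeeded leave the event
        if not failed:
            completed.append(event.name)
            queue.remove(event)
        elif len(failed) == total:  # zero successes during this run
            event.zero_progress_runs += 1
            if (max_failures_before_prune is not None
                    and event.zero_progress_runs >= max_failures_before_prune):
                pruned.append(event.name)
                queue.remove(event)
        # the failure percentage is compared only after the whole event has run
        failure_pct = 100.0 * len(failed) / total if total else 0.0
        if max_failure_threshold is not None and failure_pct > max_failure_threshold:
            terminated = True       # this event finished; later events are not started
    return {"completed": completed, "pruned": pruned,
            "pending": [e.name for e in queue], "terminated": terminated}

def sample_queue():
    """Constructed events: A fails for one of four identities, B waits on A,
    C fails for its only identity, D succeeds."""
    return [
        RoleChangeEvent("A", ["alice", "bob", "carol", "dave"], failing={"dave"}),
        RoleChangeEvent("B", ["erin"], blocked_by="A"),
        RoleChangeEvent("C", ["frank"], failing={"frank"}),
        RoleChangeEvent("D", ["grace", "heidi"]),
    ]
```

With a threshold of 20, event A (25% failed) completes its run and the task terminates before B, C and D; with no threshold and a prune limit of 2, repeated runs prune C and then A, after which B is no longer blocked and completes.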

Once you have completed customizing your task options, click Save for later use or Save and Execute to save the task and run it immediately.

After executing the task, the Task Result page displays the following output:

  • Number of Identity Updates – displays the total number of identity updates propagated. This differs from the number of identities updated, because multiple role events can include the same identities, and those identities are counted once for each role event.

  • Number of Events Processed – displays the total number of role events propagated. This is not the number of role modifications but the number of role change events in the queue; a single role modification can result in multiple role change events in the queue.

  • Number of Events Pending – displays the total number of pending role change events in the queue. If no timeout is defined, the Role Propagation task completes only after propagating all the events. If a timeout is defined, there may be pending events in the queue even after the task completes successfully.

  • Number of Events with No Impacted Identities – displays the total number of events that have no impact on any identities. This count is based on bundles that are not directly assigned to any identity.

  • Role change events are propagated sequentially and are not consolidated to cancel out redundant changes.

  • If the Refresh Identity task is run before the Role Propagation task and it adds entitlements as part of the role changes, processing the role change event through the Role Propagation task is redundant.

  • If a transaction returns a retry status, the transaction is marked as failed and the Role Propagation task stops.

  • While adding an entitlement, if the account is missing, the transaction is marked as failed and the Role Propagation task stops. Run the Refresh Identity task to resolve this.

  • While processing an event, if the target system returns the following exception, the task remains blocked until the events are successfully processed:

    mandatory group cannot be removed

    This issue can be resolved by deleting the event from the database.

  • While the Role Propagation task is running, any events that a user creates in the database are not processed by the current run. They are processed the next time the task runs.