Hi All,

We have IDM 4.6 on Windows and we have AD, SAP, Mainframe etc. drivers. We have a role-based provisioning method in the target application to assign groups in AD and roles in SAP systems.

We have an issue in the Group method of role provisioning. Example: we have 50 SAP roles in IDM, each mapped to 1 respective resource (tech role in SAP).
Of those 50 roles, 2 of the roles are assigned using group membership.

Like: SAP001 role is assigned to Group001 in IDM. So if any user is added to the Group001, the user gets the SAP001 role in SAP.

But we have an issue with this type of assignment. We could see that when the role is assigned, the DirXML-EntitlementRef attribute gets updated with entitlement info and status code #1#. 1 means provisioned.

After a few days, the entitlement ref value for the group-based role becomes '0' and this removes the SAP role in the target.

When I see the roles assigned in IDM, IDM shows that the user has the role but in SAP it is not assigned.

So, we see the entitlementref attribute for the group-based role becoming zero after some time. We have seen this issue a lot of times for other Group roles as well.
And we do not have any logs in eDirectory showing how it became zero.

Kindly help: is this type of group-based role assignment recommended, and why does the entitlementref attribute become zero, and what is the reason?

Thanks in advance

-dk