Roles and multiple accounts per application

  • 7011182
  • 21-Sep-2011
  • 19-Oct-2012

Resolution

If an identity can hold more than one account on the same application, and you are using roles in IdentityIQ to detect entitlements on that application, you must design the role structure so that each entitlement the role requires sits in its own profile. A profile is matched against one account (link) at a time, so a single profile that requires two entitlements can only be satisfied by an account that holds both of them; it is never satisfied by two accounts that hold one each.

Let's examine the following scenario:

1- (IIQ Identity) John Doe
        (account 1 on Active Directory) jdoe
            (entitlement) DBA
        (account 2 on Active Directory) jdoe2
            (entitlement) ADMIN

2- (IT role) Super User
        (profile) must have DBA and ADMIN entitlements on same app

3- Run an identity refresh: the role is NOT detected, because neither jdoe nor jdoe2 holds both DBA and ADMIN.

4- Break the single profile into two separate profiles, one per entitlement, like so:

5- (IT role) Super User
        (profile) must have DBA on app
        (profile) must have ADMIN on app

6- Run an identity refresh again: the role IS detected, since the DBA profile is satisfied by jdoe and the ADMIN profile by jdoe2.
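
The two role shapes above, written out as IdentityIQ object XML. This is an added illustration, not XML taken from the original article or from a SailPoint deliverable; it assumes the AD application is defined as "Active Directory", that group membership is held in the `memberOf` attribute, and that the role uses the default "it" role type. The bundle names, application name and attribute name are placeholders to adjust for your environment.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE sailpoint PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<sailpoint>

  <!-- Shape 1 (step 2 above): one profile that requires BOTH groups on the
       same account. With jdoe holding only DBA and jdoe2 holding only ADMIN,
       no single account satisfies the CONTAINS_ALL filter, so the role is
       NOT detected. Kept here only for comparison; do not import it as-is. -->
  <Bundle name="Super User (single profile, not detected)" type="it">
    <Profiles>
      <Profile>
        <ApplicationRef>
          <!-- assumed application name -->
          <Reference class="sailpoint.object.Application" name="Active Directory"/>
        </ApplicationRef>
        <Constraints>
          <!-- assumed attribute name: memberOf -->
          <Filter operation="CONTAINS_ALL" property="memberOf">
            <Value>
              <List>
                <String>DBA</String>
                <String>ADMIN</String>
              </List>
            </Value>
          </Filter>
        </Constraints>
      </Profile>
    </Profiles>
  </Bundle>

  <!-- Shape 2 (step 5 above): one profile per entitlement. Each profile is
       satisfied by whichever account holds that group (DBA by jdoe, ADMIN by
       jdoe2), so the role IS detected on the next identity refresh. -->
  <Bundle name="Super User" type="it">
    <Profiles>
      <Profile>
        <ApplicationRef>
          <Reference class="sailpoint.object.Application" name="Active Directory"/>
        </ApplicationRef>
        <Constraints>
          <Filter operation="CONTAINS_ALL" property="memberOf">
            <Value>
              <List>
                <String>DBA</String>
              </List>
            </Value>
          </Filter>
        </Constraints>
      </Profile>
      <Profile>
        <ApplicationRef>
          <Reference class="sailpoint.object.Application" name="Active Directory"/>
        </ApplicationRef>
        <Constraints>
          <Filter operation="CONTAINS_ALL" property="memberOf">
            <Value>
              <List>
                <String>ADMIN</String>
              </List>
            </Value>
          </Filter>
        </Constraints>
      </Profile>
    </Profiles>
  </Bundle>

</sailpoint>
```

To check the behaviour, import the file (for example with the `import` command in the iiq console), run the Identity Refresh task with role detection enabled, and confirm on John Doe's identity that "Super User" appears under detected roles while the single-profile variant does not.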


Note:

If you create a certification and revoke the role from the identity, the version of IdentityIQ matters:

(pre 5.2) Only one of the two entitlements is revoked (ETN 8048, fixed in 5.2).
(5.2) Both entitlements are revoked.

On pre-5.2 versions, verify after the certification completes that both accounts (jdoe and jdoe2) have actually lost their entitlement, and remove the remaining one manually if it is still present.