Access Profile Active Directory Entitlements Dropping off

Within our tenant we noticed that entitlements from Active Directory would drop off periodically from the access profiles, which essentially means the Active Directory group stops being managed by SailPoint. We noticed this occurs when OU changes, name changes or other changes occur to the Active Directory group. SailPoint does not seem to utilize the SID on Active Directory groups to identify them and tie them to the access profiles, but instead utilizes the DN.

Any suggestions on identifying when these access profiles lose their Active Directory entitlement? One of my thoughts was to try and identify and alert on access profiles that drop down to 0. Are there any suggestions on how to at least identify when this occurs, without having to wait until a user loses access and investigate, only to find out that an entitlement has dropped off, as well as a way to potentially alert on this? I have attempted to utilize Splunk for this, but there is no log from SailPoint regarding an entitlement dropping from an access profile, and alerting on any change to a group within Active Directory would just create an immense amount of noise. Any suggestions or ideas would be greatly appreciated.
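One way to get the "access profile drops to 0 entitlements" signal the question proposes, as an added example that is not code from the thread or from SailPoint: take a periodic snapshot of the tenant's access profiles, diff it against the previous snapshot, and emit a key=value line per profile that went from having entitlements to having none, which Splunk can ingest and alert on. The snapshot shape (id, name, entitlements[]) mirrors an access-profile listing; the fetch helper assumes the IdentityNow v3 endpoint `GET /v3/access-profiles` with a bearer token and `limit`/`offset` paging, which is an assumption and is not exercised here. The two snapshots are constructed sample data so the detection logic runs offline.

```python
"""Detect access profiles whose entitlements have dropped off between two snapshots.

Added example, not from the forum thread. The API call shape is an assumption;
the comparison logic runs on constructed sample data.
"""
import json
import urllib.request
from typing import Dict, List

# Constructed sample: yesterday's snapshot of access profiles.
PREVIOUS_SNAPSHOT = [
    {"id": "ap-0001", "name": "Finance - GL Readers",
     "entitlements": [{"id": "ent-1", "type": "ENTITLEMENT",
                       "name": "CN=GL_Readers,OU=Finance,DC=corp,DC=example"}]},
    {"id": "ap-0002", "name": "IT - Helpdesk",
     "entitlements": [{"id": "ent-2", "type": "ENTITLEMENT", "name": "CN=Helpdesk,OU=IT,DC=corp,DC=example"},
                      {"id": "ent-3", "type": "ENTITLEMENT", "name": "CN=TicketApp,OU=IT,DC=corp,DC=example"}]},
    {"id": "ap-0003", "name": "Legacy - Empty", "entitlements": []},
]

# Constructed sample: today's snapshot. The Finance group was moved to another OU,
# so its DN no longer matches and the entitlement has vanished from the profile.
CURRENT_SNAPSHOT = [
    {"id": "ap-0001", "name": "Finance - GL Readers", "entitlements": []},
    {"id": "ap-0002", "name": "IT - Helpdesk",
     "entitlements": [{"id": "ent-2", "type": "ENTITLEMENT", "name": "CN=Helpdesk,OU=IT,DC=corp,DC=example"},
                      {"id": "ent-3", "type": "ENTITLEMENT", "name": "CN=TicketApp,OU=IT,DC=corp,DC=example"}]},
    {"id": "ap-0003", "name": "Legacy - Empty", "entitlements": []},
    {"id": "ap-0004", "name": "New - Not Yet Populated", "entitlements": []},
]


def entitlement_count(profile: Dict) -> int:
    """Number of entitlements currently attached to an access profile."""
    return len(profile.get("entitlements") or [])


def profiles_with_zero_entitlements(snapshot: List[Dict]) -> List[str]:
    """Names of every profile that currently has no entitlements (noisy on its own:
    it includes profiles that were always empty or are still being built)."""
    return [p["name"] for p in snapshot if entitlement_count(p) == 0]


def find_dropped_profiles(previous: List[Dict], current: List[Dict]) -> List[Dict]:
    """Profiles that had entitlements in the previous snapshot and have none now.

    Profiles absent from the current snapshot are skipped: deletion of a profile
    is a different event from an entitlement silently dropping off.
    """
    current_by_id = {p["id"]: p for p in current}
    dropped = []
    for before in previous:
        after = current_by_id.get(before["id"])
        if after is None:
            continue
        before_n, after_n = entitlement_count(before), entitlement_count(after)
        if before_n > 0 and after_n == 0:
            dropped.append({"id": before["id"], "name": before["name"],
                            "before": before_n, "after": after_n,
                            "lost": [e["name"] for e in before["entitlements"]]})
    return dropped


def format_alert_lines(dropped: List[Dict]) -> List[str]:
    """One key=value line per dropped profile, suitable for a Splunk file input."""
    return [
        'event=access_profile_entitlements_dropped profile_id={id} profile_name="{name}" '
        'before={before} after={after} lost="{lost}"'.format(
            id=d["id"], name=d["name"], before=d["before"], after=d["after"], lost=";".join(d["lost"]))
        for d in dropped
    ]


def fetch_access_profiles(base_url: str, token: str, page_size: int = 250) -> List[Dict]:
    """Pull all access profiles from the tenant (ASSUMED endpoint and paging params).

    Assumes GET {base_url}/v3/access-profiles?limit=N&offset=M with a bearer token.
    Not called by the offline sample run.
    """
    profiles, offset = [], 0
    while True:
        req = urllib.request.Request(
            f"{base_url}/v3/access-profiles?limit={page_size}&offset={offset}",
            headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        profiles.extend(page)
        if len(page) < page_size:
            return profiles
        offset += page_size


if __name__ == "__main__":
    for line in format_alert_lines(find_dropped_profiles(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT)):
        print(line)
```

Run on a schedule, write the current snapshot to disk after each run so it becomes the next run's `previous`, and point Splunk at the emitted lines. Comparing snapshots rather than alerting on every empty profile is what keeps the noise down: a profile that was always empty, or a new one not yet populated, never fires.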

Hi @cwellman
If you’re noticing IDN losing a few entitlements when the OU of an AD group changes, maybe take a look at the group settings from the configuration page to see what’s the search scope defined for AD groups. If you think you can benefit from a broader scope, or a scope with a specific LDAP filter, try using one that accounts for the other OUs to which you see the groups moving. That way IDN will always see the groups even if they seem to move between OUs, and potentially solve the drop-off behavior.

I’m not entirely aware of alerts for changes, but consider exploring Search with one of these event types: Search Overview - SailPoint Identity Services
