Access Profiles: Entitlements missing after source entitlement aggregation

I was wondering if anyone else has run into access profiles losing entitlements without notification after a rename?

We had an AD entitlement/group that was renamed on the source, and when we aggregated the entitlements for that AD source, I noticed that the access profile that was initially configured with that entitlement no longer had it. I checked the users, and the users still retained the renamed AD entitlement/group and still had the access profile (since they still had the other required access).

This seems like it could be a big issue if the Source Teams rename entitlements and they drop from Access Profiles without notice. Unsure if it happens with other sources besides AD or not.

@gmilunich

IdentityNow uses the Distinguished Name (DN) as the unique identifier for entitlements. If the Common Name (CN) or Organizational Unit (OU) of an entitlement is modified directly in the source system, IdentityNow will treat it as a new entitlement. As a result, any existing configurations in IdentityNow associated with the old DN will no longer apply to the entitlement with the updated DN.

This impacts access profiles, roles, approval workflow, requestable configuration…
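Because the DN is the entitlement key, the practical check is to compare two aggregation snapshots by objectGUID (which AD keeps stable across a rename or OU move) and report every DN an access profile still references that no longer exists. The following is an added example, not SailPoint code or any IdentityNow API: the snapshots, GUIDs, group names and the `AccessProfile` model are constructed for illustration, and a real run would feed it entitlement and access-profile exports.

```python
"""Flag AD group renames that would silently drop entitlements from access
profiles.  IdentityNow keys AD entitlements by DN, so when CN or OU changes
the old DN disappears and the new DN arrives as an unrelated entitlement.
objectGUID does not change on rename, so diffing two snapshots by GUID
exposes exactly those cases.  Constructed example data, not a real tenant.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class AdGroup:
    object_guid: str   # stable across renames and OU moves
    dn: str            # the value IdentityNow uses as the entitlement id


@dataclass
class AccessProfile:
    name: str
    entitlement_dns: list[str] = field(default_factory=list)


def dn_changes(before: list[AdGroup], after: list[AdGroup]) -> dict[str, str]:
    """Map old DN -> new DN for groups whose GUID survived but whose DN differs.

    Comparison is deliberately exact: any textual change to the DN is treated
    as a rename, since that is what would produce a new entitlement.
    """
    after_by_guid = {g.object_guid: g for g in after}
    changes: dict[str, str] = {}
    for old in before:
        new = after_by_guid.get(old.object_guid)
        if new is not None and new.dn != old.dn:
            changes[old.dn] = new.dn
    return changes


def orphaned_entitlements(
    profiles: list[AccessProfile],
    before: list[AdGroup],
    after: list[AdGroup],
) -> dict[str, list[tuple[str, Optional[str]]]]:
    """Return {profile: [(referenced_dn, replacement_dn_or_None), ...]}.

    A replacement DN means the group was renamed (the reference can be
    re-pointed); None means the group is gone from the source entirely.
    """
    changes = dn_changes(before, after)
    live_dns = {g.dn for g in after}
    report: dict[str, list[tuple[str, Optional[str]]]] = {}
    for profile in profiles:
        hits = [(dn, changes.get(dn)) for dn in profile.entitlement_dns
                if dn not in live_dns]
        if hits:
            report[profile.name] = hits
    return report


# --- constructed sample snapshots (hypothetical GUIDs, groups and profiles) ---
FIN_OLD = "CN=App-Finance-Users,OU=Groups,DC=corp,DC=example"
FIN_NEW = "CN=Finance-App-Users,OU=Groups,DC=corp,DC=example"   # renamed CN
VPN = "CN=VPN-Users,OU=Groups,DC=corp,DC=example"
LEGACY = "CN=Legacy-Share,OU=Groups,DC=corp,DC=example"

BEFORE = [AdGroup("guid-0001", FIN_OLD), AdGroup("guid-0002", VPN),
          AdGroup("guid-0003", LEGACY)]
AFTER = [AdGroup("guid-0001", FIN_NEW), AdGroup("guid-0002", VPN)]  # LEGACY deleted

PROFILES = [AccessProfile("Finance Analyst", [FIN_OLD, VPN]),
            AccessProfile("Legacy File Access", [LEGACY])]

if __name__ == "__main__":
    for name, hits in orphaned_entitlements(PROFILES, BEFORE, AFTER).items():
        for old_dn, new_dn in hits:
            verdict = f"renamed -> {new_dn}" if new_dn else "deleted on source"
            print(f"{name}: {old_dn} ({verdict})")
```

Run against exports taken before and after an aggregation, the output is the list an IAM admin would want in a notification: which access profiles lost a reference, and whether the fix is to re-point the entitlement or to remove it.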

Correct, but it should not be removed without notifying the admin that the configuration changed. Otherwise an AD admin could rename a group and it could be removed from the access profile without the knowledge of the IAM team/admins.

3 Likes

Thanks for reporting this, @gmilunich! I have created a ticket for this issue (SAASTRIAGE-4842).

With @christina_gagnon’s help, we determined that there is an email that goes out to ALL identities in the IdentityNow Admins source when this happens, with the details. In my case, this was getting filtered to another folder in the joint mailbox.

I still would like to see a notification in the UI when the admin logs in, or views the Access Profile noting the change. I will be adding an Idea to the Ideas forum and will link it here.

1 Like

Why would they not use GUIDs as the unique identifier?

@mnstig SailPoint has always used the DN, back to the early IIQ days. There was a time when they attempted using objectGuid, in the IIQ 7.x era, but it caused issues and was rolled back.