We have a requirement to run an Identities Certification campaign. During our testing, we encountered a discrepancy that we’d like to get inputs on.
According to the documentation, “Access profiles granted through a role or lifecycle state do not appear individually in certifications.” However, in our scenario, an access profile assigned through a birthright role was added for approval in the campaign.
Let’s walk through the specific scenario:
An entitlement was assigned directly to the target system (Active Directory).
On the Identity and Access Management (IDN) system, that entitlement belongs to an Access Profile.
During aggregation, the Access Profile was detected and should be visible under the Identity.
Later, a new role was created, and the above-mentioned Access Profile was added to the Role with a defined assignment criteria.
Based on the criteria, the identity falls under the newly created role.
In this scenario, should the access profile show up in the certification campaign?
Here are some relevant screenshots that may help provide more context -
User’s roles (NOTE - All Employees is a birthright role) -
This is likely an issue with the documentation. You can actually comment on any docs article at the bottom and bring this directly to the doc team’s attention. Just scroll to the bottom and click “Continue Discussion”.
I believe that in this scenario, if your birthright access was a “Role”, you would only be presented with the option to acknowledge the role. In your case the target object is an Access Profile contained within a ‘Role’, and the default behaviour that I have observed in our tenant is that the ‘Access Profile’ contained within the ‘Role’ is not visible in the campaign. Hope this helps.