Access Profiles in Identities Certification Campaign

Hello Everyone,

We have a requirement to run an Identities Certification campaign. During our testing, we encountered a discrepancy that we’d like to get inputs on.

According to the documentation, “Access profiles granted through a role or lifecycle state do not appear individually in certifications.” However, in our scenario, an access profile assigned through a birthright role was added for approval in the campaign.

Let’s walk through the specific scenario:

  1. An entitlement was assigned directly to the target system (Active Directory).
  2. On the Identity and Access Management (IDN) system, that entitlement belongs to an Access Profile.
  3. During aggregation, the Access Profile was detected and should be visible under the Identity.
  4. Later, a new role was created, and the above-mentioned Access Profile was added to the Role with a defined assignment criteria.
  5. Based on the criteria, the identity falls under the newly created role.

In this scenario, should the access profile show up in the certification campaign?

Here are some relevant screenshots that may help provide more context -

User’s roles (NOTE - All Employees is a birthright role) -

User’s Access Profiles -

All Employees - Role access items -

Identities Certification Campaign -

As you can see, the “All Employees” Access Profile is visible under the campaign, which is part of the birthright role.

Is this expected behavior? Is there a scenario where it is possible?

We’d appreciate your guidance.

@colin_mckibben @derek_putnam @tyler_mairose - could you help me find a solution for this?
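One way to check a generated campaign against the documented rule (access profiles granted through a role should not appear as individual review items) is to reconcile the campaign's review items with each identity's role memberships before reviewers start working. The script below is an added example, not code from this thread or from SailPoint; it assumes you have already exported the identity's roles (with the access profiles each role contains) and the campaign's review items into the simple shapes shown, and the sample data is constructed to mirror the "All Employees" scenario above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    access_profiles: frozenset  # names of the access profiles the role grants
    birthright: bool = False


@dataclass(frozen=True)
class ReviewItem:
    identity: str
    item_type: str  # "ROLE", "ACCESS_PROFILE" or "ENTITLEMENT" (assumed labels)
    name: str


def role_grants(roles):
    """Map each access profile name to the set of roles that grant it."""
    grants = {}
    for role in roles:
        for ap in role.access_profiles:
            grants.setdefault(ap, set()).add(role.name)
    return grants


def unexpected_profile_items(review_items, roles_by_identity):
    """Return (item, granting roles) for every ACCESS_PROFILE review item that,
    per the documented rule, should have been rolled up into a ROLE item."""
    flagged = []
    for item in review_items:
        if item.item_type != "ACCESS_PROFILE":
            continue
        grants = role_grants(roles_by_identity.get(item.identity, []))
        if item.name in grants:
            flagged.append((item, sorted(grants[item.name])))
    return flagged


# Constructed sample: an access profile named "All Employees" contained in the
# birthright role "All Employees", plus one access profile assigned directly.
SAMPLE_ROLES = {
    "jdoe": [Role("All Employees", frozenset({"All Employees"}), birthright=True)],
}
SAMPLE_ITEMS = [
    ReviewItem("jdoe", "ROLE", "All Employees"),
    ReviewItem("jdoe", "ACCESS_PROFILE", "All Employees"),  # granted via the role
    ReviewItem("jdoe", "ACCESS_PROFILE", "VPN Access"),     # genuinely direct
]

if __name__ == "__main__":
    for item, roles in unexpected_profile_items(SAMPLE_ITEMS, SAMPLE_ROLES):
        print(f"{item.identity}: access profile {item.name!r} is listed "
              f"individually but is granted via role(s) {roles}")
```

Anything the function returns is a candidate for the support ticket or the documentation feedback form, since it is exactly the discrepancy the thread describes.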

Can you please link to the documentation where this is mentioned?

Link to documentation - https://documentation.sailpoint.com/saas/help/certs/understanding_certifications.html

This is likely an issue with the documentation. You can actually comment on any docs article at the bottom and bring this directly to the doc team’s attention. Just scroll to the bottom and click “Continue Discussion”.

1 Like

@colin_mckibben - you did mention that it is likely a documentation issue. What is the expected/default behavior in this scenario?

I believe in this scenario, if your birthright access was a “Role”, you would only be presented with the option to acknowledge the role. In your case the target object is an Access Profile contained within a ‘Role’, and the default behaviour that I have observed in our tenant is that the ‘Access Profile’ contained within the ‘Role’ is not visible in the campaign. Hope this helps 🙂

2 Likes

With this in mind it may be worth regenerating the campaign and perhaps reaching out to support for assistance.

Hey @sk8er23 - that is what we observed when we tested on other tenants.

@poornasai perhaps one for support, the behaviour may be different if you define the access profile directly to be reviewed in a campaign.

We have opened up a ticket with Support.