Access request denied

Hello All,

I have configured a web services application in SailPoint IIQ and ran Acc + Acc grp Aggregations.

I have a couple of questions:

  1. All the entitlements are coming as requestable in the Entitlement Catalogue.
    Is this the default behaviour of IIQ?
  2. To make entitlements non-requestable I have added the ManagedAttributeCustomization rule with attribute.setRequestable(false);

I re-ran the acc grp Aggregation and found the entitlements are still in the requestable state. I found out the rule won't work for already present entitlements; it will only work for new entitlements.

Is there any workaround for this?
For example, export those entitlements from the catalogue, make changes and import, or write some rule to delete the app's entitlements.

  3. When requesting one of the requestable entitlements which has no owner, I'm seeing the Access Request as denied, and inside Access Request > Items > Approval Status it shows Rejected. I have no idea about this. Can anyone help me in finding all these answers please?

Thanks in advance,

avi.

Hi @amulpuru

You can make entitlements non-requestable through GroupAggregationRefresh rule which will be available in your Account Group Aggregation task.

There you can set the flag for required entitlements as -

accountGroup.setRequestable(false);

Thanks,
Harshith

1 Like

Hi @amulpuru,

If there is no entitlement owner for an entitlement, then the approval goes to the Application Owner to which the entitlement belongs, if the approvalScheme in LCM Provisioning contains ‘Owner’.

The approvalStatus ‘Rejected’ in the access request indicates the approval for the requested entitlement is rejected.

2 Likes

Hi @amulpuru

In SailPoint IdentityIQ, entitlements are automatically set as requestable when they’re added to the Entitlement Catalog during account group aggregation. This is the default behavior.

To make existing entitlements non-requestable, you can use a script to update them in bulk. Please check this link for details: Setting existing entitlements in the entitlement catalog to false - Compass

3 Likes
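The bulk update mentioned above, written here as an added BeanShell rule body for illustration (not the script from the linked Compass article and not the project's own code). It assumes it is run through the IIQ debug page or iiq console, where `context` (SailPointContext) and `log` are provided, and that the application name is replaced with your own; it uses the projection-query pattern so that periodic commit/decache does not disturb the iterator.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import sailpoint.object.Filter;
import sailpoint.object.ManagedAttribute;
import sailpoint.object.QueryOptions;

// Assumed placeholder: replace with the name of the application whose
// existing entitlements should become non-requestable.
String appName = "PLACEHOLDER_APPLICATION_NAME";

// Select only the ManagedAttributes of that application that are still requestable.
QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.eq("application.name", appName));
qo.addFilter(Filter.eq("requestable", true));
// Optionally restrict to one entitlement attribute of the schema, e.g. "groups":
// qo.addFilter(Filter.eq("attribute", "groups"));

// First collect the ids (projection query), so we can safely decache while updating.
List ids = new ArrayList();
Iterator rows = context.search(ManagedAttribute.class, qo, "id");
while (rows.hasNext()) {
    Object[] row = (Object[]) rows.next();
    ids.add((String) row[0]);
}

int updated = 0;
for (Iterator it = ids.iterator(); it.hasNext();) {
    String id = (String) it.next();
    ManagedAttribute ma = (ManagedAttribute) context.getObjectById(ManagedAttribute.class, id);
    if (ma == null || !ma.isRequestable()) {
        continue; // already changed by someone else, or deleted meanwhile
    }
    ma.setRequestable(false);
    context.saveObject(ma);
    updated++;
    // Commit in batches and clear the Hibernate cache to keep memory flat on large catalogs.
    if (updated % 100 == 0) {
        context.commitTransaction();
        context.decache();
    }
}
context.commitTransaction();

log.info("Set " + updated + " of " + ids.size() + " entitlements of '" + appName + "' to non-requestable");
return "Updated " + updated + " entitlements";
```

Run it against a test application first and compare the Entitlement Catalog afterwards; the ManagedAttributeCustomization or GroupAggregationRefresh rule still has to be in place so that entitlements created by later aggregations are not requestable again.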

Hi @Chathurya ,

Thanks for the reply.
I see the application owner as spadmin and I don't see any work item generated for spadmin.

I suspect we might have some rule/setting at the global level such that any approval that goes to spadmin will be auto-rejected, or something like that. Any idea on this
will help me progress.

Thanks in advance

Hi @amulpuru,

By default, there is no rule/setting to auto reject the work items owned by spadmin.

As you said there is no work item generated for spadmin, can you check if there are any owners in the Interactions tab in the access request? The owners in the Interactions tab are the owners of the approvals for that access request. Then we can investigate it further.

Hi @Chathurya ,

I'm not aware of this Interactions tab. Can you please guide me? I'm more of an ISC person.

Hi @amulpuru,

To see the interactions in the access requests, you need to click on My Work → Access Requests → Details.

In the Interactions you can find the owner who is responsible for the approval of the requested access and the status of the approval.

1 Like

Hi @Chathurya ,

Only Requested Items are there.

Every other thing, i.e. Interactions, Filters, Provisioning Engines, has NO RESULTS.

Hi @amulpuru,

By default, if the requester and the approver are the same, then the work item won't be created and the request is auto-approved.

Could you please let me know if you requested the access as spadmin, and the approvalScheme value in LCM Provisioning?

Try requesting the access as another user, and let me know whether the work item is getting generated or not.

If possible, could you attach a screenshot of the access request and the request item in access request.

Hi @Chathurya ,

I have logged into my account and am requesting an entitlement for some test user.

Hi @amulpuru, check your LCM Provisioning workflow (Settings → Lifecycle Manager → Business Processes → Request Access entry) and see if any assignment rule is being referred to. Verify if there is any customization for the same.

Hi @amulpuru ,

Is there any difference in the behaviour of the approvals? Is the approval getting generated and going to spadmin for the test user for whom you have requested from your account?

If there is any difference, like the approval requested by spadmin getting auto-rejected, then check for any customization in your LCM Provisioning workflow.

Hi all ,

Thanks for your replies.

After adding a value against the extended attribute extApprovalType on the Entitlement, it triggered a manual work item for the system administrator; after the approval for the change was complete, it started working as expected.

Thank you all for your valuable inputs.

A simpler way to set all the entitlements to be non-requestable is to navigate to Applications > Entitlement Catalog in the UI, then click the “Export” button, and export the entitlements that you need to change. This will give you the entitlements in a CSV. You can then update the requestable flag and import the modified CSV.

There also seems to be a non-code way to prevent the entitlements from being set as requestable by default. It is poorly documented, but the constant Application.ATTR_NOT_REQUESTABLE_ENTITLEMENTS can be set in the Application attributes to applicationLevel or schemaLevel. Based on my observation, setting this to applicationLevel will make all newly-created ManagedAttributes non-requestable by default for the application. I expect that setting it to schemaLevel allows you to specify the default requestability at the schema level. Schema objects can have a config attribute with the same name (constant Schema.ATTR_NOT_REQUESTABLE) that can be set to true or false.