Access Requests: Approver can't view Identity's email address

We have a requirement that when an Access Request is made for an Access Profile that is part of an Access Application, it goes to a Governance Group first for approval. The Governance Group needs the Identity’s Email Address to look up against another system (not connected to SailPoint) to verify before approving the request. When testing this, I can see that the Identity’s Name and Manager are present, and the 3 Public Identities Config attributes that we have set up, but the email address is not visible to the Approver that I can see.

Reading through the documentation provides some conflicting information:

In the API Documentation for Public Identities Config, it states:

By default, non-administrators can select an identity and view the following attributes: email, lifecycle state, and manager. However, it may be helpful for a non-administrator reviewer to see other identity attributes like department, region, title, etc. Administrators can use this API to make those necessary identity attributes public to non-administrators.

When looking at other locations that this is used, such as Certifications, there are sections that read:

Certifications display details about identities to help reviewers make decisions about their access. By default, an identity’s email, lifecycle state, and manager attributes display. You can add up to 5 additional attributes using the Update Public Identity Config endpoint.

However, when I review the Access Request documentation, there is a note here that reads:

By default, the user’s display name and their manager’s email display in the Identities tab. You can add up to 5 additional attributes using the Update Public Identity Config endpoint.

This does NOT include the Identity’s Email address, but does include the Public Identities Config attributes. This does not seem to follow suit with the existing functionality of the Public Identities Config.

So the question is, how do we get the Identity’s Email Address on the Access Request for the Approver to see?

The only option I can see is to add it to the Public Identity Config as one of the 5 available attributes, but this is not the desired approach since it is already displayed in the other areas this configuration is used. It also takes up 1 of the 5 available attributes we can use.

So is there another option for getting the email that others have used? It is preferred to have the email visible through ISC so the Approver does not have to go to an external application to get the attributes.

2 Likes

Hi @gmilunich,
You can get identity attributes in the Access Request Reviewer notification instead.
Please follow this post: Retrieve identity attributes in Access Request Reviewer notification

I took a brief look at that, and it seems like it could be a workaround; however, it is less than ideal, as the email is not visible in ISC with the request. It will require the user to go back and search their email for the message to look up the email, which can be cumbersome for someone who gets many requests.

I updated the initial post to include the “In ISC Preferred” requirement. I will still propose your suggestion to the group next week, and if that ends up being the chosen path, I will come back and update this.

Created an Idea for this: https://ideas.sailpoint.com/ideas/GOV-I-3866

2 Likes