We have a requirement that when an Access Request is made for an Access Profile that is part of an Access Application, it goes to a Governance Group first for approval. The Governance Group needs the Identity’s Email Address to look up against another system (not connected to SailPoint) to verify before approving the request. When testing this, I can see that the Identity’s Name and Manager are present, and the 3 Public Identities Config attributes that we have set up, but the email address is not visible to the Approver that I can see.
Reading through the documentation provides some conflicting information:
In the API Documentation for Public Identities Config, it states:
By default, non-administrators can select an identity and view the following attributes: email, lifecycle state, and manager. However, it may be helpful for a non-administrator reviewer to see other identity attributes like department, region, title, etc. Administrators can use this API to make those necessary identity attributes public to non-administrators.
When looking at other locations that this is used, such as Certifications, there are sections that read:
Certifications display details about identities to help reviewers make decisions about their access. By default, an identity’s email, lifecycle state, and manager attributes display. You can add up to 5 additional attributes using the Update Public Identity Config endpoint.
However, when I review the Access Request documentation, there is a note here that reads:
By default, the user’s display name and their manager’s email display in the Identities tab. You can add up to 5 additional attributes using the Update Public Identity Config endpoint.
This does NOT include the Identity’s Email address, but does include the Public Identities Config attributes. This does not seem to follow suit with the existing functionality of the Public Identities Config.
So the question is, how do we get the Identity’s Email Address on the Access Request for the Approver to see?
The only option I can see is to add it to the Public Identity Config as one of the 5 available attributes, but this is not the desired approach since it is already displayed in the other areas this configuration is used. It also takes up 1 of the 5 available attributes we can use.
So is there another option for getting the email that others have used? It is preferred to have the email visible through ISC so the Approver does not have to go to an external application to get the attributes.