Hi All, We are brainstorming on ideas to launch our access reviews in ISC, as it has certain limitations on filters. Our process is to not include all entitlements in reviews. To handle this, I was thinking about adding metadata to each entitlement and using that in the filter for the campaign, but it looks like I cannot search entitlement, role or access profile metadata. I am wondering how others in this situation are handling the reviews. We also have to exclude certain identities from the campaign too. That complicates the matter further, but the search limitation of 10,000 is a show stopper for us.
We had a similar problem, and the below worked for us:
- Use entitlement access review (Access Items)
- Generate a search query which will bring only the entitlements that need to be certified
- Select Certify All Identities instead of Refine Identities option
- Save the access review campaign
- Add a certification filter to exclude certain identities; you can patch using the API.
@Anshu_Kunal : Thank You for the response.
I kinda did a POC on what you just suggested a couple of months ago, but I was not sure if that will work either, because when I queried for items that I need to be included, the search query returns only 10,000. Wonder how it worked for you? Is that number returned by the query not right? Please look at the image I attached here for your reference.
I took a very unconventional way of creating a campaign for a reviewer, so one campaign will have only one certification unless reassigned to multiple reviewers after it's in the reviewer's queue. Of course, this is all through APIs, but I know that all items we need are reviewed and only the identities that need reviewing in IDN.
Hi @lampard08, not sure if I got this correct. How about adding tags to only the entitlements that you want to certify?
Metadata is searchable, it’s just not really documented yet. Here is an example:
accessModelMetadata.value:someValue
Use the search page autocomplete to understand the different keywords that are searchable for metadata.
Cannot use tags. Tags have a limitation too:
There are limits to tags:
- You can have up to 500 different tags in your tenant.
- You can apply up to 30 tags to one object.
- You can have up to 10,000 tag associations, pairings of 1 tag to 1 object, in your tenant.
Thank You. I guess I can use metadata for access object filtering, but I still need to figure out how to include (or exclude) identities in the same campaign.