Account Creation Without Entitlements in SailPoint ISC

In SailPoint ISC, the standard behavior enforces that accounts must be associated with at least one entitlement to be created successfully. However, through a specific configuration it’s possible to bypass this limitation and create accounts without any entitlements.

Demonstrated Workflow

Performed the following steps:

  • Created an account without assigning any entitlements.

  • Marked an attribute (e.g., accessLevel) as an entitlement.

  • Ran entitlement aggregation—the attribute was pulled in as a valid entitlement.

  • Later, removed the attribute from the entitlement definition.

  • Ran account aggregation again.

  • Entitlements will be there, and we get an error in that entitlement aggregation because we removed that entitlement type from the account schema.

  • In the events, you can see that only create account will pass, as we removed the entitlement type from the account schema.

If you use the following entitlements, you will see that only create account will pass.

3 Likes
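An audit for the state described in the post above, as an added example that is not part of the original thread or SailPoint's own code: given a source's account schema and its aggregated accounts, it reports whether any attribute is still marked as an entitlement and which accounts hold no entitlement values. The record shapes, the `isEntitlement` field name and the sample accounts are constructed assumptions; only `accessLevel` comes from the post.

```python
# Constructed sample data. The record layout (an "attributes" list whose items
# carry an "isEntitlement" flag) is an assumption made for this example.
SCHEMA_BEFORE = {"name": "account", "attributes": [
    {"name": "userName", "isEntitlement": False},
    {"name": "accessLevel", "isEntitlement": True},   # marked as entitlement
]}
SCHEMA_AFTER = {"name": "account", "attributes": [
    {"name": "userName", "isEntitlement": False},
    {"name": "accessLevel", "isEntitlement": False},  # flag removed later
]}
ACCOUNTS = [
    {"name": "jdoe", "attributes": {"userName": "jdoe", "accessLevel": ["admin"]}},
    {"name": "asmith", "attributes": {"userName": "asmith", "accessLevel": []}},
    {"name": "svc-test", "attributes": {"userName": "svc-test"}},
]


def entitlement_attributes(schema):
    """Names of schema attributes currently flagged as entitlements."""
    return [a["name"] for a in schema.get("attributes", []) if a.get("isEntitlement")]


def _values(raw):
    """Normalise a single or multi-valued attribute to a list of non-empty values."""
    if raw is None:
        return []
    items = raw if isinstance(raw, (list, tuple, set)) else [raw]
    return [v for v in items if str(v).strip()]


def audit(schema, accounts):
    """Report accounts that carry no value in any entitlement-flagged attribute."""
    ent_attrs = entitlement_attributes(schema)
    bare = [
        acct["name"]
        for acct in accounts
        if not any(_values(acct.get("attributes", {}).get(n)) for n in ent_attrs)
    ]
    return {
        # False means no attribute feeds entitlements, so every account is bare.
        "schema_has_entitlement_attribute": bool(ent_attrs),
        "accounts_without_entitlements": bare,
    }


if __name__ == "__main__":
    for label, schema in (("before", SCHEMA_BEFORE), ("after", SCHEMA_AFTER)):
        print(label, audit(schema, ACCOUNTS))
```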
  • Created an account without assigning any entitlements.

How to do this in reality?

We can create an account only when we request access, right?

@Chaithu9110 - how is this realistic? Also, it enforces security by requiring at least one entitlement.