AD groups then user should be provisioned to other sources like MSSQL source

Hi Team,

We need to implement below feature.

  1. If a user is a member of specific AD groups, then the user should be provisioned to other sources like the MSSQL source with some roles/entitlements.

Can we implement the above feature using access profiles tied to AD groups, so that when a user raises a request for the access profile, the user can be provisioned to the MSSQL source with some roles/entitlements?

Thanks
Kalyan

@kalyannambi2010 Yes, you can do it exactly with the below steps. Create a new role with membership criteria as below:

  • Type - Entitlement
  • Source - your AD source name
  • Operation - Equals
  • Entitlement - Here, select the AD group names for which you want to check the membership for granting MS SQL access

Once this criteria is defined, go to the Manage Access tab in the role to add the MS SQL source related entitlements/access profiles, and then save the role and enable the role.

With this, whenever an identity has access to the AD groups you’ve defined in this role, the criteria is satisfied for such identities and MS SQL source related entitlements/access profiles are provisioned to the identities.

Similarly, however many sources you need to provision the identities to, you can add that many entitlements/access profiles to this role under the Manage Access tab.

Thanks,
Arshad.

This can be achieved through Role provisioning using the assignment criteria, where the AD group will serve as the entitlement criteria.

Hi @kalyannambi2010 you mention that the AD access profile is requestable. Have you thought of creating a requestable role instead which contains the AD AP and any other APs, eg MSSQL, which are required too?

Hi @j_place could you please provide more details on this?

  1. Do we need to create AD access profiles and MSSQL access profiles tied to a requestable role?

How will the user be provisioned to the MSSQL source?

Thanks
Kalyan

Hi @prashanthrns could you please provide more information on this?

  1. We need to create an access profile tied to AD groups, and whenever the user's request for the access profile is fulfilled, the user will automatically be provisioned to the MSSQL source?

Thanks
Kalyan

Hi @Arshad could you please provide more information on this?

We need to create an access profile tied to AD groups, and whenever the user's request for the access profile is fulfilled, the user will automatically be provisioned to the MSSQL source?

Thanks
Kalyan

That’s correct @kalyannambi2010

In this scenario, you would be creating requestable Access Profiles which are mapped to AD groups as underlying entitlements. Now once a user makes a manual request for this access profile, the access profile is assigned to the identity where the underlying AD groups are assigned on AD account.

Now, as per my solution above, you would be creating a membership criteria based role where the criteria is to check the entitlements on the identity (which were provisioned earlier with the access profile request). This role would check the entitlements on the identity (in this case, your AD groups) and, once found, it would provision the MS SQL source based entitlements mapped in that role in an automated fashion.

Thanks,
Arshad.

Hi @Arshad thank you for the details. Where can we specify the membership criteria based role, under which tab in ISC?

Thanks
Kalyan

Inside your role, navigate to the Define Assignment tab, where you can create your criteria as per my solution above.

Hi @Arshad I think there is no option for access profiles to be added under the Define Assignment tab, so where can we add access profiles?

Thanks
Kalyan

What you’ve asked here is about how to add membership criteria, correct?

And here is my response on how to add criteria to the role.

This is a different question. To add either Entitlements (or) Access Profiles into a role, you would do it in the Manage Access tab inside the role.

Hi @Arshad thank you for the details.

  1. If the user is provisioned to AD groups based on access profiles through the Request Center, then how will they be provisioned to MSSQL sources with some roles/entitlements if we do not add access profiles under the role's Define Assignment? Where can we add access profiles so that the user will be provisioned to MSSQL sources with some roles/entitlements?

Thanks
Kalyan

@kalyannambi2010 Here’s how it works:

  1. You need to set up a role with the above mentioned membership criteria. This role needs to have the corresponding MS SQL related entitlement (or) access profiles mapped under the “Define Assignment” page. Enable the role.
  2. Now on a separate note, you would already have Access Profile mapped to AD groups.
  3. Please understand that the role contains MS SQL access only and Access profile contains AD groups only. Both these are separate.
  4. Now, you request access profiles containing AD groups through Request Center for an identity.
  5. Identity gets assigned with the access profile and underlying AD groups in the access profiles are assigned on the AD account.
  6. Once the identity is assigned with the requested access profile, the identity gets refreshed automatically, and during this refresh ISC will identify that the identity satisfies the membership criteria of the new role containing the MS SQL related access.
  7. The role containing MS SQL access gets provisioned automatically.
  8. The membership criteria that you would define in the role would make it an automatic role assignment. No manual intervention would be required.

This is how the flow would be. You don’t need to map the MS SQL related entitlements in your AD groups related access profile, because you will be mapping them into a separate role that gets auto assigned based off the criteria.

In your case:

  • Access Profile would be mapped with AD groups
  • Role would be mapped with MS SQL entitlements along with a membership criteria.

Hope that makes sense?

Thanks,
Arshad.
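To make the two-object flow above concrete (access profile holds only AD groups, role holds only MS SQL access and is auto-assigned on AD group membership), here is an added example that is not from this thread or from SailPoint. It builds the role definition in the shape I understand the ISC v3 Roles API to use for membership criteria (the `membership.criteria` tree with `EQUALS` leaves on `attribute.memberOf`, an assumption here), then evaluates that criteria tree against an identity's entitlements the way the refresh step does. All source IDs, group DNs and entitlement IDs are constructed placeholders.

```python
from typing import Any

# Constructed placeholder source IDs (real ones come from your ISC tenant).
AD_SOURCE_ID = "ad-source-id-placeholder"
MSSQL_SOURCE_ID = "mssql-source-id-placeholder"


def build_role(name: str, ad_groups: list[str], mssql_entitlement_ids: list[str]) -> dict[str, Any]:
    """Role that carries ONLY MS SQL access and auto-assigns on any listed AD group.
    Shape follows the v3 Roles API membership criteria as I understand it (assumption)."""
    leaves = [
        {"operation": "EQUALS",
         "key": {"type": "ENTITLEMENT", "property": "attribute.memberOf", "sourceId": AD_SOURCE_ID},
         "stringValue": dn, "children": None}
        for dn in ad_groups
    ]
    return {
        "name": name,
        "enabled": True,
        "requestable": False,  # assignment is automatic via criteria, not via Request Center
        "entitlements": [{"type": "ENTITLEMENT", "id": eid} for eid in mssql_entitlement_ids],
        "membership": {"type": "STANDARD",
                       "criteria": {"operation": "OR", "key": None, "stringValue": None, "children": leaves}},
    }


def criteria_match(node: dict[str, Any], identity_ents: dict[str, set[str]]) -> bool:
    """Recursively evaluate a criteria tree: AND/OR nodes over EQUALS leaves.
    identity_ents maps sourceId -> set of entitlement values held on that account."""
    op = node["operation"]
    if op == "OR":
        return any(criteria_match(c, identity_ents) for c in node["children"])
    if op == "AND":
        return all(criteria_match(c, identity_ents) for c in node["children"])
    if op == "EQUALS":
        return node["stringValue"] in identity_ents.get(node["key"]["sourceId"], set())
    raise ValueError(f"unsupported operation: {op}")


def provisioning_plan(role: dict[str, Any], identity_ents: dict[str, set[str]]) -> list[str]:
    """MS SQL entitlement IDs the role would add for this identity ([] if criteria unmet,
    the role is disabled, or the identity already holds them)."""
    if not role["enabled"] or not criteria_match(role["membership"]["criteria"], identity_ents):
        return []
    already_held = identity_ents.get(MSSQL_SOURCE_ID, set())
    return [e["id"] for e in role["entitlements"] if e["id"] not in already_held]


if __name__ == "__main__":
    role = build_role("MSSQL via AD", ["CN=SQL-Readers,OU=Groups,DC=example,DC=com"], ["mssql-ent-db_datareader"])
    print(provisioning_plan(role, {AD_SOURCE_ID: {"CN=SQL-Readers,OU=Groups,DC=example,DC=com"}}))
```

Note that the role is evaluated only after the AD group actually lands on the identity (the refresh in step 6), so a pending or failed AD provisioning leaves the MS SQL plan empty.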

Hi @Arshad I have followed the below steps:

  1. I have created a new role “Sample”.
  2. Under “Manage Access” tab I have provided “MSSQL source entitlement/access profile”.
  3. Under “Define Assignment” I have provided “AD source group”
  4. Enabled the newly created role “Sample”.
  5. Click on “Apply Changes”.

Getting the below error.

[“Unable to process database user provisioning for user- null Reason: sailpoint.connector.ConnectorException: Provide valid database name.”,“Unable to process database user provisioning for user- null Reason: sailpoint.connector.ConnectorException: Provide valid database name.”]

Have you configured provisioning related configurations on your MS SQL source? The create provisioning policy, the JDBC provisioning rule etc. If not, then provisioning to your JDBC source wouldn’t work.

This happens when your JDBC source configurations are incomplete.

Here are some useful resources you can refer to and validate your configs:

Hi @Arshad

It is not a JDBC connector type but the MSSQL connector, so which rules can we use then for provisioning? I think we are not going to create any new accounts but associate them based on the role assignment?

We are using the below OOTB for account creation.
$(firstname).$(lastname)$(uniqueCounter) for Create Unique Account ID

@kalyannambi2010 Can you confirm if the test connection on your MS SQL connector based source is successful and working? Additionally, also confirm if the full account aggregation is working on your MS SQL source and you’re seeing the accounts aggregated successfully?

Hi @Arshad test connection and full aggregation are working fine. Observed that it looks like accounts are getting created, but getting errors like "Create Account Failed" and "Add Entitlement Failed", and no roles/entitlements are associated with the accounts.

[“Unable to process database user provisioning for user- null Reason: sailpoint.connector.ConnectorException: Provide valid database name.”,“Unable to process database user provisioning for user- null Reason: sailpoint.connector.ConnectorException: Provide valid database name.”]

Thanks

With the error message, it’s mentioning that you have not specified the database name correctly in your configuration. Can you show how the Connection Setting > Database URL is configured on your MS SQL source?