Hi All,
What is the recommended approach for leveraging SailPoint ISC to manage access requests?
In our legacy system, access requests follow a hierarchical model: users search for an application, and the system displays a list of roles associated with that application. I attempted to replicate this behavior in ISC using Applications and Access Profiles.
Is there a way to explicitly link Roles to Applications in ISC to maintain a similar hierarchical request structure, instead of giving a list of all the requestable roles available?
Any guidance or suggestions would be greatly appreciated.
No, in ISC you cannot include roles in applications. Roles can be requested directly. I know this is an option in IIQ but not in ISC. You can define your role with the app name as the starting prefix and allow the user to search with the app name so that the user will get all the roles of that app.
Well, if you have to request access only for one application, then you can define an application and add the access profiles. This way the user will first search for the application and select the access that is required.
Thanks @HussainshaSyed001 - The requirement is to let the user first select an application and then select a role. It’s the same as attaching APs to an Application, but instead we want to attach Roles.
Girish, it is not possible to select an application and then roles because:
A role can have access profiles or entitlements from various apps. The words “various apps” mean that it does not make sense to first select an app and then roles. That is how ISC roles work.
I suggest you post this idea in the SailPoint idea portal so that they may consider, in the future, this feature of having roles be app-dependent as well.
Hi @udayputta - Thanks for your response. I am thinking of creating role assignment criteria based on an entitlement of the application. This way users will raise a request by selecting the application and selecting the AP. Once the AP is provisioned, role assignment will kick in and grant access to the role. Let me know your thoughts on this.
If you definitely have to assign additional access along with, say, ABC application access, then just go with roles (having all the entitlements from different apps) as requestable objects instead of assignment-based ones. With this approach you do not need to maintain roles, access profiles and applications separately, and when users need the access they will get it together using roles. I feel this approach will reduce your access item maintenance and would make it easier to add or remove the roles.
Hi Girish,
Along with this, implement the segments concept also. This helps in creating a more tailored and secure access request experience. To implement this hierarchical structure for access requests:
Nice demo URL, SailPoint partner company.