Design Recommendations: Application Owner View

I have been tasked to provide application owners a view of the applications they are an owner of in SailPoint IIQ. They need to have the ability to view the application aggregated accounts that have access to their application.

In our environment we have Workgroups assigned as application owners. Each workgroup has one or more application owners as members. The membership of these groups are populated via an API call to LeanIX which is the source of truth for application owners.

I am looking for design ideas on how this could be implemented.

SailPoint IIQ Version: 8.4

If you want the app owners (which are a workgroup) to view the applications, you can assign the "ViewApplication" capability to the workgroup.

You can refer to the link below to check all the capabilities:
https://community.sailpoint.com/t5/IdentityIQ-Articles/IdentityIQ-Rights-and-Capabilities-Definitions/ta-p/77550

@SeanGallagher91 You can assign the "Application Administrator" capability to the workgroup. It will allow them to manage all applications. If you want to provide read-only access, create a custom capability and assign it the "ViewApplication" SPRight. Assign this capability to the workgroup.
Hope this helps.

Thanks Pragati/Naveen. Is there a way I could do this automatically instead of having to manually assign the capability to the workgroup? All of our workgroups that are application owner workgroups follow the same naming convention, if that helps.

Yes, that's possible. If you have a workgroup sync job, use it; if not, create a task for workgroup sync for whichever application you want to sync it with, like AD.

Create a Role in SailPoint IIQ and add the group membership to the role. Make sure the membership group and the workgroup are the same, so that they sync.

When a user raises a request and it is approved, the user gets added to the membership group; then you run the sync and the user gets synced to the workgroup. The workgroup already has the capability assigned.

@SeanGallagher91 To achieve this you first of all need to configure the Loopback connector to make workgroups requestable and available in roles. Doing this, you can also configure workgroups as user-requestable or dynamically map them to roles. You can also enable approvals to make them more compliant. This will also allow you to automatically remove users from workgroups during transfers or terminations.
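The replies above cover the manual assignment (a read-only custom capability holding only the ViewApplication SPRight) and keeping workgroup membership in sync, but not the automatic part of the follow-up question: granting that capability to every workgroup that matches the naming convention. The import file below is an added example written for this thread, not code from any of the posters or from SailPoint. It assumes a capability named ApplicationOwnerViewer, a workgroup prefix of "AppOwner-", and that the rule is scheduled through the out-of-the-box "Run Rule" task; all three are assumptions and should be adjusted to the environment. The rule selects workgroups by a projection query first and then loads and updates each one, so the Hibernate result set is not held open while objects are being committed.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE sailpoint PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<sailpoint>

  <!-- Read-only capability: only the ViewApplication right, nothing that lets the
       holder edit an application definition or its aggregation settings.
       Name "ApplicationOwnerViewer" is an assumption for this example. -->
  <Capability name="ApplicationOwnerViewer" displayName="Application Owner (read-only)">
    <RightRefs>
      <Reference class="sailpoint.object.SPRight" name="ViewApplication"/>
    </RightRefs>
  </Capability>

  <!-- Rule intended to be scheduled with the standard "Run Rule" task so that newly
       created owner workgroups pick up the capability without manual work.
       The "AppOwner-" prefix is an assumed naming convention. -->
  <Rule name="Assign App Owner Capability">
    <Source><![CDATA[
      import java.util.ArrayList;
      import java.util.Iterator;
      import java.util.List;
      import sailpoint.object.Capability;
      import sailpoint.object.Filter;
      import sailpoint.object.Identity;
      import sailpoint.object.QueryOptions;
      import sailpoint.tools.Util;

      String capName = "ApplicationOwnerViewer";   // assumed capability name
      String prefix  = "AppOwner-";                // assumed workgroup naming convention

      // Fail loudly if the capability was never imported, rather than silently doing nothing.
      Capability cap = context.getObjectByName(Capability.class, capName);
      if (cap == null) {
        throw new IllegalStateException("Capability " + capName + " is not imported");
      }

      // Workgroups are Identity objects with workgroup == true; match only the prefix.
      QueryOptions qo = new QueryOptions();
      qo.addFilter(Filter.and(
          Filter.eq("workgroup", true),
          Filter.like("name", prefix, Filter.MatchMode.START)));

      // Projection query for ids only, so the result set is closed before any updates.
      List ids = new ArrayList();
      Iterator rows = context.search(Identity.class, qo, "id");
      while (rows.hasNext()) {
        ids.add(((Object[]) rows.next())[0]);
      }
      Util.flushIterator(rows);

      int assigned = 0;
      Iterator idIt = ids.iterator();
      while (idIt.hasNext()) {
        Identity wg = context.getObjectById(Identity.class, (String) idIt.next());
        if (wg == null) continue;

        // Compare by name: only add the capability when the workgroup does not hold it yet.
        boolean has = false;
        List caps = wg.getCapabilities();
        if (caps != null) {
          Iterator capIt = caps.iterator();
          while (capIt.hasNext()) {
            if (capName.equals(((Capability) capIt.next()).getName())) { has = true; break; }
          }
        }

        if (!has) {
          wg.add(cap);
          context.saveObject(wg);
          context.commitTransaction();
          assigned++;
        }
        context.decache(wg);
      }

      return "Assigned " + capName + " to " + assigned + " workgroup(s) matching " + prefix + "*";
    ]]></Source>
  </Rule>

</sailpoint>
```

Two caveats a reviewer would want stated. First, the rule only ever adds the capability; a workgroup that is renamed out of the convention keeps it until someone removes it, so either add a matching removal branch or review the list periodically. Second, a capability in IdentityIQ is not scoped to particular applications: ViewApplication lets the holder open any application definition, not just the ones the workgroup owns, which is why the custom capability carries that single read-only right and not Application Administrator.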
