Assign Entitlement Directly and Remove Entitlement from Business Role

IdentityIQ (IIQ) IIQ Discussion and Questions
, ,
1

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

Assign Entitlement Directly and Remove Entitlement from Business Role

We had set up Business Role 1 with Entitlement A.

However, we want to change to directly assign Entitlement A to the users of Business Role 1 and then remove the Entitlement A from Business Role 1.

We tried this, but get an error message saying the Entitlement A is already assigned to the user. We need to make these changes without the user losing any access. There are several hundred users that are impacted by these types of changes from Business Roles to Directly Assigned.

Is there a way to enable this change?

2

Hi @dabrus

Welcome to SailPoint Developer community.

Looks like you don’t want any Roles for this Entitlement assignment, not even IT Roles ?

Thanks
Krish

1 Like
3

The Business Role has multiple entitlements (A, B, C, D, E, F, G).
But we want to pull Entitlement A out of the Business Role and assign it directly.

To prevent loss of access, we tried to Assign Entitlement A to the user, but it gives an error saying Entitlement A is already assigned to the user (it is via the Business Role).

If we remove Entitlement A from the Business Role, then the users will lose access until the Entitlement A is approved and applied to each user directly.

4

@dabrus
As the entitlement is assigned as part of the role, the granted by role flag is set to true. To achieve your use case, you need to remove the entitlement from the role, run the role change propagation and assign the entitlement directly.
Note: This will have a access related to issue, but you can plan it over a non working day.

5

Got it.

It takes time to process removal of entitlement for all users when you remove from Business Role. I don’t see a way without losing access.

At the moment, I think of

  • Disable the LCM email notifications on entitlement removal
  • Remove Entitlement from Role
  • Process the changes
  • Run a Batch Request without approval to quickly add same Entitlement for all users, you can get users from Role Membership Report.

Thanks
Krish

2 Likes
6

Hi @dabrus,

Have you tried below two options from global setting to achieve your use-case.

image

Thanks

7

I appreciate your insights and options.

So there is no way option to override the Entitlement Check?
Ie. Allow an Entitlement to be Added Directly first (essentially a duplicate entitlement). Then remove the Entitlement from the Role. This would eliminate any access outage for the user.

8

Hi @dabrus,

There is no direct way by which where user can have two set of entitlement.

Also, if the provisioning is enabled then there is no way you can directly add and remove entitlement without removing access.

To achieve it in ideal case you may stop provisioning then do the transition, but it will have a lot of change and failure points so practically should not be implemented.

Thanks

1 Like
9

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.