Hi Everyone,
I have a requirement where the assignment of entitlements to an account for EPIC target system in a particular order. Is this possible ?
Any help/ideas are appreciated.
Thank you,
Shailee
Here is a thought:
- Create a new List
- Iterate through attributeRequests and assign each Entitlement to this List
- Reorder the items in the List as per your requirement
- Remove the attributeRequests (just the entitlements) from the accountRequest
- Add the List to accountRequest
1 Like
Hi Nithesh,
Thank you for your response. Are you suggesting this to be done via Cloud rule? I am not very well familiar with using transforms or rules, so I am not sure if Iterating through attributeRequests is possible via transforms
Thanks
You can try either in Before Provisioning Rule or a Connector Rule based on the type of the Connector
Thank you Nithesh. This helps.
We are using OOTB EPIC connectors. Let us explore more.
If it is request based then you need to follow what @iamnithesh has suggested.
if it is birthright then you can manage which Role to be assigned first.
Let’s say you need to add 3 EPIC entitlements in order, Ent 1, Ent 2 and Ent3.
I would create Access profile for each Entitlement. AP1, AP2 & AP3.
Then create 3 Roles: Role1, Role & Role3
Role 1 gets assigned first.
Role 2: Add a condition that user should have Ent 1.
Role 3: Add a condition that user should have Ent 2.
There may be challenges with this approach, but it is worth to try. Note that, this is only applicable if you can assign EPIC access based on some conditions.
Hi Krishna,
Thank you.
Yes this is a possible solution, however the possible combination of entitlements is humongous and creating such huge number of roles is not possible.
Thats why, we are thinking to explore using a Connector Rule for this.
In your experience, is there any other way possible?
Thanks,
Shailee
Hi Shailee,
There are no connector Rules for EPIC connector I believe.
How is your EPIC access provisioning will be, request based or automatic based on some conditions ?
You need to use either Before Provisioning Rule or Create Roles with conditions as I have already mentioned above.
Whatever the approach you decide, since you have a lot of Entitlements, you have to write a lot of code for all the combinations. When you get new entitlements, you need to update the combinations in Rule. Remember that Before Provisioning Rule is cloud based, so you need SailPoint Expert Services help to deploy every time.
So I would suggest you to use Role based approach only though it is going to be a lot. You can manage Roles, create new Roles whenever you need.
If it is going to be request based, then create Role with only one entitlement, remaining can be added based on conditions.
You can use workflow as well which is licensed, but same story here with a lot of combinations and it will be complex.
Create Access Model, List down all the required combinations not the possible combinations. Access is always pre-defined rite what we need to provide to an application.
Thanks
Krish
We used a transform to map each role with what the DefaultLinkedTemplateID should be and added that to the provisioning plan. This did require 100s of mappings.
You may also still require a beforeProvisioning rule to handle the mover use case. Expert Services should be able to assist in providing that rule.
2 Likes
Thanks @iamnithesh . This helped!
1 Like
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.