IIQ Version : IdentityIQ 8.4p1
Issue Description:
An Identity has an assigned business role but is missing some provisionable entitlements; the entitlements that were provisioned successfully show up as additional entitlements.
Issue Example:
Business Role: BR_1 (Assigned on Identity)
“BR_1” has IT Role: IT_1 (Not Detected on Identity)
“IT_1” has Entitlements:
- APP_1_ENT_1 (Provisioned, but marked as additional entitlement)
- APP_1_ENT_2 (Provisioned, but marked as additional entitlement)
- APP_1_ENT_3 (Provisioned, but marked as additional entitlement)
- APP_2_ENT_1 (Provisioned, but marked as additional entitlement)
- APP_2_ENT_2 (Provisioned, but marked as additional entitlement)
- APP_3_ENT_1 (Not provisioned, failed to provision)
Summary:
We are interested in implementing identity risk scores, but are experiencing behavior that we are having trouble correcting. In our lower environment we noticed that some Identities have a significant risk score because of their additional entitlements. We looked into these additional entitlements and discovered that many of them were entitlements that were detected and assigned to a role.
According to the IdentityIQ Identity Risk Scoring documentation, additional entitlements are defined as "entitlements that are detected on an Identity, but are not part of any of the roles assigned to that Identity." Based on this definition, some of the additional entitlements we have are marked erroneously, and this doesn't seem to align with the definition of additional entitlements in the IdentityIQ documentation.
We have a high interest in using risk scores and leveraging additional entitlements as a contributing factor, but entitlements that are marked as additional entitlements must truly be entitlements not assigned by any role for us to accurately get a risk score.
Questions:
Is this how IdentityIQ behaves with additional entitlements for assigned role entitlements?
Is there a way to NOT mark these partially detected entitlements from an assigned role as additional entitlements?
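An added model of the behavior described in this post, not IdentityIQ code: it assumes all-or-nothing IT role detection (an IT role is detected only when every one of its entitlements is present) and uses constructed data mirroring the example above. It contrasts classifying entitlements against *detected* roles (the five provisioned entitlements become additional) with classifying them against *assigned* roles (none are additional, and APP_3_ENT_1 surfaces as the one still missing).

```python
# Added model of the behaviour described in the post; not IdentityIQ code.
# Constructed role model and account data mirroring the post's example.
BUSINESS_ROLES = {"BR_1": {"IT_1"}}          # business role -> required IT roles
IT_ROLES = {                                  # IT role -> entitlements it requires
    "IT_1": {"APP_1_ENT_1", "APP_1_ENT_2", "APP_1_ENT_3",
             "APP_2_ENT_1", "APP_2_ENT_2", "APP_3_ENT_1"},
}
ASSIGNED_BUSINESS_ROLES = {"BR_1"}
# Entitlements actually present on the identity; APP_3_ENT_1 failed to provision.
DETECTED_ENTITLEMENTS = {"APP_1_ENT_1", "APP_1_ENT_2", "APP_1_ENT_3",
                         "APP_2_ENT_1", "APP_2_ENT_2"}

def entitlements_of_assigned_roles(assigned_business_roles):
    """Every entitlement any assigned business role requires via its IT roles."""
    covered = set()
    for br in assigned_business_roles:
        for it in BUSINESS_ROLES.get(br, ()):
            covered |= IT_ROLES[it]
    return covered

def detected_it_roles(entitlements):
    """Assumed all-or-nothing detection: an IT role counts as detected only when
    every one of its entitlements is present, so one failed provisioning hides it."""
    return {it for it, required in IT_ROLES.items() if required <= entitlements}

def additional_by_detected_roles(entitlements):
    """Behaviour reported in the post: anything not covered by a *detected* IT role."""
    covered = set()
    for it in detected_it_roles(entitlements):
        covered |= IT_ROLES[it]
    return entitlements - covered

def additional_by_assigned_roles(entitlements, assigned_business_roles):
    """Documented definition: anything not part of any *assigned* role."""
    return entitlements - entitlements_of_assigned_roles(assigned_business_roles)

def missing_for_assigned_roles(entitlements, assigned_business_roles):
    """Entitlements an assigned role requires that are still absent: provisioning
    gaps to remediate, not extras that should raise the risk score."""
    return entitlements_of_assigned_roles(assigned_business_roles) - entitlements

if __name__ == "__main__":
    ents, brs = DETECTED_ENTITLEMENTS, ASSIGNED_BUSINESS_ROLES
    print("detected IT roles:", detected_it_roles(ents))
    print("additional by detected roles:", sorted(additional_by_detected_roles(ents)))
    print("additional by assigned roles:", sorted(additional_by_assigned_roles(ents, brs)))
    print("missing for assigned roles:", sorted(missing_for_assigned_roles(ents, brs)))
```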