Assigning Business Roles Based on Existing Entitlements

Which IIQ version are you inquiring about?

8.3p5

Share all details about your problem, including any error messages you may have received.

We’re using a SCIM 2.0 connector for Oracle in our SailPoint IIQ environment. Initially, it was configured to manage only external (staff) users for provisioning and de-provisioning. However, the connector was also aggregating accounts for internal users and bringing in their entitlement data, even though those users weren’t managed by IIQ at the time.

We’ve now extended the connector to manage internal users as well. All Oracle entitlements have been mapped to appropriate business roles within IIQ.

I already have the data on which Oracle entitlements each internal user holds. I’m now looking for the best way to assign business roles to these users based on their current entitlement memberships—so their access can be governed and maintained by SailPoint moving forward.

Could anyone advise on:

• The best approach for assigning business roles in bulk based on existing entitlements?
• Whether this should be handled via a rule, identity refresh, or another mechanism?

Any guidance or best practices would be greatly appreciated.

Thanks,
Karan

You could do it through an IdentitySelector on the business role, it’s basically how we birthright roles to users. Assuming your IT Role will be detected because the profile matches your entitlement, the IdentitySelector will assign the business role if the user has the IT Role on an Identity Refresh.

Here’s a generic sample of the Business/IT Role that you would need to define:

<Bundle displayName="MyRole" name="MyRole" type="business">
  <Owner>
    <Reference class="sailpoint.object.Identity" name="spadmin"/>
  </Owner>
  <Requirements>
    <Reference class="sailpoint.object.Bundle" name="MyRole - IT"/>
  </Requirements>
  <Selector>
    <IdentitySelector>
      <MatchExpression>
        <MatchTerm name="bundles" type="IdentityAttribute" value="MyRole - IT"/>
      </MatchExpression>
    </IdentitySelector>
  </Selector>
</Bundle>

<Bundle displayName="MyRole - IT" name="MyRole - IT" type="it">
  <Owner>
    <Reference class="sailpoint.object.Identity" name="spadmin"/>
  </Owner>
  <!-- Profile of your app -->
</Bundle>

Hi @sunny_tsang,

Thanks for the suggestion! That approach makes sense where the IT role is already present on the identity.

In our case, however, the situation is a bit different — the internal users have aggregated accounts, and their entitlements are visible in SailPoint (via account aggregation), but no IT roles are currently assigned to them.

We’ve already mapped the Oracle entitlements to IT roles via role profiles, and those IT roles are also linked to business roles. Now, we want to assign business roles to existing users based on their current entitlement memberships, so we can bring their access under SailPoint governance.

Could you please suggest how best to assign business roles retroactively based on current entitlements? Is there a way to trigger role profile matching or another way to automate this assignment in bulk?

Thanks again!

If you define the entitlements on your IT roles, then a refresh should detect them on your users. It will probably take two identity refreshes. Also make sure to uncheck the box “Refresh only identities marked as needing refresh during aggregation” so that all users are processed. The first refresh would detect the IT role and add that to the user, and the second one would assign the Business role.

As another alternative, you can use the batch request feature to bulk assign your users. I’m sure you can identify which users need to have the Business role assigned and then initiate a batch request to do the assignment:

image178×441 8.72 KB

The csv format to do a batch request would look like (see the Lifecycle Manager documentation for further examples):

operation,roles,identityName
AddRole,MyRole,spadmin

Hi @sunny_tsang,

Thanks again for the help!

As a follow-up:
I’d like to extract a list of identities along with the entitlements currently assigned to them, either from the UI or the database.

We’re using a SCIM 2.0 connector for Oracle, and while the entitlements are visible in the aggregated account details in IIQ, I’m not sure what the cleanest method is to extract that data in bulk.

From what I understand, IIQ doesn’t store entitlements in a separate spt_link_entitlement table — they’re embedded as multi-valued attributes in the spt_link.attributes column.

Could you advise on:

• Whether there’s a built-in report/task that outputs identity-entitlement mappings?
• Or how best to query the database to extract entitlements from spt_link.attributes (e.g., if it’s stored as XML, JSON, or serialized Java Map)?

Looking for something I can use to build a user-to-entitlement mapping as a foundation for role assignment.

Thanks in advance!

Hi @KaranGulati25

There are multiple OOTB reports templates which you can use for the user entitlement reports.

Intelligence – > Reports – Report

Category: Identity and User Report

for example:

• User Details Report – A detailed view of users currently detected by IdentityIQ
• Identity Entitlements Details Report – Displays identity/account entitlement report
• Users by Application Report – A detailed view of the users in the system categorized by the applications that they belongs to.

Category: Role Management Reports

• Identity Roles Report – Displays the roles that each identity is member of.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.