Automating Role Assignment - SailPoint Identity Services

Users often need to be given access based on attributes like their job title, department, or location. You can configure assignment criteria to automatically grant a role to users who should have it. This also provisions the entitlements in the role’s access profiles to each user’s source accounts.


This is the companion discussion topic for the documentation at https://documentation.sailpoint.com/saas/help/provisioning/role_assignment.html

In the Best Practices section under Configuring Role Assignment (Automating Role Assignment - SailPoint Identity Services), it states this regarding provisioning the entitlements to the proper account:

- If an identity has multiple accounts on a source, you can configure access profiles to determine which account receives the entitlements when the role is assigned to the identity.

However, if the Role Assignment logic states that the user has an ACTIVE account on Source A and an ACTIVE account on Source B, how is this handled if the user has multiple accounts on Source A and Source B, such as the following:

USER: John Doe

  • Source A Account - ACTIVE
  • Source A Account - INACTIVE
  • Source B Account - INACTIVE
  • Source B Account - ACTIVE

The expectation here is that since they have an active account on Source A and an active account on Source B, they should get the role, and it would then be provisioned correctly through the Access Profile to the correct accounts.

For the Role Assignment, do ALL accounts have to match the assignment criteria, or can just one? I could not find any details on this in the documentation, so I figured I would ask.

Hi @gmilunich! I’ve created a ticket to investigate if all accounts need to match the assignment criteria for role assignments. We’ll update this thread when that review is complete. Thank you!

Hi @gmilunich! Only one account can match. I’ve updated the Automating Role Assignment documentation to link to the directions on configuring access profiles to determine which account receives the entitlements when the role is assigned to the identity. Thank you for helping us improve the documentation!

@rachel_rigdon Thanks for that update. The issue however is with the Automating Role Assignment selection criteria (Automating Role Assignment - SailPoint Identity Services)

If the requirement to receive the role automatically is:
[ User has an account on SOURCE_A with ACCOUNT_ATTRIBUTE_ACTIVE = “true” AND User has an account on SOURCE_B with ACCOUNT_ATTRIBUTE_ACTIVE = “true” ]

What happens when the user has 2 accounts of each type, where only one of the 2 accounts is active, i.e.:

  • Source A Account - ACCOUNT_ATTRIBUTE_ACTIVE = “true”
  • Source A Account - ACCOUNT_ATTRIBUTE_ACTIVE = “false”
  • Source B Account - ACCOUNT_ATTRIBUTE_ACTIVE = “false”
  • Source B Account - ACCOUNT_ATTRIBUTE_ACTIVE = “true”

By definition of the requirement, this situation should assign the account, as there is 1 account on each source where the attribute is “true”. In practice, it does not look like this works.

So does this mean that the Automatic Role Assignment does not handle multiple accounts? Or is there more configuration that is necessary to make this work? Either way, this could use more documentation on how to handle this.

@gmilunich Ah I see - thanks for clarifying. We’ll look into this some more to see how we can provide more clarity in the documentation.
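The scenario in this thread comes down to how an ACCOUNT-type criterion is evaluated when an identity holds several accounts on the same source. The following is an added example, not SailPoint's code and not a description of how Identity Security Cloud actually decides: it models the John Doe case from the thread and evaluates the role criteria under two candidate semantics, "any" (at least one account on the source must match the leaf) and "all" (every account on the source must match), so you can see which reading grants the role. The criteria JSON mirrors the layout of the v3 Roles API `membership.criteria` field (`operation`, `key.type/property/sourceId`, `stringValue`, `children`); the source IDs, attribute names, identity data and the `evaluate`/`explain` helpers are assumptions made up for the example.

```python
"""Evaluate a SailPoint-style role membership criteria tree against an identity.

Added example, not SailPoint's code. The criteria layout follows the v3 Roles API
"membership.criteria" field; the evaluation modes below are assumptions used to
make the multi-account question in the thread testable, not product behaviour.
"""
from dataclasses import dataclass


@dataclass
class Account:
    source_id: str
    attributes: dict


@dataclass
class Identity:
    name: str
    attributes: dict
    accounts: list


# Hypothetical source IDs (real ISC source IDs are hex strings).
SOURCE_A = "src-a"
SOURCE_B = "src-b"

# The criteria from the thread: account on Source A with active == "true"
# AND account on Source B with active == "true".
ROLE_CRITERIA = {
    "operation": "AND",
    "children": [
        {"operation": "EQUALS", "stringValue": "true",
         "key": {"type": "ACCOUNT", "property": "attribute.active", "sourceId": SOURCE_A}},
        {"operation": "EQUALS", "stringValue": "true",
         "key": {"type": "ACCOUNT", "property": "attribute.active", "sourceId": SOURCE_B}},
    ],
}

# Constructed identity reproducing John Doe: two accounts per source, one active each.
JOHN = Identity("John Doe", {"department": "Finance"}, [
    Account(SOURCE_A, {"nativeIdentity": "jdoe", "active": "true"}),
    Account(SOURCE_A, {"nativeIdentity": "jdoe-old", "active": "false"}),
    Account(SOURCE_B, {"nativeIdentity": "jdoe-svc", "active": "false"}),
    Account(SOURCE_B, {"nativeIdentity": "jdoe", "active": "true"}),
])


def _compare(operation, actual, expected):
    """Leaf comparison; values compared as case-insensitive strings (assumption)."""
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()
    return {"EQUALS": a == e, "NOT_EQUALS": a != e, "CONTAINS": e in a,
            "STARTS_WITH": a.startswith(e), "ENDS_WITH": a.endswith(e)}[operation]


def _attr_name(key):
    # The API writes account/identity properties as "attribute.<name>".
    return key["property"].split(".", 1)[-1]


def evaluate(criterion, identity, mode="any"):
    """True if the identity satisfies the tree.

    mode="any": an ACCOUNT leaf holds if at least one account on that source matches.
    mode="all": every account the identity holds on that source must match.
    Both are candidate semantics; which one the product applies is the thread's question.
    """
    op = criterion["operation"]
    if op == "AND":
        return all(evaluate(c, identity, mode) for c in criterion["children"])
    if op == "OR":
        return any(evaluate(c, identity, mode) for c in criterion["children"])
    key, expected = criterion["key"], criterion.get("stringValue")
    if key["type"] == "IDENTITY":
        return _compare(op, identity.attributes.get(_attr_name(key)), expected)
    accounts = [a for a in identity.accounts if a.source_id == key["sourceId"]]
    if not accounts:
        return False  # no account on the source at all: can never match
    results = [_compare(op, a.attributes.get(_attr_name(key)), expected) for a in accounts]
    return any(results) if mode == "any" else all(results)


def explain(criterion, identity):
    """Per-leaf breakdown: (sourceId, property, [match result per account on that source])."""
    if criterion["operation"] in ("AND", "OR"):
        return [row for c in criterion["children"] for row in explain(c, identity)]
    key = criterion["key"]
    if key["type"] != "ACCOUNT":
        return [(None, key["property"], [evaluate(criterion, identity)])]
    accounts = [a for a in identity.accounts if a.source_id == key["sourceId"]]
    return [(key["sourceId"], key["property"],
             [_compare(criterion["operation"], a.attributes.get(_attr_name(key)),
                       criterion.get("stringValue")) for a in accounts])]


if __name__ == "__main__":
    for mode in ("any", "all"):
        print(f"{JOHN.name} gets the role under mode={mode}: {evaluate(ROLE_CRITERIA, JOHN, mode)}")
    for source, prop, per_account in explain(ROLE_CRITERIA, JOHN):
        print(f"  {source} {prop}: {per_account}")
```

Under the "any" reading John Doe qualifies (each source has one matching account); under the "all" reading the inactive duplicate on each source blocks the role, which is the behaviour the thread reports seeing. The `explain` output shows, per source, which account is the blocker, which is the first thing to check before deciding whether the fix belongs in the criteria, in the access profile's account selection, or in cleaning up the stale account.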