Automating Role Assignment - SailPoint Identity Services

Users often need to be given access based on attributes like their job title, department, or location. You can configure assignment criteria to automatically grant a role to users who should have it. This also provisions the entitlements in the role’s access profiles to each user’s source accounts.


This is the companion discussion topic for the documentation at https://documentation.sailpoint.com/saas/help/provisioning/role_assignment.html

In the Best Practices section under Configuring Role Assignment (Automating Role Assignment - SailPoint Identity Services), it states this regarding provisioning the entitlements to the proper account:

- If an identity has multiple accounts on a source, you can configure access profiles to determine which account receives the entitlements when the role is assigned to the identity.

However, if the Role Assignment logic states that the user has an ACTIVE account on Source A and an ACTIVE account on Source B, how is this handled if the user has multiple accounts on Source A and Source B, such as the following:

USER: John Doe

  • Source A Account - ACTIVE
  • Source A Account - INACTIVE
  • Source B Account - INACTIVE
  • Source B Account - ACTIVE

The expectation here is that since they have an ACTIVE account on Source A and an ACTIVE account on Source B, they should get the role, and it would then be provisioned correctly through the Access Profile to the correct accounts.

For the Role Assignment, do ALL accounts have to match the assignment criteria, or can just one? I could not find any details on this in the documentation, so I figured I would ask.
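To make the question concrete, here is an added evaluator (not SailPoint code, and not an answer from the documentation) that runs the John Doe scenario above through the two possible readings of the assignment criteria: "ANY account on the source matches" versus "ALL accounts on the source match". The criteria shape, the attribute name `status`, and the account ids are constructed for illustration; the real platform criteria are expressed differently, and the page does not state which quantifier the platform applies. The example also lists which accounts satisfied each criterion, which is exactly the set the access profile configuration has to choose from when an identity holds several accounts on one source.

```python
"""Evaluate role-assignment criteria against an identity with multiple accounts.

Added illustration only: the criteria model and the ANY/ALL quantifier are
assumptions used to show why the question matters, not SailPoint's behaviour.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Account:
    source: str                  # source name, e.g. "Source A"
    native_identity: str         # account id on that source (constructed label)
    attributes: Dict[str, str]   # account attributes as read from the source


@dataclass
class Identity:
    name: str
    accounts: List[Account] = field(default_factory=list)


@dataclass
class AccountCriterion:
    """One leaf of the assignment criteria: an account on `source` whose
    `attribute` equals `value`. All leaves are ANDed together below."""
    source: str
    attribute: str
    value: str


def matching_accounts(identity: Identity, crit: AccountCriterion) -> List[Account]:
    """Accounts on the criterion's source whose attribute has the wanted value."""
    return [a for a in identity.accounts
            if a.source == crit.source and a.attributes.get(crit.attribute) == crit.value]


def criterion_holds(identity: Identity, crit: AccountCriterion, quantifier: str) -> bool:
    """True if the criterion is satisfied under the given quantifier.

    "any": at least one account on the source matches.
    "all": every account on the source matches (an INACTIVE duplicate breaks it).
    An identity with no account on the source fails under both readings.
    """
    on_source = [a for a in identity.accounts if a.source == crit.source]
    if not on_source:
        return False
    hits = matching_accounts(identity, crit)
    if quantifier == "any":
        return len(hits) > 0
    if quantifier == "all":
        return len(hits) == len(on_source)
    raise ValueError(f"unknown quantifier {quantifier!r}")


def role_assigned(identity: Identity, criteria: List[AccountCriterion], quantifier: str = "any") -> bool:
    """The role is assigned only when every criterion holds."""
    return all(criterion_holds(identity, c, quantifier) for c in criteria)


def evaluate_both(identity: Identity, criteria: List[AccountCriterion]) -> Dict[str, bool]:
    """Outcome under each reading, so the difference is visible side by side."""
    return {q: role_assigned(identity, criteria, q) for q in ("any", "all")}


def provisioning_targets(identity: Identity, criteria: List[AccountCriterion]) -> Dict[str, List[str]]:
    """Per source, the accounts that satisfied the criterion. If a source lists
    more than one id, the access profile configuration must pick the recipient."""
    return {c.source: [a.native_identity for a in matching_accounts(identity, c)]
            for c in criteria}


# Constructed sample data mirroring the scenario in the post.
JOHN = Identity("John Doe", [
    Account("Source A", "a-1", {"status": "ACTIVE"}),
    Account("Source A", "a-2", {"status": "INACTIVE"}),
    Account("Source B", "b-1", {"status": "INACTIVE"}),
    Account("Source B", "b-2", {"status": "ACTIVE"}),
])

# Constructed criteria: ACTIVE account on Source A AND ACTIVE account on Source B.
ROLE_CRITERIA = [
    AccountCriterion("Source A", "status", "ACTIVE"),
    AccountCriterion("Source B", "status", "ACTIVE"),
]

if __name__ == "__main__":
    print("assigned under each reading:", evaluate_both(JOHN, ROLE_CRITERIA))
    print("accounts that matched:", provisioning_targets(JOHN, ROLE_CRITERIA))
```

Under the "any" reading John Doe gets the role and the matching accounts are a-1 and b-2, which is the expectation stated in the post; under the "all" reading the INACTIVE duplicates cause the role to be withheld. Running both over a real identity population before enabling a criteria-based role is a cheap way to see how many identities sit in the gap between the two readings.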