Hello,
I need some advice on how to manage source target catalogs with many entitlements.
Let’s take for example the Atlassian target.
Atlassian has within it some “daughter” applications like Jira and Confluence.
Aggregating the Atlassian target we have a lot of ProjectRole type entitlements and some Group type entitlements.
My idea is to create:
An access profile for each ProjectRole type entitlement and Group type entitlement and make them requestable
A logical application for Jira and one for Confluence and associate within them only Jira related access profiles and Confluence related ones.
Is it then a good idea to make the entitlements ALWAYS non-requestable but always create corresponding access profiles that are requestable?
What is the best way to handle applications like these?
Yes, I would recommend that. Many orgs don't enable Entitlement requests.
It would be too much work to make the entitlements requestable. Also, it is not easy for end users to choose which entitlement they need to request.
Instead go with Access Profiles with collection of entitlements as per your access requirements, with proper business names and descriptions. Instead of choosing from a range of access, end users can simply click on the application and choose from limited set of Access.
If you would like to automate access, then go for Roles.
Ok,
but for example in Jira we have 200 projects and 10 roles for every project, so 2000 entitlements (the Atlassian connector creates entitlements with combinations of project+role).
The end user can request to participate in any project with any role, so the catalog must be 2000 Access Profiles.
What is the best approach to do this?
Create a workflow that generates an Access Profile for every new entitlement?
Create an external script that generates an Access Profile for every new entitlement?
Because if a new project is created in Jira, at least 3 new entitlements are aggregated in SailPoint, and every time I need to manually create 3 Access Profiles, manually add the approver and enable them. Maybe there is a smarter way to do this.
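The "external script" option from the post above, as an added example that is not from the thread, from SailPoint, or from the Atlassian connector. It assumes the entitlement and Access Profile shapes shown in the constructed sample data and the v3 POST /v3/access-profiles endpoint with an accessRequestConfig approval scheme; the Jira/Confluence naming rule in profile_name is an assumption as well. The planning step is pure and offline: it reconciles aggregated entitlements against existing Access Profiles, builds a payload for every entitlement that has no profile yet (requestable, enabled, approver attached), and also reports profiles whose entitlement no longer exists, which is what you get after a project is deleted in Jira.

```python
"""Reconcile SailPoint ISC Access Profiles against aggregated entitlements.

Added example (not SailPoint's or the thread author's code). plan_access_profiles()
runs offline; create_access_profile() is the only network call and is assumed to
match the v3 Access Profiles API.
"""
import json
import urllib.request

# Constructed sample of what the Atlassian connector aggregates: one entitlement
# per project+role combination (attribute "ProjectRole") plus a plain group.
SOURCE = {"id": "src-atlassian", "name": "Atlassian", "type": "SOURCE"}
SAMPLE_ENTITLEMENTS = [
    {"id": "ent-001", "name": "Project-A:Administrators", "attribute": "ProjectRole", "source": SOURCE},
    {"id": "ent-002", "name": "Project-A:Developers", "attribute": "ProjectRole", "source": SOURCE},
    {"id": "ent-003", "name": "Project-B:Administrators", "attribute": "ProjectRole", "source": SOURCE},
    {"id": "ent-004", "name": "confluence-users", "attribute": "Group", "source": SOURCE},
]
# Constructed sample of Access Profiles already present in the tenant. ap-9 points
# at an entitlement that no longer aggregates (its Jira project was deleted).
SAMPLE_PROFILES = [
    {"id": "ap-1", "name": "Jira - Project-A - Administrators", "entitlements": [{"id": "ent-001"}]},
    {"id": "ap-9", "name": "Jira - Project-Z - Viewers", "entitlements": [{"id": "ent-999"}]},
]
OWNER = {"id": "idn-owner", "name": "Atlassian App Owner"}  # constructed identity


def profile_name(ent):
    """Assumed naming rule: ProjectRole entitlements belong to the Jira logical
    application, everything else is an Atlassian group."""
    if ent["attribute"] == "ProjectRole":
        project, _, role = ent["name"].partition(":")
        return f"Jira - {project} - {role}"
    return f"Atlassian Group - {ent['name']}"


def build_payload(ent, owner, approver_type="MANAGER"):
    """Build the POST body for one requestable, enabled Access Profile."""
    return {
        "name": profile_name(ent),
        "description": f"Grants {ent['name']} on {ent['source']['name']}",
        "enabled": True,
        "requestable": True,
        "owner": {"type": "IDENTITY", "id": owner["id"], "name": owner["name"]},
        "source": {"type": "SOURCE", "id": ent["source"]["id"], "name": ent["source"]["name"]},
        "entitlements": [{"type": "ENTITLEMENT", "id": ent["id"], "name": ent["name"]}],
        # Approver attached at creation time so nobody has to add it by hand later.
        "accessRequestConfig": {
            "approvalsMustBeSerial": True,
            "approvalSchemes": [{"approverType": approver_type}],
        },
    }


def plan_access_profiles(entitlements, profiles, owner, approver_type="MANAGER"):
    """Return {'create': [payloads], 'orphaned': [profile names]}.

    A profile 'covers' an entitlement when that entitlement id appears in its
    entitlement list; a profile is orphaned when none of its entitlements exist.
    """
    known_ids = {e["id"] for e in entitlements}
    covered = {m["id"] for p in profiles for m in p["entitlements"]}
    create = [build_payload(e, owner, approver_type) for e in entitlements if e["id"] not in covered]
    orphaned = [p["name"] for p in profiles if not any(m["id"] in known_ids for m in p["entitlements"])]
    return {"create": create, "orphaned": orphaned}


def create_access_profile(base_url, token, payload):
    """Assumed v3 call: POST {base_url}/v3/access-profiles with a bearer token."""
    req = urllib.request.Request(
        f"{base_url}/v3/access-profiles",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    plan = plan_access_profiles(SAMPLE_ENTITLEMENTS, SAMPLE_PROFILES, OWNER)
    for payload in plan["create"]:
        print("would create:", payload["name"])
    for name in plan["orphaned"]:
        print("orphaned profile (entitlement gone):", name)
```

Run it after each aggregation (or from a workflow trigger on the source aggregation event) and feed plan["create"] to create_access_profile(); the orphaned list is a report only, because disabling or deleting a profile that identities still hold should stay a reviewed step rather than an automatic one.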
Yes, but the problems with using Entitlements only are:
It's not possible to create logical Applications. This is allowed only with Access Profiles.
There is a bug in SailPoint: if you request an entitlement directly and then create an access profile containing this entitlement, it will be impossible to remove the access profile (even with a recertification campaign). The only way to remove the access profile is via the Admin section.
I understand that, we need to compromise somewhere, right; there is no perfect approach. I would go with Access Profiles as I would have control over what access my org can see/request.