Certification campaign inconsistency

I have configured an access item certification campaign, for access profile XXXX. I just select it, then select to review all identities, select an individual for reviewing, and save. Performing a preview, it says that there are 4 identities to review.

But, if I search @access(name:"XXXX" AND type:"ACCESS_PROFILE") it brings about 4K identities which have XXXX access profile.

Why is this divergence? Can it be something in reviewer identity, related to scope?

@jsosa Hello, please check if that access profile is not part of some birthright role, which grants that AP to these identities that don’t appear in campaign, which you want to certify.

Hi Julian,

Is your access item certification campaign defined by a query? If so, can you paste the query here?

Have you tried the same search query for the certification as well? This time, go with the identities that the query returns and check whether the 4k identities are pulled. Let me know.

Hi Jason, campaign is defined just selecting this “XXXX” access profile item, then selecting to certify all identities.

Hi! Yes, I have tried both approaches: entering XXXX in the query box, and selecting XXXX access item. Both cases lead to same result: 4 identities to review, instead of the 4k identities the access profile has.

Hi Marko! Apparently yes, access profile has been granted by some birthright role.

@jsosa “Hi! Yes, I have tried both approaches: entering XXXX in the query box, and selecting XXXX access item. Both cases lead to same result: 4 identities to review, instead of the 4k identities the access profile has”

  • Does this mean that 4 identities appear in campaign, after the generation of campaign, or only 4 identities are able to be selected during the configuration of campaign (if you go with “Search based campaign” steps etc.)?

Hi Julian,

I haven't tested it myself, but I wonder if the difference is between Access Profile assigned by role vs Access Profile not assigned by role (either auto-detected or directly requested).

Hi Marko! 4 identities appear in campaign preview. When configuring certification, I select access item (access profile XXXX), and then, in identity selection, I simply select All.

I can see that 4000 identities have XXXX profile in search, using @access(name:XXXX)

@jsosa The birthright role which assigns that AP, is it granted by the request (is that role requestable), or identities grant that birthright role by certain identity criteria?

I believe that in first case (if role was granted by the request), that AP won’t be shown in campaign for these identities (SailPoint will refuse to certify that as higher layer of abstraction is upon, in this case, birthright role which encapsulates that AP), unless you select that role (which contains your AP) to certify actually.

Marko, we could confirm that problem was birthright role. We have created one as part of a solution to bulk assign some access profile to several identities. Our goal was to certify this access, and when reviewer removes it, a workflow captures event and disables account.

So, we are removing birthright role now, we will assign access profile via script.

Thanks!
