Hello Everyone,
We are seeing something quite strange in our search-based certification campaign we just launched. So at the moment, we have an AD group with 11 users, and I can also confirm that the AD group is also showing 11 identities in SailPoint when I view it from the entitlement tab and also from the search UI. However, when we generate/launch the certification campaign, only 5 identities are coming up. The campaign seems to be omitting 6 identities when we generate/launch it.
As troubleshooting steps, I can confirm the following details are correct:
Hi @Otunba_skillz
You’re certifying an AD group, which is just an entitlement. I’m not sure if “Manager Certification” is the right choice. Instead, you can use a search-based “Access Item” certification and search the entitlement name in double quotes to get the exact result.
Hi @Otunba_skillz
Could you please check whether the AD groups for the other 6 identities were coming as direct entitlements or as underlying access of access profiles or roles? If coming as underlying access, it will not appear in certifications as separate access.
Hello Rohit,
Thanks for your response. So for clarity, what you explained is exactly what I did. The certification campaign is a search-based access item campaign. I have edited my post to reflect this.
Hello Tulasi,
The other 6 identities got the entitlement via a SailPoint Role.
However, we would have thought doing an access review only on that entitlement as well would bring up all 11 identities for review. At this stage, we do not want to run a campaign on the role but just the entitlements.
Also, I know that if the identities received the entitlement via a SailPoint role, then running a campaign on just the AD group (entitlement) won’t revoke the access because of the hierarchy structure of access items. But we are just curious as to why a search-based certification campaign that shows 11 identities when you run the query only ends up returning 5 identities when we generate/launch the campaign.
So I think it’s the reverse of what you said is the issue I am having. So basically identities that have the entitlement are 11. However, when we run the campaign, only 5 identities are presented for review. So the campaign is omitting 6 identities and I believe those 6 identities got the entitlement through a SailPoint Role while the 5 identities that are presented for review got the entitlement via AD (manually added them in the group in AD).
My confusion is around this: if 11 identities have that entitlement, then running a search query on that entitlement and starting a campaign with it should have provided 11 identities for review in the campaign, but in this case, that’s not what is happening.
However, from my screenshot below, I’m guessing point number 2 is the reason for the behaviour I’m seeing.