Certification of Entitlements that are part of a Role

A user has Role A, which has Entitlements A, B, and C. The user also has Entitlement D. When starting the campaign, we want to review only Entitlement D, but it will present A, B, C, and D to the reviewer.

Have you tried a search campaign where you limit the search criteria to just Entitlement D? For example, I can generate a campaign from search that certifies a single entitlement.

The use case here is that we want to review all users’ entitlements that are not covered by their Roles. So while we could select just one entitlement, there may be another user with Role B that has Entitlement D and we do not want that item to be shown to the manager since they would not be able to revoke it.

In this case we would want to review Entitlement D for user A, but not for user B.

It sounds like the feature you are looking for is to certify “rogue” entitlements (i.e. entitlements not tied to an access profile or role). I don’t think campaign search is robust enough to perform a diff operation like this, especially since each identity will have different roles and entitlements. I haven’t verified this, but I’m doubtful that you will be able to generate a single cert campaign that will certify all rogue entitlements for every identity. It might be possible to make some API calls to find all identities and their rogue entitlements, and then construct individual cert campaigns for each identity with just those entitlements. Obviously, this could result in hundreds, maybe thousands of cert campaigns, which might not be ideal.

In the meantime, can you submit an idea for this?

Idea created. https://ideas.sailpoint.com/ideas/GOV-I-2111

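The per-identity diff discussed in this thread, as an added example (not from any poster and not SailPoint code): it computes, for each identity, the entitlements held that no assigned role or access profile grants, which is the scope each per-identity campaign would need. The data shapes, identity names, and source names are constructed assumptions; fetching the data through the API and creating the campaigns are left out.

```python
from collections import namedtuple

# Key entitlements by source + attribute + value, not display name, so that
# same-named groups on two sources are never treated as the same access.
Entitlement = namedtuple("Entitlement", "source attribute value")

def ent(value, source="AD", attribute="memberOf"):
    return Entitlement(source, attribute, value)

# Constructed sample data (hypothetical shapes, not a SailPoint API response).
ACCESS_PROFILES = {"AP-Finance": {ent("A"), ent("B")}}
ROLES = {
    "Role A": {"entitlements": {ent("C")}, "access_profiles": ["AP-Finance"]},
    "Role B": {"entitlements": {ent("D")}, "access_profiles": []},
}
IDENTITIES = {
    "user.a": {"roles": ["Role A"], "access_profiles": [],
               "held": {ent("A"), ent("B"), ent("C"), ent("D")}},
    "user.b": {"roles": ["Role B"], "access_profiles": [], "held": {ent("D")}},
    "user.c": {"roles": [], "access_profiles": ["AP-Finance"],
               "held": {ent("A"), ent("B"), ent("D"), ent("D", source="LDAP")}},
}

def covered_by_assignments(rec, roles, access_profiles):
    """Entitlements granted through the identity's roles and access profiles."""
    ap_names = list(rec["access_profiles"])
    covered = set()
    for name in rec["roles"]:
        covered |= roles[name]["entitlements"]
        ap_names += roles[name]["access_profiles"]
    for ap in ap_names:
        covered |= access_profiles[ap]
    return covered

def rogue_scopes(identities, roles, access_profiles):
    """Map identity -> sorted rogue entitlements; fully covered identities are skipped."""
    scopes = {}
    for ident, rec in identities.items():
        rogue = rec["held"] - covered_by_assignments(rec, roles, access_profiles)
        if rogue:  # no campaign needed when everything comes from a role
            scopes[ident] = sorted(rogue)
    return scopes

if __name__ == "__main__":
    for ident, items in rogue_scopes(IDENTITIES, ROLES, ACCESS_PROFILES).items():
        print(ident, [f"{e.source}:{e.value}" for e in items])
```

Entitlement D is in scope for user.a but not for user.b, whose copy comes from Role B, which matches the case raised in the thread.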