Certifications: Exclude entitlements inherited from IT roles that are part of a Business Role

Which IIQ version are you inquiring about?

8.3

Good day,

Is it possible, in the certification process (manager/target), to exclude entitlements inherited from IT roles that are part of a Business Role?

For example:
Business Role A → IT Role B → Entitlement C, Entitlement D

I want the certification to:

  • List Business Role A

  • Exclude entitlements C and D (inherited from IT Role B)

  • List only other entitlements (not inherited from any role).

Regards.

@Nureen_Govan You can achieve this with an Exclusion Rule. You can create a method such that if it's part of any business role or birthright role, then it is not added to the certification list.

Let me see if I can find some samples for you.

Filter entitlement from bundles - IdentityIQ (IIQ) / IIQ Discussion and Questions - SailPoint Developer Community

Certification Exclusion Rule - IdentityIQ (IIQ) / IIQ Community Knowledge Base - SailPoint Developer Community

You will get some idea from the above links. Let me know if that works.

When you build/schedule the Manager (or Target) certification:

  1. Include Roles
    (so the review shows Business Role A)
  2. For entitlements, choose Included Access (a.k.a. “additional entitlements”)
    • This means: entitlements assigned to the user that are not contained in any defined role
    Do NOT select Entitlements
    • Because selecting Entitlements will pull in the role-composed entitlements (like C and D) again.

Result:
• Reviewer sees Business Role A
• Reviewer sees only non-role / “extra” entitlements
• Entitlements inherited via IT roles inside the business role (C, D) are not shown.

But if you must include Entitlements anyway, then you need a Certification Exclusion Rule to remove any entitlement that is part of any role.

Hey @Nureen_Govan

If my answer satisfies your question, would you mark it as the solution?

If you have more queries, you are welcome to ask.

Amr
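
One way to write the Certification Exclusion Rule mentioned in the replies above, as an added example that is not code from any poster or from SailPoint: it keeps roles in the review and moves an entitlement to `itemsToExclude` only when every one of its values appears in the profiles of the identity's assigned or detected roles, following required and inherited roles. It assumes role entitlements are defined as profile filters and that the rule receives the exclusion-rule inputs `entity`, `items` and `itemsToExclude`; the `application|attribute|value` key format is a convention of this example.

```java
// Added example: body of a CertificationExclusion rule (BeanShell); inputs: entity, items, itemsToExclude.
import java.util.*;
import sailpoint.object.*;

Collection asValues(Object v) {
    return (v instanceof Collection) ? (Collection) v : Collections.singletonList(v);
}
// Walk a profile filter tree; record "application|attribute|value" for each leaf (example convention).
void collectFilter(String app, Filter f, Set keys) {
    if (f instanceof Filter.CompositeFilter) {
        for (Object c : ((Filter.CompositeFilter) f).getChildren()) collectFilter(app, (Filter) c, keys);
    } else if (f instanceof Filter.LeafFilter) {
        Filter.LeafFilter leaf = (Filter.LeafFilter) f;
        for (Object val : asValues(leaf.getValue())) keys.add(app + "|" + leaf.getProperty() + "|" + val);
    }
}
// Record a role's profile entitlements, then follow its required and inherited roles.
void collectRole(Bundle role, Set seen, Set keys) {
    if (role == null || !seen.add(role.getName())) return;   // guard against cycles
    List profiles = role.getProfiles() != null ? role.getProfiles() : new ArrayList();
    for (Object p : profiles) {
        Profile profile = (Profile) p;
        if (profile.getApplication() == null || profile.getConstraints() == null) continue;
        for (Object f : profile.getConstraints()) collectFilter(profile.getApplication().getName(), (Filter) f, keys);
    }
    List linked = new ArrayList();
    if (role.getRequirements() != null) linked.addAll(role.getRequirements());
    if (role.getInheritance() != null) linked.addAll(role.getInheritance());
    for (Object r : linked) collectRole((Bundle) r, seen, keys);
}

if (!(entity instanceof Identity)) return null;
Set keys = new HashSet();
Set seen = new HashSet();
List roles = new ArrayList();
if (((Identity) entity).getAssignedRoles() != null) roles.addAll(((Identity) entity).getAssignedRoles());
if (((Identity) entity).getBundles() != null) roles.addAll(((Identity) entity).getBundles());  // detected roles
for (Object r : roles) collectRole((Bundle) r, seen, keys);

for (Iterator it = items.iterator(); it.hasNext();) {
    Object item = it.next();
    if (!(item instanceof EntitlementGroup)) continue;        // roles and violations stay in the review
    EntitlementGroup eg = (EntitlementGroup) item;
    Map attrs = eg.getAttributes();
    // Items that also carry permissions are never excluded, so no access silently drops out of review.
    boolean covered = attrs != null && !attrs.isEmpty() && (eg.getPermissions() == null || eg.getPermissions().isEmpty());
    if (covered) for (Object name : attrs.keySet())
        for (Object val : asValues(attrs.get(name)))
            covered = covered && keys.contains(eg.getApplicationName() + "|" + name + "|" + val);
    if (covered) { it.remove(); itemsToExclude.add(item); }  // excluded only when every value is role-granted
}
return "Entitlement is granted through a role";
```

Excluded items are recorded with the returned explanation, so the exclusions list of a test certification shows exactly which entitlements the rule removed from review.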