Hey everyone,
We are running a certification campaign in SailPoint Identity Security Cloud (ISC) and we’ve hit a major problem affecting both reviewer experience and provisioning success.
Our goal is to certify only ad-hoc access profiles (APs) that were manually requested.
Our Setup:
Roles grant Entitlements (this is our Birthright access).
Access Profiles (APs) grant the same Entitlements (this is our ad-hoc access).
The Two Major Problems:
Problem 1: Reviewer Overload (Filtering)
Our certification is showing ALL access, including the entitlements granted by the birthright Roles, even though we only want to review the ad-hoc APs.
Reviewers are presented with a huge amount of access they don’t need to review (it’s covered by a permanent Role/Birthright).
How do we configure the certification campaign to only display Access Profiles that are not granted by a Role?
Problem 2: Provisioning Failure (Revocation Conflict)
When a reviewer marks one of the overlapping ad-hoc Access Profiles for removal, the provisioning task fails because the underlying Entitlement is still actively tied to the user’s Role. ISC tries to remove the Entitlement entirely, which is blocked by the active Role assignment.
What is the best practice in ISC to solve this provisioning logic?
Is there a standard setting we can use to tell the system: “If this entitlement is also granted by a Role, just remove the Access Profile assignment and skip the entitlement removal push?”
This issue is creating noise for reviewers and technical failures for remediation. Any guidance on how to properly separate and manage birthright vs. requested access in ISC certifications would be extremely helpful!
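To make the two problems concrete, here is an added illustration (not code from the original post, and not how SailPoint ISC itself evaluates revocations) of the logic the poster is asking for: flag Access Profiles whose entitlements are already fully covered by the identity's birthright Roles, and, on revocation of an AP, deprovision only entitlements that no remaining Role or AP still grants. Role, AP and entitlement names are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample catalogue: birthright Roles and ad-hoc Access Profiles
# that grant overlapping Entitlements (the situation described in the post).
ROLES = {
    "Engineer": {"git:read", "jira:user"},
}
ACCESS_PROFILES = {
    "AP-git-read": {"git:read"},                  # fully covered by Engineer
    "AP-prod-deploy": {"deploy:prod", "git:read"},  # partly overlaps Engineer
}


@dataclass
class Identity:
    roles: set          # assigned Role names
    access_profiles: set  # requested (ad-hoc) Access Profile names


def role_granted(identity: Identity, roles=ROLES) -> set:
    """Entitlements the identity holds through birthright Roles alone."""
    return set().union(*(roles[r] for r in identity.roles)) if identity.roles else set()


def effective_entitlements(identity: Identity, roles=ROLES, aps=ACCESS_PROFILES) -> set:
    """Desired-state entitlements: everything granted by any Role or AP."""
    ents = role_granted(identity, roles)
    for ap in identity.access_profiles:
        ents |= aps[ap]
    return ents


def redundant_access_profiles(identity: Identity, roles=ROLES, aps=ACCESS_PROFILES) -> set:
    """APs whose entitlements are all already granted by a Role.

    These are the items that add reviewer noise and whose revocation would
    conflict with the Role; a filtered campaign would exclude or flag them."""
    covered = role_granted(identity, roles)
    return {ap for ap in identity.access_profiles if aps[ap] <= covered}


def plan_revocation(identity: Identity, ap: str, roles=ROLES, aps=ACCESS_PROFILES):
    """Revoke an AP assignment; return (entitlements to deprovision, entitlements retained).

    Only entitlements that no remaining Role or AP grants are pushed for removal,
    so a Role-backed entitlement is never removed from the source."""
    before = effective_entitlements(identity, roles, aps)
    remaining = Identity(identity.roles, identity.access_profiles - {ap})
    after = effective_entitlements(remaining, roles, aps)
    return sorted(before - after), sorted(aps[ap] & after)
```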