In my opinion, depending upon your use case, if you need a one-time certification, then you can set up the certification campaigns using the queries below:
For Employees -> Campaign 1
(_exists_:manager) AND @access(source.name:"SOURCE NAME")
For contractors –> Campaign 2
NOT(_exists_:manager) AND @access(source.name:"SOURCE NAME")
For both campaigns, you can then refine access to include only access from this source.
For campaign 1, you can then set up the manager as the reviewer.
For campaign 2, it could be tricky to set up the privilege owner as the reviewer, considering that SailPoint has recently launched a feature for additional owners, so I am not really sure how that will work if you try to set the privilege owner as the reviewer. By default, I am not sure if that will be possible.
The only other option I could think of is using a workflow where you run the second query, see the access assigned to the user, get their entitlement owner, and assign the owner as an individual reviewer.
So, as stated in the description, the certification is for only four entitlements on the source. Each privileged entitlement has a different owner, so I cannot easily assign it to a specific person.
Also, I am only looking to set up one review as (over time) this will need to be done over 100+ applications, so there is an administration component to this as well.
The organization at this time is only certifying privileged access and not doing a full source review.
Thank you for the clarification.
As per my understanding, in this case you will require multiple attestation campaigns based on the different reviewers, privilege owners and managers.
Using a workflow you could achieve it, and then later you will have to create another workflow to clean up the certificate templates once the campaign is over. The cleanup workflow you could create based on the campaign deadline and status. If the campaign is already closed and signed off, then you could perhaps delete it.
Adding to @vguleria's solution, a clean implementation could be to use:
Internal users with manager campaign -
A single Search campaign using the identity query _exists_:manager AND @access(source.id:<source-id>) and selecting the 4 entitlements from the access list. These identities can have their manager as the reviewer for the selected access.
External users with no manager campaigns -
For each entitlement, a Search campaign is created:
The identity query NOT (_exists_:manager) AND @access(source.id:<source-id>) and selecting a single entitlement from the access list
The individual reviewer can be set to the entitlement owner for the selected entitlement
This will need to be scaled as more entitlements/access are reviewed.
Another approach would be to use an ISC workflow to iterate over the campaign certification items to reassign the reviewer to the entitlement owner. However, the implementation would depend on several factors such as the expected number of identities without managers as well as the limitations of the loop operator and certification reassignment APIs.
@michael_mckeehan You can create the certification campaigns in Preview first and assign yourself as the reviewer. For these four entitlements, keep yourself as the reviewer, generate the campaigns, and then reassign the access items to the correct reviewers later using Postman in the preview state.
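The two replies above both describe the same mechanical step: after generating a campaign with a placeholder reviewer, walk the certification items and hand each one to the right person (manager for internal users, entitlement owner for externals without a manager), batching by target reviewer. The following Python script is an added example written for this thread, not code from SailPoint or from any poster. The review items are constructed sample data; the field names `ReviewItem` carries, the `build_reassignments` helper and the shape of the reassignment payload it emits are assumptions modelled on the v3 certification reassign request (a list of item ids plus a `reassignTo` identity), and should be checked against the current API documentation before use.

```python
"""Group certification items by the reviewer they should end up with.

Added example for the thread above (not SailPoint code). Field names and the
payload layout are assumptions; verify them against the ISC API docs.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ReviewItem:
    """One access review item as it might be read back from a campaign.

    Assumed field names (constructed for this example).
    """
    item_id: str
    identity: str
    manager_id: Optional[str]      # None for external users with no manager
    entitlement: str
    entitlement_owner_id: str


def target_reviewer(item: ReviewItem) -> str:
    """Manager review for identities that have one; owner review otherwise."""
    return item.manager_id if item.manager_id else item.entitlement_owner_id


def build_reassignments(items: List[ReviewItem],
                        current_reviewer_id: str) -> Dict[str, dict]:
    """Return one reassignment payload per target reviewer.

    Items already held by the correct reviewer are left alone, so re-running
    the script after a partial failure only touches what is still wrong.
    """
    by_reviewer: Dict[str, List[str]] = defaultdict(list)
    for item in items:
        reviewer = target_reviewer(item)
        if reviewer == current_reviewer_id:
            continue
        by_reviewer[reviewer].append(item.item_id)

    payloads = {}
    for reviewer, item_ids in by_reviewer.items():
        # Assumed payload shape; confirm against the reassign endpoint docs.
        payloads[reviewer] = {
            "reassignTo": reviewer,
            "reason": "Privileged entitlement review: route to manager or entitlement owner",
            "reassign": [{"id": i, "type": "ITEM"} for i in item_ids],
        }
    return payloads


def reassignment_summary(payloads: Dict[str, dict]) -> Dict[str, int]:
    """Item count per reviewer, handy to eyeball before sending anything."""
    return {r: len(p["reassign"]) for r, p in payloads.items()}


# Constructed sample campaign: four entitlements A-D, mixed internal/external
# users, generated with the admin (admin-1) as the placeholder reviewer.
SAMPLE_ITEMS = [
    ReviewItem("ci-1", "alice",     "mgr-1",   "A", "own-A"),
    ReviewItem("ci-2", "bob",       "mgr-1",   "B", "own-B"),
    ReviewItem("ci-3", "carol",     "mgr-2",   "A", "own-A"),
    ReviewItem("ci-4", "dan-ext",   None,      "A", "own-A"),
    ReviewItem("ci-5", "eve-ext",   None,      "C", "own-C"),
    ReviewItem("ci-6", "frank-ext", None,      "D", "own-D"),
    ReviewItem("ci-7", "grace",     "admin-1", "B", "own-B"),  # already correct
]

if __name__ == "__main__":
    for reviewer, payload in build_reassignments(SAMPLE_ITEMS, "admin-1").items():
        print(reviewer, [e["id"] for e in payload["reassign"]])
```

Each payload maps to one reassign call against the campaign's certification, so the number of API calls equals the number of distinct reviewers rather than the number of items. The skip on `current_reviewer_id` is what makes the script safe to re-run; without it a second pass would rebuild batches for items that no longer sit with the placeholder reviewer.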
I think the problem with this is that there are managers that will need to review their people. Also, this will not scale well and is not repeatable. I may just need to accept this limitation of ISC and create 2 certifications. One for the manager, and one for the entitlement owner.
For those of you who may be following this thread here is the current solution.
Reiteration of the problem statement:
I have 4 entitlements - A,B,C,D
I need to review all access on the entitlements
Each entitlement has a different owner
Entitlement owners are assigned to the entitlement
Each entitlement has a mix of internal and external users
With the current company structure, the external users do not have a manager
Review 1
I can set up a manager review for the internal employees who have a manager in the identity profile. I can set up a review for all 4 entitlements, HOWEVER, I will have to individually remove all the external users from the review
Reviews 2-5
I will need to set up a separate review for each entitlement, and when I set this up I will need to select the owner of the certification because entitlement owner is not an option (screenshot for proof)
While this is not optimal for this source, it is doable. We do have another source though that is in the same boat, but will have about 60 entitlements that we need to review, plus the eventual AD and Entra privileged role reviews.