We have to create a new birth-right access profile since an existing entitlement on the current access profile needs to be removed. This access profile is related to an AD source.
We would like to know if there is any impact on existing users, such as whether SailPoint will perform create account/add entitlement operations for all existing users, etc.
What are the best practices we could follow?
Appreciate any help on this please.
Hello, will the new AP be part of the same birthright role as the old AP?
Do you want to have users not inherit the current AP anymore (if that AP contains only 1 entitlement that needs to be removed too), and then place a new AP in the same birthright?
If you just add a new AP in the same birthright, all users falling under the criteria of the birthright will be granted that AP and the entitlements from that new AP (accounts will be created for users who didn’t have an account on the same source, and entitlements from that new AP will be added for existing accounts for identities fulfilling the birthright criteria).
If you just remove the entitlement from the existing AP and do processing, identities will still have that entitlement; it just won’t be associated with that AP (I believe it works like that, cannot say 100%).
I believe it works the way that @markomanium mentioned.
However, if you want to remove the older entitlement, you can update the role criteria so that the entitlement is revoked from users, then make the necessary changes to the access, and finally revert the criteria back to its original state. This approach will successfully revoke the entitlement, but it will also cause other entitlements tied to that role to be revoked during the process.