Community Members - How do you manage the lifecycle of your entitlements?

I wanted to create a topic specific to entitlement management to gather information on how others do it, in the hope that we might get some ideas in the community on how we could manage them better.

Respond however you want, but I’m going to break it into a few different categories and describe each.

Onboarding
We use ServiceNow to help onboard Active Directory security and distribution groups. The workflow first goes to our team to review, mainly to ensure there is adherence to naming conventions and the description is understandable by the masses. Being able to document an application that it’s linked to would also be helpful.

After the review step, ServiceNow creates the group in AD, waits for the next aggregation, searches for the entitlement, then creates the access profile using the API, setting the owner based on the owner that was requested in the form.

Ongoing Maintenance
When it comes to changing ownership of entitlements and access profiles, we have a ServiceNow catalog item that lets people request ownership changes. If the current owner is active, it sends them an approval request. If they’re not, it sends their manager one, and if the manager isn’t active anymore, it goes to our team for review. After approved, it uses the IDN API to change the ownership of each access item requested.

Offboarding
We don’t have an official process for retiring entitlements, but it typically follows these steps:

  1. Remove the entitlement from all users

  2. Wait a pre-determined period of time to see if it broke anything

  3. If nothing was broken, delete the source entitlement and the access profile, if one exists

Main pain points
One thing I feel is missing from this tool is the ability to create certifications for entitlement owners and require them to certify that:

  1. The metadata of a given entitlement (name, description, owner) is accurate

  2. The entitlement is still in use and needed

We struggle greatly with both of these, specifically around entitlements in Active Directory.

I would love to hear from the rest of you!

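To make the ownership-change and onboarding steps above concrete, here is an added example; it is not from the original post and not SailPoint's own code. It models the approval routing (active owner, else active manager, else the team), the JSON Patch body that the "IDN API" step would send to change an owner, the access-profile body the onboarding step creates, and a naming-convention check for the review step. The endpoint paths and payload shapes are my assumptions about the IdentityNow v3/beta REST API, the naming convention is constructed, and the client is a fake that records requests so the code runs offline.

```python
"""Added example, not from the original post and not SailPoint's own code: an
offline model of the entitlement/access-profile ownership workflow described
above. Endpoint paths and payload shapes are assumptions about the
IdentityNow v3/beta REST API; check them against the current API reference."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed naming convention for the review step: prefix (SG = security,
# DL = distribution), an application code, then a free-form suffix.
GROUP_NAME_RE = re.compile(r"^(SG|DL)-[A-Z0-9]+-[A-Za-z0-9-]+$")
REVIEW_TEAM = "iam-team"  # constructed id for the team's fallback approval queue


@dataclass
class Identity:
    id: str
    name: str
    active: bool
    manager_id: Optional[str] = None


def validate_group_request(name: str, description: str) -> list:
    """Return review findings for an AD group request; an empty list passes."""
    findings = []
    if not GROUP_NAME_RE.match(name):
        findings.append("name does not follow the SG|DL-<APP>-<purpose> convention")
    if len(description.split()) < 3:
        findings.append("description too short to be understandable by requesters")
    return findings


def pick_approver(current_owner: Identity, directory: dict) -> str:
    """Routing from the post: active owner, else active manager, else the team."""
    if current_owner.active:
        return current_owner.id
    manager = directory.get(current_owner.manager_id)
    if manager is not None and manager.active:
        return manager.id
    return REVIEW_TEAM


def owner_patch(new_owner: Identity) -> list:
    """JSON Patch body that replaces the owner of an access item (assumed shape)."""
    return [{"op": "replace", "path": "/owner",
             "value": {"type": "IDENTITY", "id": new_owner.id, "name": new_owner.name}}]


def access_profile_body(name: str, description: str, source_id: str,
                        entitlement_id: str, owner: Identity) -> dict:
    """Body for creating an access profile wrapping one AD group (assumed shape)."""
    return {
        "name": name,
        "description": description,
        "enabled": True,
        "owner": {"type": "IDENTITY", "id": owner.id, "name": owner.name},
        "source": {"type": "SOURCE", "id": source_id},
        "entitlements": [{"type": "ENTITLEMENT", "id": entitlement_id}],
    }


class FakeIdnClient:
    """Records requests instead of sending them so the example runs offline."""

    def __init__(self):
        self.calls = []

    def patch(self, path: str, body: list) -> dict:
        self.calls.append(("PATCH", path, body))
        return {"id": path.rsplit("/", 1)[-1], "owner": body[0]["value"]}

    def post(self, path: str, body: dict) -> dict:
        self.calls.append(("POST", path, body))
        return {"id": "ap-" + str(len(self.calls)), **body}


def change_ownership(client, items: list, new_owner: Identity, approved: bool) -> list:
    """After approval, patch the owner on every requested access item.

    items is a list of (type, id) pairs; ACCESS_PROFILE and ENTITLEMENT map to
    the (assumed) v3 and beta endpoints respectively. Nothing is sent unless
    the approval step completed."""
    if not approved:
        return []
    paths = {"ACCESS_PROFILE": "/v3/access-profiles/{}",
             "ENTITLEMENT": "/beta/entitlements/{}"}
    return [client.patch(paths[item_type].format(item_id), owner_patch(new_owner))
            for item_type, item_id in items]


if __name__ == "__main__":
    alice = Identity("i1", "Alice", active=False, manager_id="i2")
    bob = Identity("i2", "Bob", active=True)
    directory = {"i1": alice, "i2": bob}
    print(validate_group_request("SG-HR-Payroll-Admins", "Payroll admin access"))
    print(pick_approver(alice, directory))  # alice is inactive, so Bob approves
    client = FakeIdnClient()
    print(change_ownership(client, [("ACCESS_PROFILE", "ap1")], bob, approved=True))
```

Swapping `FakeIdnClient` for a real HTTP client (bearer token from the client-credentials grant, same paths and bodies) is the only change needed to move this from a dry run to the live tenant; keeping the routing and payload construction separate from transport also makes the approval logic unit-testable without any tenant access.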

Maybe you already tried this: if it is the entitlement owner you want to certify, then why not opt for a certification from search using the query owner.name:"Admin 1"? This should allow you to select all the entitlements that identity owns and then certify them by selecting any one identity from the list of holders of that entitlement, directing the owner to certify by selecting him as an INDIVIDUAL reviewer.
This should solve your use case for revalidating the need for that entitlement.

This is interesting @mcheek

We used to manage this using Quicklinks in IIQ, but in IDN we don’t have that feature yet.

We haven’t implemented any process for managing the entitlement lifecycle; it is completely manual work.

Your solution using ServiceNow looks promising, but one concern is that I don’t like to depend on external apps. I would like to implement all the required solutions using the IDM solution itself, if possible using OOTB features, and if not then custom solutions.

If no OOTB solution comes from IDN in future, then I would go for custom web development making use of the IDN APIs.


In case anyone is reading this and is interested in SailPoint providing a solution, I posted GOV-I-3461 in the ideas board, so please go vote for it!