Complex Access Certifications

Hello everyone,

My team and I have been asked to create an access certification for SAP. The ask is that they want to break these reviews out for site owners. Each entitlement can be applied at multiple sites. When we looked into building these certifications we tried to do it by Identities and Access. The challenge we run into is that if we use the Identities we have to manually set the Access to be reviewed. This would lock in the Access to the roles which we select when setting up this review, so if a user is added to another role it would not be reviewed in the next review. If we use Access we get the same issue but with Identities.

I was wondering if anyone else has had this kind of requirement and how you solved for these more complex reviews? For scale it could be any combination of 300+ entitlements per site, and each site has its own reviewer. This we are looking at Governance Groups to address. We are struggling with making the list populate dynamically without having a dedicated resource to modify these reviews each time they are run.

My team is only 5 members and each one of us plays a different role in maintaining ISC, so we do not have the bodies to be able to babysit access certifications. Any and all ideas welcome.

Here is what I might do if you can’t use governance groups or something simpler to address it. I would use the SDK/API to write a program to:

  1. Read in a file with the location ids and the reviewers
  2. Use the entitlements API to pull all of the entitlements associated with SAP
  3. Iterate through the response to create a list of all of the ids of the SAP entitlements.
  4. In the program, I would have stored the basic body of a search-based certification campaign
  5. I would insert my saved list of entitlement ids from above into access constraints section.
  6. I would use the search to find the id for the reviewer. I would insert that into the reviewer field.
  7. For the search itself I would create a search for all identities at a particular location.
  8. Once my campaign body is complete, I would create the search campaign.
  9. Then I would go back to step 6 for each additional location and create a campaign for that location.

This seems like a lot of work upfront, but if you have to create many campaigns, it will save you time in the future. For each certification period, you will only have to update the locations list and the reviewers.

Since the desire is for individual campaigns, the other big win with a scripted process is you can assure the auditors that the campaigns are identical, with only the specific variables being adjusted.

create-campaign | SailPoint Developer Community

1 Like
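The per-location workflow in the answer above, as an added example that is not part of the original post or SailPoint's own code. It builds one search-based campaign body per site from a locations/reviewers file and a list of SAP entitlement ids; the API responses are replaced by constructed stand-ins so it runs offline, the campaign field names follow the create-campaign request linked above, and the identity attribute `location` used in the search query is an assumption about the tenant.

```python
import csv

# Constructed sample of the step-1 file: one row per site with its reviewer.
LOCATIONS_CSV = """location_id,reviewer_email
PLANT-01,alice.reviewer@example.com
PLANT-02,bob.reviewer@example.com
"""
# Constructed stand-ins for the entitlements API response (step 2) and the
# identity search that resolves reviewer ids (step 6), so this runs offline.
SAMPLE_ENTITLEMENTS = [
    {"id": "ent-1001", "name": "SAP_FI_DISPLAY", "source": {"name": "SAP"}},
    {"id": "ent-1002", "name": "SAP_MM_POST", "source": {"name": "SAP"}},
    {"id": "ent-2001", "name": "Domain Users", "source": {"name": "Active Directory"}},
]
SAMPLE_REVIEWER_IDS = {"alice.reviewer@example.com": "id-aaa", "bob.reviewer@example.com": "id-bbb"}

def read_locations(text):
    """Step 1: parse the location-id / reviewer file."""
    return list(csv.DictReader(text.splitlines()))

def sap_entitlement_ids(entitlements):
    """Step 3: deduplicated ids of entitlements whose source is SAP."""
    return sorted({e["id"] for e in entitlements if e["source"]["name"] == "SAP"})

def build_campaign_body(location_id, reviewer_id, entitlement_ids):
    """Steps 4-7: the search-based campaign body ('location' attribute is assumed)."""
    return {
        "name": f"SAP site access review - {location_id}",
        "description": f"SAP entitlements held by identities at {location_id}",
        "type": "SEARCH",
        "searchCampaignInfo": {
            "type": "IDENTITY",
            "query": f'attributes.location:"{location_id}"',
            "reviewer": {"type": "IDENTITY", "id": reviewer_id},
            "accessConstraints": [{"type": "ENTITLEMENT", "ids": list(entitlement_ids),
                                   "operator": "SELECTED"}],
        },
    }

def plan_campaigns(locations, reviewer_ids, entitlement_ids):
    """Steps 8-9: one body per location, identical except for site query and reviewer.
    An unresolved reviewer aborts the run so no site silently ends up without an owner."""
    bodies = []
    for row in locations:
        reviewer = reviewer_ids.get(row["reviewer_email"])
        if reviewer is None:
            raise ValueError(f"no identity found for reviewer {row['reviewer_email']}")
        bodies.append(build_campaign_body(row["location_id"], reviewer, entitlement_ids))
    return bodies
```

Each returned body is what you would POST to the create-campaign endpoint linked above; the script itself sends nothing, so the bodies can be diffed and reviewed before any campaign is created.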

Thank you!!! I will share this with my leader. For this use case a more advanced ISC user with a developer background is required. Again, thank you for confirming this.
