I went through the Coupa SaaS Connector documentation - Integrating SailPoint with Coupa SaaS. Various Coupa entitlements like roles, content groups, account groups, approval groups and user groups are supported for aggregation and provisioning.
But how do we manage Coupa user license updates? The Coupa license assigned to the user is based on the boolean value (true / false) for these license attributes in the user’s profile. Let’s say during creation a default license is set up and I define it through a provisioning policy, how do I add / remove other licenses via access request? Appreciate the insights.
I haven’t worked on the Coupa connector, but in generic terms, these kinds of scenarios, where a set of other profiles is to be revoked when a specific profile is requested, can be achieved using workflows.
Here is what I would suggest for workflow:
Mark the license attributes in account schema as type entitlement such that they get promoted during account aggregation.
Define access profiles for both true/false values for each type of licenses.
Create a workflow with Trigger as Access Request Decision → Verify the submitted request contained one of the license related access profile and is approved
Use get access step to get all the access profiles of the user
Use a loop step with an input filter of only access profiles specific to the application and with the naming convention of access profile, let’s say starts with Coupa and ends with license → indicating the access profiles of Coupa licenses
Inside the loop, perform the revoke action of the respective access profile (the one containing the False value) using the Manage Access step.
P.S: Make sure you perform an exclusion for revocation for the recently requested license.
Being unable to define it as an entitlement will be a blocker, as you cannot make it requestable as an entitlement or access profile.
But I don’t think that is the case here. The type of the attribute is defined as boolean and hence you won’t be able to define it as an entitlement, but you can change the attribute schema type to String and then mark it as an entitlement.
Usually, the connector still supports this transformation. We did it in a similar way for one of the OOTB connectors to make it an entitlement. You can try the same and update how the aggregation goes after you change the type.
I am unsure why you chose the SaaS connector. But, in case you are going with the VA based Coupa connector, you can also use Before prov rule to make similar changes instead of workflow. I would prefer workflow approach as it gives you the control, but in case you do not have workflow license or any such, before prov rule can be utilized to achieve the same.
Thanks @uday_kilambiCTS for the suggestion! Marking the attribute as entitlement is showing the below prompt. And I don’t see a flexibility to define a new entitlement type in the Coupa SaaS connector. How do we proceed here?
You do not need to define an entitlement type; it can be of type string only. When you run an aggregation, all the unique values of the attribute, in this case TRUE and FALSE, will be promoted as entitlements by the account aggregation task.
Were you not able to change the type to String? Or even after changing the type to string, were you unable to mark it as an entitlement? Which was the case here?
I was able to change the type to string and marked the specific attribute as entitlement but post account and group aggregation the values for the attribute didn’t get imported as an entitlement.
That is strange, if the attribute is marked as an entitlement, it should be promoted as an entitlement after account aggregation. You can try executing unoptimized aggregation.
If it still doesn’t work, can you post a screenshot of the schema configuration of this attribute and any user account where this value is represented as an attribute rather than an entitlement?