Custom Entitlement Request Form for GitLab Integration in IdentityIQ

8.4p2

  • I am working on integrating GitLab with SailPoint IdentityIQ and have a specific requirement during the entitlement request process. When a user requests a GitLab entitlement (e.g., access to a project), I want to ensure they must also select an Access Level (e.g., Guest, Reporter, Developer, Maintainer, Owner).
  • From my understanding, this may require a custom entitlement request form that will be tied to Provisioning when requesting an entitlement. Any input or reference to docs, etc. will be appreciated.

  • In OIM, I could achieve this through child Forms.

You may want to check if your requirements can be met using a role provisioning policy or application provisioning policy. These options allow the requester to enter additional information for attributes that will be provisioned along with the entitlements.

No, the requirement is to capture the Access Level attribute when requesting an entitlement. This is a very basic use case; I do not believe SailPoint simply failed to consider it. Workarounds can be done, but that does not make sense. How might others have implemented similar cases?

The only option would be either to invoke the custom form during request submission by modifying the LCM provisioning workflow, or to create a separate quicklink.

I have also worked in OIM, but here it's quite different in SailPoint.

Hi @furqanshaikh,

I think it can be done using an application provisioning policy. There you can put the field "Access Level" and put values accordingly. Mark it as “Review Required”. Once the user raises the request, the form will be visible, where the user would have to select this value, and it will get added to the plan. I think it should solve your issue.

Access Level is not an account attribute but an entitlement attribute. For example, when requesting two entitlements in a request, I may have one Ent Access Level as Developer and the other as Maintainer. So it does not make sense to capture this information in an account-level policy.

Oh ok, understood. If I am getting the scenario correctly, it is a kind of dependency. Let's say if the user is requesting the “ABC” entitlement, then the user should have the “DEF” entitlement as well. It can be done via roles. We can put an assignment rule in a role where the condition would be that the user has a link in this application and has the “ABC” entitlement, and we can put “DEF” in the IT role.
After the refresh with the role-specific check, as soon as the “ABC” entitlement is provisioned to the user, our assignment rule will return true and it will assign the “DEF” entitlement.
It's just an idea; it might be complex and comes with a number of combinations.

Second approach, more feasible as per your requirement: in the LCM workflow, before initializing the access request, on the basis of a condition specific to this application, we put one more step with a custom form where we can gather the value from the user and add it to the provisioning plan.

See if it can be handled using the above approach. If not, we can brainstorm further.
