I still have some business access scenarios that are not being handled well in IDN.
These relate to IDN’s inability to manually manage access by non admins.
I have a SailPoint idea posted below, but the gist is that:
while we wish it were the case, not all access scenarios fit neatly into either role criteria or access request.
Sometimes an arbitrarily managed list is required. And currently that list can only be managed by an admin. There is not a lower-scoped permission that can manage the identity list on a role.
The idea above doesn’t have a lot of votes, so I’m asking how others are dealing with those items that don’t fit neatly into role criteria/access request?
I have users who are AD Group owners today that are managing the memberships of their groups (and only their groups) just fine.
Last time, I just pushed them to the end of the migration list. But they are going to show up again soon…
I really need to try and find a solution here vs telling them that the new tool “can’t do that”…
You can add entitlements to roles when role criteria do not fit; this provides more granular access control than roles alone. And as we know, we do have an approval flow. I mean, just create a role and add entitlements, followed by approval, to take special care of this. We can even configure a workflow that allows organizations to handle access requests that may require special consideration or fall outside of standard role criteria.
I think there is some confusion. I am talking about this Identity-List as how a role’s membership is populated.
Today, I have non admins managing access to low level things they have been declared as the owner of (AD Group owner can manage the members of that AD Group). This is semi easy via a tool like “Active Directory Users and Groups”, and extremely easy for AAD Groups using the web pages provided by Microsoft (https://mygroups.microsoft.com)
There is currently no equivalent in IDN as far as I know.
Maybe we can utilize this instead of roles:
Source owners can be owners of specific sources within ISC who have the authority to complete provisioning or certification tasks related to those sources. Here we can say that individuals with expertise or responsibility for particular systems can handle access-related tasks without needing full administrative privileges.
Currently each of these people manage a handful of groups. Each can only manage those groups that they are the owners of.
I cannot make them a Source owner of Active Directory or Azure Active Directory.
I believe this would make them able to edit any memberships.
I cannot believe our organization is unique in wanting to occasionally have owners manage things themselves directly without using access requests. It is very easy to do (and common) in other systems, so I’m hoping some other organizations have thought about this…