Deleting Entitlements through an entitlement aggregation

Hello everyone,

I have a DelimitedFiles source and I created some entitlements through the entitlement aggregation (ent1, ent2). I also aggregated some accounts with entitlements that are not presents in the entitlement aggregation (ent8, ent9). Theses entitlements are created in IdentityNow.

First question, is it possible to disable this behavior and not create entitlements from account aggregation ?

Second part, I tried to remove the entitlements created through the account aggregation (ent8, ent9) by running a new entitlement aggregation (with only ent1, ent2). The problem is that ent8 and ent9 are not removed and persist in IDN. But if I remove ent2 from the entitlement file the entitlement aggregation correctly removes ent2 from IDN.

In the end, by running an entitlement aggregation with only ent1 in the file I still have in IDN ent1, ent8 and ent9. ent8 and ent9 was created through account aggregation and cannot be removed.

Can you help me on this issue ?

Thank you and regards,

Mathieu Ghosn

Hi @mathieug

Welcome to SailPoint developer community.

If you have IIQ knowledge,

We have promote managed attributes in Account Aggregation task, if you don’t enable that checkbox then Entitlements will not be created. But we don’t have such kind of controls in IDN. Also for delimited file it is not aggregation actually, it is importing the data.

If you don’t pass any values for the entitlement attributes, then it won’t create any entitlements from Account Aggregation.

If you don’t pass any values for entitlement attributes in user feed in the 2nd run, it won’t remove entitlements as those are sticky I believe.

Ya since those are not created through Entitlement Aggregation.

Can I know why you need to restrict entitlements, there is no harm in having them even of no use.

Thanks
Krish

Hi Mathieu,
Like Krishna mentioned - there’s no realy harm in having this entitlements which are most probably there because they got detected on one of the user accounts.

What you can do if they are requestable is - you can select this entitlements in the entitlement tab


and you can just click on remove requestable

this will hide this entitlements in the request center so actually noone apart from admins will see them

Also I’ve just tested that it seems there’s undocumented call (or at least not present in the Postman collection) with DELETE method in the entitlements endpoint and you can actualy remove any entitlement via REST API call

This is the result in my AD Source after executing this call
image

4 Likes

Hi @MVKR7T and @kjakubiak, thank you a lot for your replies!

To explain a little more, we have a lot of disconnected applications, so we compiled all of these applications into a single delimited file source. We have a CSV file containing all the entitlements for each application and a CSV file containing all the accounts. The problem we are facing is that since there is no optimistic provisioning like IIQ in IDN, when we make an access request the account is not created in IDN, we have to do an accounts imort again. Since there are multiple applications in this source, we can’t extract the accounts from a single app to import it into IDN, so we do an accounts extract from IDN delimitedFiles source, add a row for the new account and aggregate it back. If we make a mistake in the spelling of an entitlement when adding the new row, a new entitlement is created. Maybe we are doing things wrong? Do you have any idea how we can handle this?

Regards,
Mathieu Ghosn

Account aggregations will bring in any entitlement that is assigned to at least one user on the source by design. This is for visibility into who has access, and what they have access to, so that it can be remediated via certification campaigns if necessary. You cannot disable this. If an account has an entitlement, the entitlement will be added to IDN each time the account aggregation runs.

The recommendations from @MVKR7T are your best options for handling this scenario.

1 Like

Hello,
This method is no longer available… Any other suggestions to delete an entitlement? It has been created because of a wrong configuration, but it is now no longer assigned to anyone.

Hi

The only other way I know is

  • POST https://{tenant}.api.identitynow.com/cc/api/source/reset/{cloudExternalId}?skip=entitlements
  • POST https://{tenant}.api.identitynow.com/cc/api/source/reset/{cloudExternalId}?skip=accounts
  • POST https://{tenant}.api.identitynow.com/cc/api/source/reset/{cloudExternalId}

cloudExternalId is the 5 digit ID - use GET /v3/sources/{sourceID} to get it

1 Like

Thank you, so which one should I use to only delete the entitlements? I want to keep the rest as is.
Thank you

Hi Veronique,

As mentioned by Jason.

You can utilize the
POST https://{tenant}.api.identitynow.com/cc/api/source/reset/{cloudExternalId}

This will reset your source and remove everything such as accounts, entitlements and access profile but your source configuration will remain same.
After which you can re run the account aggregation and entitlement aggregation again to get things right.

For more information:

2 Likes

Hi @veroniqueb ,

I have faced the same issue in the past for one of the project.

  • POST https://{tenant}.api.identitynow.com/cc/api/source/reset/{cloudExternalId}?skip=accounts

Use this one, if you only want to delete the entitlements from source.

Regards,
Abhinav Mishra

1 Like

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.