Hi All,
There are two access profiles: Access Profile 1 (E1, E2, E3) and Access Profile 2 (E1).
Requested Access Profile 1 through an access request. Due to detection, Access Profile 2 got automatically assigned to the identity. Then revoked Access Profile 1 through certification, but Access Profile 2 is still attached. Is this expected behavior?
@kani1 Yes, it seems like it is expected behavior.
It's not best practice to have the same access in two different Access Profiles. It's a policy violation.
Hi @kani1
Good day!
Please check the RBAC criteria. If the access profile (Access Profile 2) is granted based on role membership criteria, it will automatically be reassigned during the next identity refresh process.
Thanks.
Hi @kani1 ,
Greetings of the Day!
It's not best practice. If you removed Access Profile (E1, E2, E3) from the certification campaign, Access Profile (E1) remains like that … If you remove Access Profile (E1, E2, E3) from the Manager account, both will be removed. Hope you are clear.
Thank You
If E1 is removed through the certification, how come the access profile is still showing on the identity? Aren't access profiles supposed to be not sticky?
@kani1
Not expected behavior. We had recently opened a ticket with SailPoint regarding the same, and they mentioned that both APs will be removed in the above-mentioned scenario.
SailPoint Response
Please create them as roles. Roles are enforced until intentionally revoked.
APs are treated as convenience mechanisms for provisioning (both for adding and removing). We make no distinction between an AP that was requested vs one that was detected based on existing access, so we have no way to know not to revoke that overlapping entitlement.
Thanks