Detected vs Assigned Access Profiles

Is there a way to check whether an Access Profile was detected or was assigned through the request process for a given user?

I don’t see anything in the UI, but I’m wondering if there is an API call I can make that would show whether a given Access Profile was detected or assigned for a user.

You can just type the name of the access profile into search

“Access profile name”

This will return identities that have it assigned; this can also be done via the API if you need to use the data for another process.

Hope this helps.

Hey Anthony,

Access Profiles can be assigned to a user a few different ways.

  1. An Access Profile can be assigned to a user because it’s tied to a role in which the user matches the assignment criteria.

  2. An Access Profile can be assigned to a user because it is a “requestable” Access Profile and it was requested for the account at some point.

  3. An Access Profile can be assigned to a user because the entitlements within the Access Profile were already assigned to a user prior to the creation of the Access Profile. In this case the user has the Access Profile because the matching entitlements were “detected.” In this case the given Access Profile was not assigned through role membership or through the request process.

I am trying to understand if there is any property I can look at (most likely through an API call) that would tell me if a given Access Profile assigned to a user was assigned through option 3 as opposed to option 2. (I can rule out option 1 by simply checking if a user has a corresponding role)

Hey Nick,
For that particular use case, I haven’t seen one. I’m not sure that SailPoint makes any distinction between a ‘detected’ access profile and one that was requested; however, I will have a look, as it’s an interesting one to have a solution for.
Tony

Hey Anthony - thanks for checking.

We are curious to know because when an Access Profile is “detected” rather than assigned through a request, that means if someone removes the entitlement at the source then the Access Profile is also removed as a result.

If an entitlement is assigned through a requested Access Profile, and someone removes the entitlement at the source, then SailPoint will put the entitlement back automatically.

Initially our team was not aware of this distinction, and we would like to review any cases where Access Profiles have been assigned via detection and determine if we want to rerun these through the request process somehow. In most cases we would want SailPoint to re-apply an entitlement tied to an Access Profile if it’s removed at the source.

Hi @naleksandrowicz,

Could you please try the query below?

@accountRequests(attributeRequests.name:detectedRoles AND attributeRequests.value:"<access profile name>" AND attributeRequests.op:Add)

It should give you the account activity for Access Profiles assigned through a request. As I checked, I don’t see any account activity when an Access Profile is assigned through detection.

Thanks.

Thanks Nikhlesh! - This is helpful.

I can compare the list of APs returned with that search query to the list of users with the current APs assigned to figure out who received the AP through “detection.”
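Putting that comparison into code, as an added example that is not from the thread or from SailPoint: the account-activity query from Nikhlesh’s post is applied to event records, and the identities that currently hold the Access Profile minus those with a matching Add request are the ones that received it through detection. The /v3/search request shape, the event `target` field and the identity `access` list are assumptions about the ISC search API, and the sample records are constructed.

```python
import json
import urllib.request

SEARCH_URL = "https://{tenant}.api.identitynow.com/v3/search"  # assumed endpoint

def requested_query(access_profile):
    # Account-activity query from the thread: the AP was added through a request.
    return ('@accountRequests(attributeRequests.name:detectedRoles '
            f'AND attributeRequests.value:"{access_profile}" '
            'AND attributeRequests.op:Add)')

def search(tenant, token, index, query):
    # POST the query to the search API; request shape is assumed and not run offline.
    body = json.dumps({"indices": [index], "query": {"query": query}}).encode()
    req = urllib.request.Request(SEARCH_URL.format(tenant=tenant), data=body, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def requested_via_activity(events, access_profile):
    # The same nested filter applied locally to account-activity (events) records.
    hits = set()
    for ev in events:
        for req in ev.get("accountRequests", []):
            for attr in req.get("attributeRequests", []):
                if (attr.get("name") == "detectedRoles" and attr.get("op") == "Add"
                        and attr.get("value") == access_profile):
                    hits.add(ev["target"]["name"])  # assumed: target is the identity
    return hits

def holders(identities, access_profile):
    # Identities whose current access list contains the Access Profile (assumed shape).
    return {i["name"] for i in identities if any(
        a.get("type") == "ACCESS_PROFILE" and a.get("name") == access_profile
        for a in i.get("access", []))}

def detected_only(identities, events, access_profile):
    # Holders with no matching Add request received the AP through detection.
    return holders(identities, access_profile) - requested_via_activity(events, access_profile)

# Constructed sample data: alice requested the AP; carol holds it but has only a Remove event.
AP = "Finance Ledger Access"
SAMPLE_IDENTITIES = [
    {"name": "alice", "access": [{"type": "ACCESS_PROFILE", "name": AP}]},
    {"name": "carol", "access": [{"type": "ACCESS_PROFILE", "name": AP}]},
]
def _event(identity, op):
    return {"target": {"name": identity}, "accountRequests": [{"attributeRequests": [
        {"name": "detectedRoles", "value": AP, "op": op}]}]}
SAMPLE_EVENTS = [_event("alice", "Add"), _event("carol", "Remove")]
```

For a real tenant, page through `search(tenant, token, "events", requested_query(AP))` and an identities-index query for the AP, then feed both result lists to `detected_only`.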

I don’t think this statement is correct.

Thanks Vishal - I will be testing this today to see if that’s how it’s working or not.

I am basing that claim on the discussion below.

There is a chance I misinterpreted the response in the below discussion, or perhaps I got bad information. Either way, I will be testing this today.