Difference between Requested and Detected Access Profiles

We are onboarding a new requestable Access Profile.

The Access Profile is pointing to an entitlement that is already assigned to a large group of users. Because of this, after we create the Access Profile, this group of users will automatically be granted the Access Profile through the detection process.

Do we gain any advantage by taking these same users and requesting the same Access Profile through the request portal which is already assigned?

Is there any difference between an Access Profile that is requested vs detected - as far as available functionality once it’s been assigned?

This link: (Managing Access Profiles - SailPoint Identity Services) says the following:

“Detection, when it is determined during identity processing that a user has all of the entitlements associated with an access profile and the access profile is granted automatically. At that point, they are no longer considered to have the entitlements individually, but instead have the access profile.”

What are the ramifications of the system not considering the entitlements to be a part of the user?

It’s our understanding that Access Profiles that are either requested or detected can both be certified, so it doesn’t seem like it would matter from a certification standpoint.

Hi Nick,

There is no added advantage. Adding the access profile again will try to provision the user to the group which will not get processed as the user is part of the group.

The main difference between access profile and entitlement is:

  1. If the user is removed from backend, the access profile will get removed even if it was requested in IDN.
  2. If the entitlement was requested through IDN, and the user’s access is removed from backend, IDN will try to re-provision the access.

Regards
Arjun

Ok - those differences are important enough for us to consider.

If someone were to remove the entitlement on the backend and the user belongs to an Access Profile, we would want the Access Profile to add the access back.

Thank you for the clarification

To clarify - we will be building a new entitlement in our source and forcing the entitlement assignment through access requests (rather than using the original entitlement).

This way if someone removes the entitlement on the backend - SailPoint will put it back.

Hi Nick,

Yes.

Regards
Arjun