Dynamic Group for approval process

Hello guys,

How can I create a dynamic group linked to a Active Directory Group for Workflow approval on IdentityIQ. If it’s not possible, how on IdentityIQ can I create a dynamic group with a member rule by a specific user department for example.


The way I’d suggest tackling this would be to make a Workgroup the Entitlement Owner for the AD group and use the Loopback Connector to manage the Workgroup members via birthright role assignments: https://community.sailpoint.com/t5/Professional-Services/IdentityIQ-Loopback-Connector/ta-p/172364

Hello Brian, thanks for the answer.
After installing the loopback connector, I would like to make a scim rest call to add/remove users in the group but the json I am using is not working, could you help me please?
This is my call.

@icaro_serpeloni - To add/remove users in the group via API, you would want to leverage the launch- workflow API and submit a provisioning request/plan: launch-workflow | SailPoint Developer Community

However, your original post (and my recommendation) was built around letting IIQ manage the workgroup membership automatically using an IIQ Role to assign the workgroup to Identities based on belonging to a specific AD group. To accomplish that, you’d manually create the Workgroup in IIQ and assign it as the Entitlement Owner for the desired entitlement. You would then go create a new Birthright role in IIQ and use the Assignment Rule to determine who should be assigned that role, and the Entitlements would have your Workgroup.

Here is a basic example of provisioning a PRISM entitlement (but could be an IIQ Loopback entitlement as well) based on being assigned to a specific LDAP group (but could also be more complex, including a custom Beanshell rule):

1 Like