8.4
Hi Experts,
I would like to know if it is possible to update AD entitlements—such as the “description” attribute—through SailPoint’s Entitlement Catalog. I noticed that after editing the description in the Entitlement Catalog, the updated value is not being provisioned to Active Directory.
Is this the expected behavior, or am I missing a required configuration?
Hi @Bernardc
Yes, this is expected behavior in SailPoint IdentityIQ (IIQ).
When you edit the description of an entitlement in the Entitlement Catalog, you’re only updating IIQ’s metadata (i.e. how the entitlement appears inside IIQ). It does not automatically provision that updated description back to the target system.
Hi @Bernardc
As per my understanding, the description field in the Entitlement Catalog is not automatically mapped back to the target system (Active Directory) for provisioning updates.
Instead, its primary purpose is for display within the IdentityIQ UI. This supports different languages and provides certifiers and approvers with business-friendly display names and descriptions for raw groups/entitlements.
The description is an attribute of the ManagedAttribute object. The ManagedAttribute object, which represents an entitlement for governance, primarily stores metadata such as its display name and the description you are seeing.
Regarding character length: While the description field in IIQ has a character limit of 1024 (which often matches AD’s limit), this only means that the description is updated one-way during aggregation. There is no automatic synchronization back to AD if the description is updated from the IIQ UI.
Therefore, it is indeed the expected behavior, to my knowledge, that modifying the description in the Entitlement Catalog does not automatically provision that change to Active Directory.
Let’s wait for expert feedback on this matter.
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.
