Entitlement import does not create entitlement in Active Directory

Which IIQ version are you inquiring about?

8.4


Hi Experts,

I am trying to create entitlements in Active Directory in bulk using the “Import” feature available in the “Entitlement Catalog.” However, I noticed that while the entitlements appear as imported in the SailPoint portal, they are not created in Active Directory. I would like to confirm whether this is a supported feature.

# type, application, attribute, value, displayName, iiqElevatedAccess, owner, requestable, classifications, unixEnabled, isRequestableFromWebService, mailEnabled, approvalType, firstApproverWorkgroup, secondApproverWorkgroup, worker, isSystemAdminAccess,entitlementBadgeType, accessReviewInterval, additionalAttributeChange, additionalKeywords, genericOrSystemAccount
group,AD,memberOf,"CN=BatchRequestEntitlementTest3,CN=Builtin,DC=xxxdemo,DC=info",BatchRequestEntitlementTest3,FALSE,Owner-11,TRUE,,,,,,,,,,,,,,
group,AD,memberOf,"CN=BatchRequestEntitlementTest4,CN=Builtin,DC=xxxdemo,DC=info",BatchRequestEntitlementTest4,FALSE,Owner-11,TRUE,,,,,,,,,,,,,,

Hi @Bernardc, can you try to create the entitlement through the Entitlement Catalog UI with the value ‘CN=BatchRequestEntitlementTest4,CN=Builtin,DC=xxxdemo,DC=info’? See if you encounter any error. Perhaps Builtin would be OU instead of CN, but it varies based on your container.
Also, in my view, Group DN and sAMAccountName are mandatory attributes. But you can validate this when you try to create the entitlement through the UI.

Hi @Arpitha1 ,

Creating a single entitlement using the “Add New Entitlement” button works fine (using the same value as in the previous CSV); it is provisioned to AD.

In the OOTB AD Group Provisioning Form, Group DN and sAMAccountName are mandatory. Have you updated those while creating the new entitlement?

Hi @Arpitha1 ,

Does this mean that I should add these two attributes to the CSV file header and provide the respective values if using the import feature?

Yes, with columns distinguishedName and sAMAccountName respectively. (distinguishedName represents Group DN)

Hi @Arpitha1 ,

Unfortunately, it shows the error below if I add sAMAccountName or distinguishedName to the header of the CSV file.

# type, application, attribute,sAMAccountName , value, displayName, iiqElevatedAccess, owner, requestable, classifications, unixEnabled, isRequestableFromWebService, mailEnabled, approvalType, firstApproverWorkgroup, secondApproverWorkgroup, worker, isSystemAdminAccess, entitlementBadgeType, accessReviewInterval, additionalAttributeChange, additionalKeywords, genericOrSystemAccount
group,AD,memberOf,BatchRequestEntitlementTest4,"CN=BatchRequestEntitlementTest4,CN=Builtin,DC=xxxdemo,DC=info",BatchRequestEntitlementTest4,FALSE,Owner-11,TRUE,,FALSE,FALSE,FALSE,Defined Approvers,,,TRUE,FALSE,All,None,,,FALSE
group,AD,memberOf,BatchRequestEntitlementTest6,"CN=BatchRequestEntitlementTest6,CN=Builtin,DC=xxxdemo,DC=info",BatchRequestEntitlementTest6,FALSE,Owner-11,TRUE,,FALSE,FALSE,FALSE,Defined Approvers,,,TRUE,FALSE,Blue Badge,None,,,FALSE

Hi @Bernardc

I apologize for the confusion. I attempted to replicate this issue on my local setup, and it appears that the entitlement has not been created at the target.

Additionally, distinguishedName and sAMAccountName are not required, as they are the identity attribute and display attribute of the Group object.

I will investigate further to resolve this issue and will inform you if I find a solution.

Hi @Arpitha1 ,

Much appreciated!!!

@Bernardc ,

What is the name of the Active Directory application defined in IIQ?
Is it “AD” as in your data file?

I have a similar use case. I want to build a custom quicklink and form to create AD groups. Does anyone know how to create a quicklink/form for creating entitlements?

Hi @Jose_Perez ,

The application name is corrected.

Did correcting the name fix it?

Hi @Jose_Perez ,

Unfortunately, nope…

Hi @Arpitha1 ,

Do you have any updates on your end?

Hey @Bernardc, unfortunately, I don’t have an answer at the moment. I encountered a similar use case and reviewed the connector code. It seems that entitlements are being updated directly within SailPoint, but I’m unsure if this will reflect on the target system. I’ve already raised a case with the SailPoint team, and I’ll keep you updated if I receive any confirmation on this.

Hi @Bernardc, the SailPoint team has confirmed that it’s a product bug, and they created ETN IIQETN-12189.

Thanks a lot, @Arpitha1, for communicating with us. It’s a product bug and SailPoint released an ETN :), appreciated!

Hi @MuhammadMustafa ,

Do you have that particular release’s link? Much appreciated.

Hi @Bernardc, unfortunately no, I don’t have it, but maybe @Arpitha1 can help here, or you can reach out to support directly to have that sent to you.

Have a nice and great one!

Regards,
Muhammad
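A check for the situation this thread describes, where imported entitlements appear in the catalog but have no backing group in Active Directory. This is an added example, not code from the thread or from SailPoint: it parses an import file in the format posted above and lists group values with no matching DN in a directory export. The one-DN-per-line export, the function names, the extra `ExistingGroup` row and the simplified DN comparison are assumptions.

```python
import csv
import io
import re

# Constructed sample: the import file from the thread, header shortened to its
# first columns, plus one row added here for a group that does exist in AD.
IMPORT_CSV = '''# type, application, attribute, value, displayName
group,AD,memberOf,"CN=BatchRequestEntitlementTest3,CN=Builtin,DC=xxxdemo,DC=info",BatchRequestEntitlementTest3
group,AD,memberOf,"CN=BatchRequestEntitlementTest4,CN=Builtin,DC=xxxdemo,DC=info",BatchRequestEntitlementTest4
group,AD,memberOf,"CN=ExistingGroup,CN=Builtin,DC=xxxdemo,DC=info",ExistingGroup
'''

# Constructed sample: group DNs exported from the directory, one per line
# (assumed format; produce it with whatever export you already use).
AD_GROUP_DNS = '''cn=ExistingGroup, CN=Builtin, DC=xxxdemo, DC=info
CN=Administrators,CN=Builtin,DC=xxxdemo,DC=info
'''

def normalize_dn(dn):
    """Simplified comparison key: split on unescaped commas, trim, casefold."""
    parts = []
    for rdn in re.split(r'(?<!\\),', dn.strip()):
        attr, _, value = rdn.partition('=')
        parts.append(attr.strip().casefold() + '=' + value.strip().casefold())
    return ','.join(parts)

def read_import(text):
    """Parse the catalog import file; the header is the line starting with '#'."""
    lines = text.splitlines()
    header = [h.strip() for h in lines[0].lstrip('#').split(',')]
    rows = csv.reader(io.StringIO('\n'.join(lines[1:])))
    return [dict(zip(header, row)) for row in rows if row]

def missing_in_ad(import_text, ad_dn_text, application='AD'):
    """Return imported group values for `application` with no match in AD."""
    known = {normalize_dn(l) for l in ad_dn_text.splitlines() if l.strip()}
    return [r['value'] for r in read_import(import_text)
            if r['type'] == 'group' and r['application'] == application
            and normalize_dn(r['value']) not in known]

if __name__ == '__main__':
    for dn in missing_in_ad(IMPORT_CSV, AD_GROUP_DNS):
        print('in catalog import but not in AD:', dn)
```

Any DN this reports is an entitlement that can be requested or certified in the catalog while no corresponding group exists on the target.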