We’ve been asked to monitor a specific entitlement with specific outcomes:
1. Monthly report on which account it was assigned/removed, including timestamp
2. Email specific group when it is assigned to anyone
I was hoping Access History had an option for #1, but it is focused on Identities and their history. Instead, I plan to enable Native Change Detection and create a search for update events which contain this entitlement name. I imagine this is common but haven’t found an example (will share mine if it works out).
For #2 I think creating a workflow is the best option, since Native Change operations are supported triggers. I am having trouble with the JSON for my trigger though:
Hi David,
You can use the Search query below, which returns all the passed events for the specific entitlement for the last month. Select the required columns in the results and save it, then subscribe it monthly to the specific group to whom you want to send the email, so that it is automated and the emails are sent periodically to the group of recipients.
"Entitlement Name" AND (operation:"ADD" OR operation:"REMOVE") AND status:"PASSED" AND created:[now-1M TO now]
You can also customize the query based on your requirement.
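As an added example (not part of any post in this thread): a small Python script that builds the search query above for a given entitlement and turns the events it returns into the two outputs the question asks for, a dated assign/remove report and the list of accounts that gained the entitlement. The event field names (`target.name`, `attributes.attributeValue`) and the sample hits are assumptions constructed here; check them against the columns your tenant's event documents actually expose.

```python
from datetime import datetime

def build_query(entitlement_name: str, window: str = "now-1M") -> str:
    """Query string for the events index. Both operations are qualified with the
    field name so that neither term falls back to a free-text match on every field."""
    return (f'"{entitlement_name}" AND (operation:"ADD" OR operation:"REMOVE") '
            f'AND status:"PASSED" AND created:[{window} TO now]')

# Constructed sample hits in the assumed shape of event documents; a real
# tenant's native-change events may use different attribute keys.
SAMPLE_EVENTS = [
    {"created": "2024-05-03T10:15:00.000Z", "operation": "ADD", "status": "PASSED",
     "target": {"name": "jdoe", "type": "ACCOUNT"},
     "attributes": {"attributeName": "memberOf", "attributeValue": "CN=Finance-Admins"}},
    {"created": "2024-05-07T08:00:00.000Z", "operation": "REMOVE", "status": "PASSED",
     "target": {"name": "asmith", "type": "ACCOUNT"},
     "attributes": {"attributeName": "memberOf", "attributeValue": "CN=Finance-Admins"}},
    {"created": "2024-05-09T12:30:00.000Z", "operation": "ADD", "status": "FAILED",
     "target": {"name": "bjones", "type": "ACCOUNT"},
     "attributes": {"attributeName": "memberOf", "attributeValue": "CN=Finance-Admins"}},
    {"created": "2024-05-11T09:45:00.000Z", "operation": "ADD", "status": "PASSED",
     "target": {"name": "cwhite", "type": "ACCOUNT"},
     "attributes": {"attributeName": "memberOf", "attributeValue": "CN=Other-Group"}},
]

def monthly_report(events, entitlement_name):
    """Rows of (timestamp, account, operation) for successful ADD/REMOVE of one
    entitlement, oldest first. Applies the same filters as the saved search so the
    report and the scheduled email agree even if extra hits slip through."""
    rows = []
    for ev in events:
        if ev.get("status") != "PASSED" or ev.get("operation") not in ("ADD", "REMOVE"):
            continue
        if ev.get("attributes", {}).get("attributeValue") != entitlement_name:
            continue
        ts = datetime.fromisoformat(ev["created"].replace("Z", "+00:00"))
        rows.append((ts, ev["target"]["name"], ev["operation"]))
    return sorted(rows)

def assignment_alert_recipients(rows):
    """Accounts that gained the entitlement: the set the 'email on assign' outcome needs."""
    return sorted(acct for _, acct, op in rows if op == "ADD")

if __name__ == "__main__":
    print(build_query("CN=Finance-Admins"))
    for ts, acct, op in monthly_report(SAMPLE_EVENTS, "CN=Finance-Admins"):
        print(f"{ts.isoformat()}  {op:<6}  {acct}")
```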
You can leverage workflow capabilities in this case. You can use the Provisioning Completed trigger and filter on the entitlement of your choice as well as the result. You can apply additional filters based on your requirements.
From the trigger, you can get almost all the information needed to monitor that entitlement, as well as the identity information, and can notify a specific group with the “Send Email” action. Triggers - SailPoint Identity Services.
Thanks for the responses @suresh4iam & @kdfreeman. I realize I neglected to include an important detail: these entitlements are not managed/provisioned by SailPoint, we are looking at native changes on the source.