Entitlement Revoke API - Multiple Accounts per source

I am trying to REVOKE an entitlement for someone that has multiple accounts in a source. GRANTing access seems easy enough as I can use this request body to submit the request and pick the account in one action

but it does not appear to work when I change it to REVOKE_ACCESS as I get the dreaded “you’re right but you’re also wrong…”

Anyone know the magic bullet to send when someone has multiple accounts in a source? For the record, this doesn’t work either

In fact, I have not been able to get ANYTHING to work to get these entitlements removed. I even tried a targeted Cert campaign with the test entitlements and identities and the campaign doesn’t even see these. It just auto-completes. Anyone have any ideas on how I can remove these?

I created a support ticket on this as well as it seems like it is some sort of bug to me.

Hi @BenNelson ,

I suspect either the “requestedFor id” or the “entitlement id” is wrong, as the 400 error says something is wrong in the request body. Could you please check and try?

It is correct as I used the same details on REVOKE_ACCESS as I did on GRANT_ACCESS. I just think that SailPoint doesn’t know what to do with the accountSelection bit as that is not used in revoking access.

The bottom API call is what the UI does behind the scenes when you try to revoke a single entitlement from the entitlement list. At first glance, that request seems to work, but when you look at the request details in IDN Search, the provisioning fails due to a null pointer exception and the access remains on the identity.

We were finally able to remove the entitlement by first removing it from the target and then running an aggregation. SailPoint support identified an issue in our aggregation logs that was preventing the entitlement from dropping as expected. The root cause was a recently added non-searchable attribute in the correlation logic, which blocked the removal during aggregation, even after the entitlement was removed from the target.

Additionally, we’ve confirmed that entitlements in this state (multiple accounts per source) can now be revoked through a certification, which wasn’t working before the correlation fix. While we wait for SailPoint’s multi-account revoke API (expected by the end of March), certifications appear to be the best available method for removing entitlements in this scenario.

Hi Ben,

I wanted to seek some help on removing the entitlements. I have created the certificate campaign to remove all the existing access when a user turns inactive but for some reason the entitlements are not removed from the profile. Can you help me on what would be the issue?

I would make sure they are not getting it from a role or access profile.

I was able to remove the entitlements, but in the GET identity request will the workflow take more than 100 users to create a certification campaign?