Entitlement SOD vs Effective Entitlement SOD policy

Hi all,

What is the difference between Entitlement SOD policy and Effective entitlement SOD policy? The only difference I can find is the Target Permission option in the Entitlement SOD policy. What is this Target permission option?

Thanks in advance

In SailPoint IdentityIQ:

Entitlement SoD Policy

  • Checks conflicts between entitlements themselves (e.g., two AD groups or roles).
  • Evaluates what entitlements a user has on their accounts.

Effective Entitlement SoD Policy

  • Checks conflicts between the permissions/actions granted by those entitlements.
  • Evaluates the effective permissions a user gets from roles or entitlements.

Target Permission (in Entitlement SoD)

  • Lets you specify a specific permission inside an entitlement that should be evaluated for the SoD rule.

In short:

  • Entitlement SoD → checks entitlements/groups/roles
  • Effective Entitlement SoD → checks permissions resulting from those entitlements.

@naveenkumar3 How can IIQ evaluate a specific permission inside an entitlement? Isn't it just an object (ManagedAttribute)?

Can you please elaborate with an example?

@rishavghoshacc

Effective Entitlement SOD Policy → I have yet to try it out, but it seems this is being used to compare all direct/indirect/nested assignments. If the assignment mode is different, like an entitlement access request or via roles, regular policies will not be able to flag it. Effective Ent SOD calculates the "Effective" state: "Regardless of how it got there, does this Identity currently possess Ent1 and Ent2?" It reads all these details from IdentityEntitlement.

I believe you can also achieve this in Advanced Policies.

Note: Found a fix? Help the community by marking the comment as solution. Feel free to react (:heart:, :+1:, etc.) with an emoji to show your appreciation or message me directly if your problem requires a deeper dive.
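To make the distinction drawn in the two answers above concrete, here is a small toy model (added here; it is not SailPoint code and uses none of the IdentityIQ API, all names such as `Ent`, `Role`, `Policy`, `effective_entitlements` and `violations` are hypothetical and the sample identities, groups and permissions are constructed). It evaluates the same pair of conflicting entitlements once against only the entitlements held directly on accounts and once against the "effective" set flattened through assigned and nested roles, and it shows how a target permission narrows a policy side to a specific (target, right) carried by an entitlement rather than the entitlement object as a whole.

```python
from dataclasses import dataclass, field
from typing import Optional

# Toy model of the SoD concepts discussed in the thread. Constructed data,
# hypothetical names; nothing here is the IdentityIQ API.


@dataclass(frozen=True)
class Ent:
    """An entitlement identified like a ManagedAttribute: application, attribute, value."""
    app: str
    attribute: str
    value: str


@dataclass
class Role:
    name: str
    entitlements: set = field(default_factory=set)  # Ent objects the role grants
    nested: set = field(default_factory=set)        # names of roles this role includes


@dataclass
class Identity:
    name: str
    direct: set = field(default_factory=set)  # Ent objects held directly on accounts
    roles: set = field(default_factory=set)   # assigned role names


@dataclass(frozen=True)
class Policy:
    """A two-sided SoD rule; an optional (target, right) on either side plays the
    part of a 'target permission' and only matches if the entitlement grants it."""
    name: str
    left: Ent
    right: Ent
    left_perm: Optional[tuple] = None
    right_perm: Optional[tuple] = None


CLERKS = Ent("AD", "memberOf", "Finance-Clerks")
APPROVERS = Ent("AD", "memberOf", "Finance-Approvers")
READERS = Ent("AD", "memberOf", "Finance-Readers")

# Permissions carried by each entitlement as (target, right) pairs (constructed).
PERMISSIONS = {
    CLERKS: {("Payments", "create"), ("Payments", "read")},
    APPROVERS: {("Payments", "approve")},
    READERS: {("Payments", "read")},
}

# Role hierarchy with a nested role and a deliberate cycle to show the walk terminates.
ROLES = {
    "Finance Manager": Role("Finance Manager", nested={"Approver"}),
    "Approver": Role("Approver", entitlements={APPROVERS}, nested={"Finance Manager"}),
}

# alice gets Finance-Approvers only indirectly, through a nested role;
# bob holds both conflicting groups directly on his account.
ALICE = Identity("alice", direct={CLERKS}, roles={"Finance Manager"})
BOB = Identity("bob", direct={CLERKS, APPROVERS})

POLICIES = [
    Policy("Create-vs-Approve", CLERKS, APPROVERS),
    # Same groups, but the left side must grant 'delete' on Payments, which
    # Finance-Clerks does not carry, so this policy never fires on this data.
    Policy("Delete-vs-Approve", CLERKS, APPROVERS,
           left_perm=("Payments", "delete"), right_perm=("Payments", "approve")),
]


def effective_entitlements(identity: Identity, roles: dict) -> set:
    """Direct entitlements plus everything granted by assigned roles, walking nested
    roles and ignoring cycles and unknown role names."""
    held = set(identity.direct)
    seen, stack = set(), list(identity.roles)
    while stack:
        name = stack.pop()
        if name in seen or name not in roles:
            continue
        seen.add(name)
        held |= roles[name].entitlements
        stack.extend(roles[name].nested)
    return held


def side_matches(ent: Ent, perm: Optional[tuple], held: set) -> bool:
    """A side matches if the identity holds the entitlement and, when a target
    permission is given, the entitlement actually grants that (target, right)."""
    if ent not in held:
        return False
    return perm is None or perm in PERMISSIONS.get(ent, set())


def violations(identity: Identity, policies: list, roles: dict, effective: bool) -> list:
    """Names of policies violated, evaluated against direct or effective entitlements."""
    held = effective_entitlements(identity, roles) if effective else set(identity.direct)
    return [p.name for p in policies
            if side_matches(p.left, p.left_perm, held)
            and side_matches(p.right, p.right_perm, held)]


if __name__ == "__main__":
    for who in (ALICE, BOB):
        print(who.name, "direct:", violations(who, POLICIES, ROLES, effective=False),
              "effective:", violations(who, POLICIES, ROLES, effective=True))
```

Run as written, alice is clean when only directly held entitlements are considered and violates "Create-vs-Approve" once the approver group inherited through the nested role is folded in, while bob violates it either way; the target-permission variant stays silent for both because Finance-Clerks carries no delete right on Payments.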