Entitlements Grouped into Access Profiles in Certification Campaigns

Hello,

We are currently building certification campaigns for quarterly access reviews and wanted to remove access profiles from the campaigns, as the identity only receives the APs through a role, so there is no reason to certify the AP. I created a campaign filter that only includes Entitlements and Roles and I am using that filter on the campaigns I create, but for some reason it excludes any entitlements that make up an entire AP.

For example, when we use the AI tool to build roles, it auto-creates APs based on the common access between the identities in that source, and a lot of times it is just 1 or 2 entitlements. So if an Azure AP is created with 1 entitlement, when I create a certification campaign, it will exclude that entitlement and instead have it listed in the campaign as an Access Profile. The issue with that is when I use my filter to exclude APs, we are missing entitlements in the campaign that should be getting certified. Is this expected functionality? If so, has anyone found a workaround for this?

Hi @mosareini
According to the SailPoint documentation below:

“Access profiles granted through a role or lifecycle state do not appear individually in certifications”

“Entitlements can be individually certified only if they are not encapsulated in the user’s access profiles or roles.”

Hope this helps

Hi @sk8er23

Thank you for the response!

Based on that verbiage, it is saying the “user's” access profile. In my scenario, the user is not getting this AP granted to them through a role or lifecycle state at all.

Let’s say there is an AP in our system that is comprised of entitlements A, B and C, and the user gets entitlements A, B and C granted to them through separate access requests, even at separate times in their lifecycle. When I create a cert, it will automatically bundle those entitlements into an AP that the user was never granted, instead of just leaving them as individual entitlements to be certified. Hope this helps clarify our instance.

Does this still seem like it fits under the expected functionality of certs? I’m just trying to see if there’s any possible way to leave these entitlements as individual items to be certified instead of them automatically getting bundled and having less visibility in the certification.
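The scenario described in this post can be modelled to see exactly which individually granted entitlements an "Entitlements and Roles only" campaign filter would drop. The following is an added example, not SailPoint's code and not its actual matching algorithm; it assumes the behaviour the thread describes (an access profile is shown whenever the identity holds every entitlement in it, however those entitlements were granted) and uses constructed sample data (the access profile names, entitlement IDs and grant labels are made up).

```python
"""Model of certification bundling as described in the thread (added example,
not SailPoint's implementation). Assumption: an identity's entitlements are
shown as an access profile whenever they cover that profile's full entitlement
list, regardless of how each entitlement was granted."""

from dataclasses import dataclass


@dataclass(frozen=True)
class AccessProfile:
    name: str
    entitlements: frozenset  # entitlement IDs that make up the profile


@dataclass
class Identity:
    name: str
    # entitlement ID -> how it was granted (constructed labels:
    # "access_request" or "role")
    entitlements: dict


def bundle_for_certification(identity, access_profiles):
    """Return (profiles shown, entitlements shown individually, entitlements
    absorbed into a profile), mirroring the bundling the thread describes."""
    held = set(identity.entitlements)
    # A profile is "detected" when the identity holds all of its entitlements.
    matched = [ap for ap in access_profiles if ap.entitlements <= held]
    covered = set().union(*(ap.entitlements for ap in matched)) if matched else set()
    individual = held - covered
    return matched, sorted(individual), sorted(covered)


def campaign_items(identity, access_profiles, include_access_profiles=True):
    """Items a reviewer would see. With include_access_profiles=False the filter
    from the original post is applied: profiles disappear, and so do the
    entitlements that were folded into them."""
    matched, individual, _ = bundle_for_certification(identity, access_profiles)
    items = [f"entitlement:{e}" for e in individual]
    if include_access_profiles:
        items += [f"access_profile:{ap.name}" for ap in matched]
    return sorted(items)


def hidden_direct_grants(identity, access_profiles):
    """Entitlements granted by access request that no longer appear as
    individual items: the audit gap the post is asking about."""
    _, _, covered = bundle_for_certification(identity, access_profiles)
    return [e for e in covered if identity.entitlements[e] == "access_request"]


# Constructed sample data: a standalone AP of A, B, C (not tied to any role),
# a one-entitlement AP of D, and an identity that received A, B, C through
# separate access requests, D through a role, and E through an access request.
SAMPLE_APS = [
    AccessProfile("Azure-Finance", frozenset({"A", "B", "C"})),
    AccessProfile("Azure-Reporting", frozenset({"D"})),
]
SAMPLE_IDENTITY = Identity(
    "jdoe",
    {
        "A": "access_request",
        "B": "access_request",
        "C": "access_request",
        "D": "role",
        "E": "access_request",
    },
)

if __name__ == "__main__":
    print("with APs:   ", campaign_items(SAMPLE_IDENTITY, SAMPLE_APS))
    print("APs filtered:", campaign_items(SAMPLE_IDENTITY, SAMPLE_APS, False))
    print("direct grants hidden by bundling:",
          hidden_direct_grants(SAMPLE_IDENTITY, SAMPLE_APS))
```

Running it against the sample identity shows that with the AP filter applied the campaign contains only entitlement E; A, B and C (each an individual access request) and D are folded into the two detected profiles and vanish from the review. The `hidden_direct_grants` output is the list an auditor would want to reconcile by hand, or certify in a separate campaign, until the bundling behaviour changes.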

Hi @mosareini, if users have the A, B and C entitlements, irrespective of how they have been granted, SailPoint will still consider only the AP for review. So, in this case, is the AP with the A, B and C entitlements not associated with a role?

Hi @JackSparrow

No, it is not associated with any role; it is a standalone AP comprised of those 3 entitlements. But why is it not possible to keep the entitlements separate and as individual access items? What if we want to revoke access to only one of the entitlements in that AP?

Why would someone who got 3 separate entitlements over the course of a year, for example, now get an access profile on their identity that was never requested nor given through a lifecycle state? If this is true, then SailPoint has no possible way to certify individual entitlements if they accidentally match the entitlement list in a completely unrelated AP?

Hi @mosareini, a few months back we had a call with the SailPoint ES team where they confirmed that entitlements cannot be certified individually if they are encapsulated in APs or Roles. But I accept the scenario you mentioned. You can have your idea submitted.

It does seem to fit expected behaviour: if the entitlements are in an Access Profile they would be displayed unless you remove the access profile.

For your scenario an enhancement idea may be worth submitting.

@JackSparrow

Thank you for the insight, I appreciate it! I just didn’t have confirmation on this concept and I’ve been losing my mind running through every possible option to filter down these certs. I’ll submit this idea but won’t hold my breath lol. Thanks again!


Hi @mosareini ,

What we have noticed is that you see the AP as detected based on the composition of entitlements.

Now, in case you revoke the access profile, the entitlements will not be removed. My understanding is that since entitlements are sticky in nature, once they are removed via the access profile they will be provisioned back in the next refresh.

Is the same happening in your env too ?

Hi @vishal_kejriwal1,

Are these APs directly assigned to the identities, or are they part of a role that the user is getting via criteria? If you remove an AP from a user who is getting that AP via role criteria, it will give them the AP back any time you aggregate or run an identity refresh, because they meet the criteria to receive all the access inside of that Role. That seems to be expected functionality for us though; is this the case for you, or am I misinterpreting?

My main issue in my post was just that entitlements that were granted individually don’t show up individually on Campaign Certifications if those entitlements make up an AP, which is a problem for us when auditing and trying to certify access. Have you run into this as well?

We have the same issue:
entitlements that were granted individually don’t show up individually on Campaign Certifications if those entitlements make up an AP. Now, when you remove the AP via the review process, the access is removed and then added back in the next refresh, as these entitlements are sticky in nature.