Establishing entitlement precedence during collisions for roles

Working with a SailPoint developer today, we demonstrated that when a source has an entitlement type which is not multi-valued, and a user is assigned (or requests) two roles which carry different values for that same entitlement, Identity Refresh just sort of makes a wild stab at the best role.

I’ve submitted an idea that I think would address this AND unlock a new feature for role designers.

Introduce PRECEDENCE to provisioning | SailPoint Ideas Portal

If there were a precedence flag (integer), identity refresh could perform comparisons when collisions occur, or simply evaluate entitlements in ascending order, resulting in the client-preferred entitlement being assigned and preventing multiple calls to the source during identity refresh.

I think this would present some cool possibilities for our role designers. They could give large business roles with the “minimum” rights, and then add “upgrades” which could be given higher precedence when promotions occur, or simply create add-on roles which change these singular entitlement values appropriately.

I’d also propose a default scheme - that roles/access profiles/entitlements which are sticky be evaluated in creation-date order, with precedence going to newer items when the same level of precedence occurs.
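To make the proposed rule concrete, here is an added example (my own illustration, not code from the post, SailPoint, or the Ideas Portal entry) of how a refresh could resolve a collision on a single-valued entitlement. It assumes a hypothetical integer `precedence` on each role, evaluates roles in ascending precedence so the highest precedence is applied last and wins, breaks ties by creation date with the newer item winning, and unions multi-valued entitlements instead of replacing them. The roles, attribute names and values are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Constructed: attributes on the source that accept more than one value.
MULTI_VALUED = {"groups"}


@dataclass
class Role:
    name: str
    precedence: int          # hypothetical flag proposed in the post (higher wins)
    created: date            # used as tie-breaker: newer item wins
    entitlements: dict       # attribute -> str (single-valued) or frozenset (multi-valued)


def resolve(roles):
    """Collapse a set of roles into one value per single-valued attribute.

    Roles are evaluated in ascending (precedence, created) order, so the
    last write for a single-valued attribute comes from the role with the
    highest precedence, or the newest role when precedence ties.
    Returns (final_entitlements, decision_log); the log records every
    override so an admin can see why a value was chosen.
    """
    ordered = sorted(roles, key=lambda r: (r.precedence, r.created))
    result = {}
    log = []
    for role in ordered:
        for attr, value in role.entitlements.items():
            if attr in MULTI_VALUED:
                # Multi-valued: accumulate, no collision possible.
                result.setdefault(attr, set()).update(value)
                continue
            prev = result.get(attr)
            if prev is not None and prev != value:
                log.append(f"{attr}: {prev!r} overridden by {value!r} "
                           f"(role {role.name}, precedence {role.precedence})")
            result[attr] = value
    return result, log


def sample_roles():
    """Constructed roles that collide on the single-valued 'license' attribute."""
    return {
        "employee": Role("Employee", 10, date(2022, 1, 1),
                         {"license": "Standard", "groups": frozenset({"all-staff"})}),
        "contractor": Role("Contractor", 10, date(2023, 6, 1),
                           {"license": "Basic"}),
        "manager_upgrade": Role("Manager upgrade", 20, date(2023, 3, 1),
                                {"license": "Enterprise", "groups": frozenset({"managers"})}),
    }


if __name__ == "__main__":
    roles = sample_roles()
    # Same precedence: the newer role (Contractor) wins the tie.
    final, log = resolve([roles["employee"], roles["contractor"]])
    print(final["license"], log)
    # Higher precedence beats both, regardless of creation date.
    final, log = resolve(roles.values())
    print(final, log)
```

Because the resolver settles on one value per single-valued attribute before anything is provisioned, a refresh would issue a single write per attribute to the source instead of flip-flopping between role values.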
