Exclude Entitlements and BirthRight Role from certification campaign

Hello,

I would like to exclude entitlements and certain technical roles from a certification campaign.

To do this, I built the following query filter:

((NOT _exists_:privileged) AND (@accessModelMetadata(key:"roleRoleTechnique" AND value:"oui")))
  • NOT _exists_:privileged: excludes entitlements
  • @accessModelMetadata(key:"roleRoleTechnique" AND value:"oui"): excludes technical roles

The issue I'm facing is that when I use @accessModelMetadata, access profiles are also being excluded, even though they shouldn't be, because accessModelMetadata is not part of the access profile data model.

I tried combining the @accessModelMetadata clause with conditions that check for an access profile field, but access profiles are still being excluded whenever @accessModelMetadata is present.

I’m currently considering using tags as an alternative, but that would require significant updates and administrative work.

Any idea?

Would you like to run the certification campaign for all APs to all identities? Or do you need to refine identities and APs selectively?

For all campaigns, we would like to add all access except:

  • Entitlements
  • Technical Roles (for that we added a metadata to tag them)

In our campaign configuration we begin by selecting access items and apply the filter provided above.

Regarding identities, the scope will depend on each type of campaign, and this works.

Hello @baoussounda

This is due to the use of NOT with the exists keyword, as the search returns access items and identities with access items. Privileged is a boolean flag for entitlements, so make use of it in defining the search query, with the value either false or true. Also, make sure you are mapping the key and value to the right field (key is the technical name of the attribute and name is the display name of the attribute).

Hello @jainanimesh

The filter (NOT _exists_:privileged) works perfectly and excludes entitlements, because the privileged key is not part of Role and Access Profile.

The filter (@accessModelMetadata(key:"roleRoleTechnique" AND value:"oui")) also works correctly, but not as regards excluded access profiles.

Try this query so that it excludes APs:

(@accessModelMetadata(key:"roleRoleTechnique" AND value:"oui")) AND NOT(type:"ACCESS_PROFILE")

The type key is not searchable: Searchable Fields - SailPoint Identity Services

Omg, I had not realized, thanks.

In that case maybe we need to think about the requestable key, if your APs are all non-requestable. Not sure, I need to check, just thinking like that.

Before, I already tested with the entitlementCount key, but the main issue came from @accessModelMetadata(key:"roleRoleTechnique" AND value:"oui").

For example :

(@accessModelMetadata(key:"roleRoleTechnique" AND value:"oui") OR _exists_:entitlementCount)

Does not work.

But if I remove @accessModelMetadata(key:"roleRoleTechnique" AND value:"oui"), it works.
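Before wiring a filter like the ones above into a campaign, it is worth checking directly which object types the search actually returns for it. The script below is an added example and not code from the thread or from SailPoint: it posts a query to the v3 search API (POST /v3/search over the accessprofiles, roles and entitlements indices, an assumption about the endpoint and the _type field on each hit) and tallies hits by _type, so a clause that silently drops every access profile shows up as a zero count. The HTTP call is injectable; the fake_post sample and its hits are constructed to mimic the behaviour reported in this thread (the @accessModelMetadata clause returning only roles) so the script runs offline.

```python
"""Tally the _type of every hit a SailPoint search filter returns.

Added example (not from the thread or SailPoint). Assumptions:
  - POST {base}/v3/search accepts {"indices": [...], "query": {"query": ...}}
    and returns a JSON array of documents, each carrying a "_type"
    such as "accessprofile", "role" or "entitlement";
  - paging is done with the offset/limit query parameters.
"""
import json
import urllib.request
from collections import Counter

INDICES = ["accessprofiles", "roles", "entitlements"]

# The original poster's filter, with straight quotes.
OP_FILTER = ('((NOT _exists_:privileged) AND '
             '(@accessModelMetadata(key:"roleRoleTechnique" AND value:"oui")))')
NO_ENTITLEMENTS = "(NOT _exists_:privileged)"


def _http_post(url, token, body):
    """Real HTTP call: bearer-token POST of a JSON body, JSON array back."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def search_types(base_url, token, query, post=None, limit=250):
    """Run `query` over the access-item indices and count hits per _type.

    `post(url, token, body)` defaults to the real HTTP call; pass a fake
    to test offline. Pages until a short page comes back.
    """
    post = post or _http_post
    counts = Counter()
    offset = 0
    while True:
        body = {"indices": INDICES, "query": {"query": query}}
        hits = post(f"{base_url}/v3/search?offset={offset}&limit={limit}",
                    token, body)
        if not hits:
            break
        for hit in hits:
            counts[hit.get("_type", "unknown")] += 1
        if len(hits) < limit:
            break
        offset += limit
    return counts


def missing_types(counts, expected=("accessprofile", "role")):
    """Types the campaign filter is supposed to keep but returned no hits."""
    return {t for t in expected if counts[t] == 0}


# Constructed sample hits (not real tenant data): two APs and three roles,
# one of them a technical role flagged via accessModelMetadata.
FAKE_HITS = [
    {"id": "ap-1", "name": "AP Finance", "_type": "accessprofile"},
    {"id": "ap-2", "name": "AP HR", "_type": "accessprofile"},
    {"id": "r-1", "name": "Role Manager", "_type": "role"},
    {"id": "r-2", "name": "Role Analyst", "_type": "role"},
    {"id": "r-3", "name": "Role Tech", "_type": "role",
     "accessModelMetadata": {"attributes": [
         {"key": "roleRoleTechnique", "values": [{"value": "oui"}]}]}},
]


def fake_post(url, token, body):
    """Offline stand-in mimicking the thread's report: any query containing
    @accessModelMetadata comes back with roles only, APs dropped."""
    if "@accessModelMetadata" in body["query"]["query"]:
        return [h for h in FAKE_HITS if h["_type"] == "role"]
    return list(FAKE_HITS)


if __name__ == "__main__":
    base, token = "https://example.api.identitynow.com", "dummy-token"
    for label, q in (("OP filter", OP_FILTER), ("no entitlements", NO_ENTITLEMENTS)):
        counts = search_types(base, token, q, post=fake_post)
        print(f"{label}: {dict(counts)}; missing: {missing_types(counts)}")
```

To run it against a tenant, drop the `post=fake_post` argument and supply a real base URL and bearer token; a non-empty `missing_types` result for a filter means the campaign built on it would never show that object type to reviewers.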
