We have a requirement to have the entitlements of a specific application certified. When we generate a certification from Search after selecting the respective entitlements via a query, it gives the option to select all identities (active/inactive) or to manually select the identities. Manually selecting is not recommended for us.
Is there any way to filter out inactive identities and consider only active identities whose lifecycle state is A?
Or, if we select identities first, is there any way to select only the application-specific entitlements?
@SayanthBR If you're navigating through Search UI > Certification Campaigns > Identities > All Identities Returned by a Query, you'll see a search box where you can define the scope of identities to include in the campaign. To ensure only active identities are considered, you should prefix your search query with: attributes.cloudLifecycleState:"active" AND <your existing access related query>
This will filter out inactive identities and include only those whose lifecycle state is marked as active.
Note: Be sure to adjust the cloudLifecycleState value to match whatever your organization has mapped as "active" users. Some setups might use different labels like "Active" or "Enabled" depending on how lifecycle state values are configured.
Also, if possible, could you share the search query you’re currently using and the type of certification you’re creating. Please feel free to redact any sensitive access names or application details.
You’re right @SayanthBR. That’s the current limitation with ISC certifications.
If you go with Identity-based certification, you can filter identities (like attributes.cloudLifecycleState:"active" AND manager.name:"<id of manager>"), but then all access items for those identities get pulled in, and you’d have to manually refine the application entitlements/access profiles/roles each time.
If you go with Access-based certification, you can target specific entitlements (like only Active Directory), but you don’t get an easy way to filter out inactive identities so they end up in scope too.
That being said, I would suggest you explore the IdentityNow Bulk Certification Tool. From what I recall, it allows you to define both identity and entitlement queries, and then generate campaigns via ISC using this utility.
I'm not entirely sure if both queries will work seamlessly together, since this setup relies on ISC REST APIs and could run into limitations, but you can definitely give this a try.
@SayanthBR You can do it like this: in Search, select identities by attributes.cloudLifecycleState:"active". In the response, checkmark the "ID" column and uncheck the rest. You will only have the ID column now. Generate and download that report (and open it in Excel).
Go to Search again and start a new campaign. Choose Identity based. Click on "specific identities that I select".
In the search bar now, copy and paste the entire column of IDs from the generated report. It will automatically be like id1 id2 id3 id4 (just a space between).
Now, you should have only active users. Select them all, and go to certify the access.
Next, you will be prompted to certify all items, or only items you decide. If you go for the latter option, you can pick which accesses you want to certify.
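As an added example (not code from this thread or from SailPoint), the following Python helper covers the two manual steps discussed above: building the lifecycle-prefixed search query recommended in the first reply, and turning the downloaded ID-only report from the last reply into the space-separated list that gets pasted into the search bar. The ACTIVE_LABEL value, the `@access(...)` sample query and the IDs in the sample report are assumptions or constructed values; adjust the label to whatever your tenant maps as "active".

```python
import csv
import io
from typing import Iterable, List

# Constructed sample of the ID-only report described in the last reply.
# The IDs are placeholders, not real ISC identity IDs; a duplicate row is
# included on purpose to show that it is dropped.
SAMPLE_REPORT_CSV = """ID
id-0001
id-0002
id-0001
id-0003
"""

# Assumed label for active identities; change it if your tenant uses
# "Active", "Enabled" or another value (see the note in the first reply).
ACTIVE_LABEL = "active"


def build_active_identity_query(access_query: str, active_label: str = ACTIVE_LABEL) -> str:
    """Prefix an access-related search query with the lifecycle-state filter.

    The caller's query is wrapped in parentheses so an OR inside it cannot
    escape the AND and silently widen the campaign scope to inactive users.
    """
    access_query = access_query.strip()
    if not access_query:
        raise ValueError("access query must not be empty")
    return f'attributes.cloudLifecycleState:"{active_label}" AND ({access_query})'


def ids_from_report(csv_text: str, id_column: str = "ID") -> List[str]:
    """Read the downloaded ID-only report and return its IDs in order,
    skipping blank cells and duplicates, so nothing stray is pasted."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames is None or id_column not in reader.fieldnames:
        raise ValueError(f"report has no {id_column!r} column")
    seen = set()
    ids: List[str] = []
    for row in reader:
        value = (row.get(id_column) or "").strip()
        if value and value not in seen:
            seen.add(value)
            ids.append(value)
    return ids


def paste_string(ids: Iterable[str]) -> str:
    """Join IDs with single spaces, the form the search bar accepts
    when the column is pasted in (id1 id2 id3 ...)."""
    return " ".join(ids)


if __name__ == "__main__":
    # Assumed access query: entitlements from one source, written with the
    # nested @access(...) search syntax.
    print(build_active_identity_query('@access(source.name:"Active Directory")'))
    print(paste_string(ids_from_report(SAMPLE_REPORT_CSV)))
```

Run it as a script to print the combined query and the paste string; point `ids_from_report` at the contents of your own downloaded report instead of the constructed sample.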