Fundamentals of DynamicScopes

Which IIQ version are you inquiring about?

Version 8.3

Hello,

In order to define which entitlements users are allowed to request, in DynamicScopes, we defined RequestControl and RemoveControl rules. I have some questions regarding the functioning of scopes that I didn’t find the answers to in the documentation.

Is there a way to check which DynamicScope is applied to a user? Or is this done by just analyzing all the Selectors of the Scopes?

Some DynamicScopes don’t have Selectors. Are these scopes applied to all users?

When a user matches with more than one DynamicScope, which permissions are granted to the user? Does the user receive all the permissions from all the DynamicScopes? Does the user only receive the most restrictive permissions?

If there is a Post or Guide that addresses these questions, please feel free to share it :slight_smile:

Thanks in advance

Hi and Hello,

Look here:

https://community.sailpoint.com/t5/Technical-White-Papers/QuickLinks/ta-p/74261

  1. You can check the identity in debug.
  2. You need to give an example.
  3. The user receives all the permissions.

Regards,
Adam

For instance, we have these two DynamicScopes:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE DynamicScope PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<DynamicScope allowAll="true" name="Everyone">
   <ApplicationRequestControl>
      <Reference class="sailpoint.object.Rule" name="Rule-RequestObjectSelector-RemoveApplications"/>
   </ApplicationRequestControl>
   <ManagedAttributeRequestControl>
      <Reference class="sailpoint.object.Rule" name="Rule-RequestObjectSelector-RemoveOwnedEntitlements"/>
   </ManagedAttributeRequestControl>
   <PopulationRequestAuthority allowAll="true"/>
   <RoleRemoveControl>
      <Reference class="sailpoint.object.Rule" name="Rule-FrameWorkRegularRoles"/>
   </RoleRemoveControl>
   <RoleRequestControl>
      <Reference class="sailpoint.object.Rule" name="Rule-FrameWorkRegularRoles"/>
   </RoleRequestControl>
</DynamicScope>

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE DynamicScope PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<DynamicScope allowAll="true" name="Self Service Privileged Access">
   <ApplicationRequestControl>
      <Reference class="sailpoint.object.Rule" name="Rule-RequestObjectSelector-RemoveApplications"/>
   </ApplicationRequestControl>
   <ManagedAttributeRequestControl>
      <Reference class="sailpoint.object.Rule" name="Rule-RequestObjectSelector-RemoveOwnedEntitlements"/>
   </ManagedAttributeRequestControl>
   <PopulationRequestAuthority>
      <MatchConfig customControl="(correlated == true)" enableCustomControl="true" matchAll="true"/>
   </PopulationRequestAuthority>
   <RoleRequestControl>
      <Reference class="sailpoint.object.Rule" name="Rule-FrameWorkPrivilegedRoles"/>
   </RoleRequestControl>
</DynamicScope>

Are these two Scopes applied to all the correlated accounts?

Hi and Hello,

I think yes.

<DynamicScope allowAll="true"

Regards,
Adam

That makes sense, thank you.

Also, regarding looking for the identity on the debug. What should I be looking for?

I tried looking for something related to scope, or even the name of a new scope I created, but I can’t seem to find reference to it. Is there an attribute that holds this information?

Hi @brunoocarvalho,

A dynamic scope, as the name suggests, is not directly mapped on the identity; rather, it is attribute-based matching that is done when the QuickLink is accessed.

For example, if you consider the "Manager" scope, it looks for all identities where managerStatus="true", and this attribute you will be able to find on the identity.

Let us know if further insight is needed.

Thanks
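To make the answers above concrete (Adam's point 3 that a user matching several scopes receives all of their permissions, and the attribute-based matching described in the last reply), here is an added Python example that is not part of this thread or of IdentityIQ. It parses the two DynamicScope exports posted above (with their identical Application/ManagedAttribute controls trimmed), adds a constructed "Managers" scope, and reports which scopes apply to a given identity and the union of the rules they reference. The `<Selector>` layout of the constructed scope, the rule name Rule-ManagerRoles, the `scope_applies`/`effective_controls` helpers and the tiny expression evaluator are all assumptions made for the example, not IIQ's own selector engine.

```python
# Added example, not SailPoint code. Models the answers in this thread:
# allowAll="true" applies to everyone, a selector is matched on identity
# attributes when the QuickLink is used, and an identity in several scopes
# receives the union of their permissions.
import re
import xml.etree.ElementTree as ET

# The two exports posted above (their identical Application/ManagedAttribute
# controls trimmed for brevity) plus a "Managers" scope constructed for this
# example; its <Selector> layout and Rule-ManagerRoles are assumptions, not
# taken from sailpoint.dtd.
SCOPES_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE DynamicScope PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<DynamicScope allowAll="true" name="Everyone">
   <PopulationRequestAuthority allowAll="true"/>
   <RoleRemoveControl>
      <Reference class="sailpoint.object.Rule" name="Rule-FrameWorkRegularRoles"/>
   </RoleRemoveControl>
   <RoleRequestControl>
      <Reference class="sailpoint.object.Rule" name="Rule-FrameWorkRegularRoles"/>
   </RoleRequestControl>
</DynamicScope>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE DynamicScope PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<DynamicScope allowAll="true" name="Self Service Privileged Access">
   <PopulationRequestAuthority>
      <MatchConfig customControl="(correlated == true)" enableCustomControl="true" matchAll="true"/>
   </PopulationRequestAuthority>
   <RoleRequestControl>
      <Reference class="sailpoint.object.Rule" name="Rule-FrameWorkPrivilegedRoles"/>
   </RoleRequestControl>
</DynamicScope>
<DynamicScope name="Managers">
   <Selector>
      <MatchConfig customControl="(managerStatus == true)" enableCustomControl="true" matchAll="true"/>
   </Selector>
   <RoleRequestControl>
      <Reference class="sailpoint.object.Rule" name="Rule-ManagerRoles"/>
   </RoleRequestControl>
</DynamicScope>
"""

CONTROL_TAGS = ("ApplicationRequestControl", "ManagedAttributeRequestControl",
                "RoleRequestControl", "RoleRemoveControl")
# One customControl term: (attr == value) or (attr != value); quotes optional.
TERM = re.compile(r'^\s*\(?\s*(\w+)\s*(==|!=)\s*"?([\w-]+)"?\s*\)?\s*$')


def parse_scopes(text):
    """Split a file of concatenated exports into one dict per DynamicScope."""
    # Drop the XML declarations and DOCTYPE references first: nothing here
    # needs sailpoint.dtd, and ElementTree would not fetch it anyway.
    text = re.sub(r"<\?xml[^>]*\?>|<!DOCTYPE[^>]*>", "", text)
    scopes = []
    for chunk in re.split(r"(?=<DynamicScope\b)", text):
        if not chunk.strip():
            continue
        root = ET.fromstring(chunk.strip())
        controls = {}
        for tag in CONTROL_TAGS:
            el = root.find(tag)
            if el is not None:
                controls[tag] = {ref.get("name") for ref in el.findall("Reference")}
        pop = root.find("PopulationRequestAuthority")
        if pop is not None:  # collected as data only; the thread does not say how these combine
            mc = pop.find("MatchConfig")
            controls["PopulationRequestAuthority"] = (
                {"allowAll"} if pop.get("allowAll") == "true"
                else {mc.get("customControl")} if mc is not None else set())
        sel = root.find("Selector/MatchConfig")
        scopes.append({"name": root.get("name"),
                       "allow_all": root.get("allowAll") == "true",
                       "selector": sel.get("customControl") if sel is not None else None,
                       "controls": controls})
    return scopes


def evaluate(expr, identity):
    """Evaluate a customControl-style expression against identity attributes."""
    results = []
    for term in expr.split("&&"):
        m = TERM.match(term)
        if not m:
            raise ValueError(f"unsupported term: {term!r}")
        attr, op, value = m.groups()
        hit = str(identity.get(attr, "")).lower() == value.lower()
        results.append(hit if op == "==" else not hit)
    return all(results)


def scope_applies(scope, identity):
    if scope["allow_all"]:
        return True  # applies to every identity, as answered above
    if scope["selector"] is None:
        return False  # assumption: neither allowAll nor a selector matches nobody
    return evaluate(scope["selector"], identity)


def effective_controls(scopes, identity):
    """Names of the scopes that apply plus the union of their controls."""
    applied = [s for s in scopes if scope_applies(s, identity)]
    merged = {}
    for s in applied:
        for tag, rules in s["controls"].items():
            merged.setdefault(tag, set()).update(rules)
    return [s["name"] for s in applied], {t: sorted(r) for t, r in merged.items()}


if __name__ == "__main__":
    # Constructed identity attributes, as you would read them off the debug page.
    names, controls = effective_controls(parse_scopes(SCOPES_XML),
                                         {"correlated": True, "managerStatus": "true"})
    print(names)
    for tag, rules in controls.items():
        print(f"  {tag}: {rules}")
```

Run it as-is to see the result for a correlated manager, or feed `parse_scopes` a real export and compare the output with what the identity shows on the debug page. Because the union is what applies, one extra `allowAll="true"` scope widens what every user can request, so it pays to review scopes together rather than one at a time.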