Grant_access when the entitlement is single valued in a JDBC source

How does grant_access in the submit access request API work when the entitlement is single valued in a JDBC source? Is updating the current entitlement using queries enough to let the IDN know that we need to

step1: revoke the current entitlement
step2: Add the new entitlement

or would it try to keep both the entitlements alive?

Hi Vikram,
If it is single value, can you try to only add the entitlement? I think it should replace the existing entitlement. In the target as well you can have an update query and then do a single aggregation and see if that works fine.

Hi Vikram,

  1. The grant_access operation is included in the access request API call, specifying the resource (JDBC source) and the entitlement (single-valued). When the access request is processed, IdentityNow checks the user’s existing entitlements in the JDBC source. If the user does not already have the entitlement, it adds the entitlement value to the user’s account.
  2. Updating the current entitlement using queries in SailPoint IdentityNow (IDN) may not be sufficient to ensure that the entitlement is revoked. In IDN, revocation of entitlements is typically managed through the certification and access review processes. Once an entitlement is updated or removed in the source system or application, IDN will reflect this change in the certification and access review tasks. It is important to complete these tasks to ensure that the entitlement is properly revoked and access is removed for the user.

Deleting the entitlement from the source itself and running an entitlement aggregation will remove the entitlement from IDN.


Hi Anagha,
So are you saying that the modify operation will not automatically revoke the old entitlement and add a new one, and instead an explicit revoke request will be required to remove the old entitlement?

Modify operation should work. Try to check membership criteria of all the roles, because if an entitlement is granted through membership criteria, it might set the value to the old entitlement even if you have a modify provisioning rule set up.

Well, there is no role membership as of now. I have written an update query within the modify operation of the connector rule. I want the update to be removing the current entitlement and adding the updated entitlement against that identity. But it appears that the old entitlement is never replaced and the rule tries to add the new entitlement on top of the old one, which is leading to IDN trying to set it back to the old entitlement and essentially nullifying the modify.

If it’s a JDBC source you can control what is happening using the query written in JDBC Provisioning rule. Any updates made will reflect in IDN after the next aggregation.
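
As an added example (not code from any poster in this thread), here is one way a JDBC Provision rule body could treat a single-valued entitlement column: Add and Set overwrite the column, and Remove clears it only if it still holds the value being revoked. The table `app_users` and the columns `login` and `access_level` are assumed names; `connection` and `plan` are the inputs the connector passes to the rule.

```java
// Added example: BeanShell body of a JDBC Provision rule.
// ASSUMED names: table app_users, key column login, single-valued column access_level.
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningResult;

ProvisioningResult result = new ProvisioningResult();
result.setStatus(ProvisioningResult.STATUS_COMMITTED);
List accounts = plan.getAccountRequests();
for (int i = 0; accounts != null && i < accounts.size(); i++) {
    AccountRequest account = (AccountRequest) accounts.get(i);
    if (!AccountRequest.Operation.Modify.equals(account.getOperation())) continue;
    List attrs = account.getAttributeRequests();
    for (int j = 0; attrs != null && j < attrs.size(); j++) {
        AttributeRequest attr = (AttributeRequest) attrs.get(j);
        // Skip attributes this rule does not manage and requests with no value.
        if (!"access_level".equals(attr.getName()) || attr.getValue() == null) continue;
        String value = attr.getValue().toString();
        PreparedStatement stmt = null;
        try {
            if (ProvisioningPlan.Operation.Remove.equals(attr.getOperation())) {
                // Clear the column only if it still holds the value being revoked,
                // so a revoke of the old value cannot wipe a newly granted one.
                stmt = connection.prepareStatement(
                    "UPDATE app_users SET access_level = NULL WHERE login = ? AND access_level = ?");
                stmt.setString(1, account.getNativeIdentity());
                stmt.setString(2, value);
            } else {
                // Add or Set: overwrite, because the column holds exactly one value.
                stmt = connection.prepareStatement(
                    "UPDATE app_users SET access_level = ? WHERE login = ?");
                stmt.setString(1, value);
                stmt.setString(2, account.getNativeIdentity());
            }
            stmt.executeUpdate();
        } catch (SQLException e) {
            // Report the failure so the request is not marked as provisioned.
            result.setStatus(ProvisioningResult.STATUS_FAILED);
            result.addError(e);
        } finally {
            if (stmt != null) stmt.close();
        }
    }
}
return result;
```

Because the statements are parameterized, entitlement values from the request are never concatenated into the SQL text.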