Grant_access when the entitlement is single valued in a JDBC source

vikramsah · February 28, 2024, 3:08am

How does grant_access in submit access request api work when the entitlement is single valued in a JDBC source. Is updating the current entitlement using queries enough to let the IDN know that we need to

step1: revoke the current entitlement
step2: Add the new entitlement

or would it try to keep both the entitlements alive?

RAKGDS · February 28, 2024, 6:09am

Hi Vikram,
If it is single value can you try to only add the entitlement, i think it should replace the existing entitlement. In the target as well you can have a update query and then do a single aggregation and see if that works fine

anagha · February 28, 2024, 7:57am

Hi Vikram,

The grant_access operation is included in the access request API call, specifying the resource (JDBC source) and the entitlement (single-valued).When the access request is processed, IdentityNow checks the user’s existing entitlements in the JDBC source. If the user does not already have the entitlement, it adds the entitlement value to the user’s account.

Updating the current entitlement using queries in SailPoint IdentityNow (IDN) may not be sufficient to ensure that the entitlement is revoked. In IDN, revocation of entitlements is typically managed through the certification and access review processes. Once an entitlement is updated or removed in the source system or application, IDN will reflect this change in the certification and access review tasks. It is important to complete these tasks to ensure that the entitlement is properly revoked and access is removed for the user.

Deleting entitlement from the source itself and running an entitlement aggregation will remove the entitlement from IDN

vikramsah · February 28, 2024, 3:35pm

Hi Anagha,
So are you saying that the modify operation will not automatically revoke the old entitlement and add a new one, and instead an explicit revoke request will be required to remove the old entitlement??

anagha · February 28, 2024, 4:44pm

Modify operation should work. Try to check membership criteria of all the roles, because if an entitlement is granted through membership criteria, it might set the value to the old entitlement even if you have a modify provisioning rule set up.

vikramsah · February 28, 2024, 6:16pm

Well, there is no role membership as of now. I have written an update query within the modify operation of the connector rule. I want the update to be removing the current entitlement and adding the updated entitlement against that identity. But it appears that the old entitlement is never replaced and the rule tries to add the new entitlement on top of the old one, which is leading to IDN trying to set it back to the old entitlement and essentially nullifying the modify.

iamnithesh · February 28, 2024, 6:22pm

If it’s a JDBC source you can control what is happening using the query written in JDBC Provisioning rule. Any updates made will reflect in IDN after the next aggregation.

system · April 28, 2024, 6:22pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Modifying a Single valued entitlement ISC Discussion and Questions identity-security-cloud , provisioning , jdbc-connector	9	232	April 30, 2024
Single Valued Entitlement Issue for JDBC connector ISC Discussion and Questions entitlements	6	380	July 19, 2023
Identity Refresh sets the entitlement to old value ISC Discussion and Questions identity-security-cloud , provisioning , jdbc-connector	8	162	April 28, 2024
Multiple Entitlement Types for JDBC Source ISC Discussion and Questions	2	1491	July 19, 2023
Request an entitlement to replace existing ISC Discussion and Questions webservice-connector , identity-security-cloud , provisioning , access-requests	4	219	March 17, 2024

Grant_access when the entitlement is single valued in a JDBC source

Related Topics