Groups Created from PTAs Should Be Immediately Available as Entitlements

Link to vote for idea: Groups Created from PTAs Should Be | SailPoint Ideas Portal

I would love to hear if people have other approaches or how they’re using this today!

IDEA:
SailPoint should optimistically create an entitlement object after a PTA successfully creates a group in systems such as AD/Entra. This would be similar to when you provision a new account in a target system, and an account object is created and attached to the identity before an aggregation has been run.

For AD, SailPoint knows the distinguishedName, name, SAM Account Name, and type of the group, which should be enough information to create the object type since these are the default identity and display attributes in the schema.

PROBLEM:
Today, when you create a new group (Entra or AD) through a PTA, the system does not create an entitlement object in SailPoint for that group. Because of this, you have to complete an aggregation from the target system before the entitlement is available in SailPoint. However, these target systems can have very long aggregation times, such as an AD source with over 100,000 groups, which can take 50+ minutes to aggregate. Entitlement aggregations in ISC also do not have a delta option or a targeted option.

In the SailPoint demos and sales pitch of the PTA functionality, they show interactive forms where a user creates a new group and then immediately sets things like entitlement metadata or request and approval options. But you can’t actually do that in a realistic environment.

The lack of ability to apply governance and integrate this into other parts of the product, such as Access Requests, Roles, Certifications, and more, leaves a lot to be desired.