Guidance Needed: Enforcing "Single Entitlement Per Application per User" Using Advanced Policy in SailPoint IIQ

Hi Team,

I need your guidance on how to enforce the policy of “Single Entitlement Per Application per User” using Advanced Policy in SailPoint IIQ.

I have attached my attempted policy configuration, but it is currently fetching only one entitlement for the expected identity. I am looking for a solution that ensures each user can have only one entitlement per application.

Could you please advise on how to resolve this issue or provide suggestions for the correct approach?

Thank you for your support.

Best regards,
Venu1010

Rule_Generic_OneEntitlementPerUserPer Application_SOD_Policy.xml (6.6 KB)

Hi @Venu1010 - I would alter your rule to do the following:

  1. Get the user’s entitlements for each application in the post-request state
  2. Add these to a map - key being app and value being either:
    1. list of entitlements for the app, or
    2. count of entitlements for the app
  3. Iterate over your list of “single entitlement” applications, checking your reference map from the above step for the entitlements.
  4. If there is more than one entitlement for said app (or count > 1 if you used counts), set your violation condition to true
  5. Display violation as you are currently doing when violation is found

This way is much more efficient from a loading data into memory perspective and will achieve your desired use case.

Let me know if you need help implementing this within the rule itself, or if you need to tailor it to specific entitlement sets per application.

Hope this helps!
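The five steps above, written out as the BeanShell body of an IIQ rule of type "Policy" (the violation rule of an Advanced Policy constraint). This is an added example, not the poster's attached rule or SailPoint's own code. It assumes the standard Policy rule inputs (`context`, `identity`, `policy`, `constraint`, `state`) and the usual IIQ API calls (`Identity.getLinks`, `Link.getApplication`, `Application.getAccountSchema`, `Schema.getEntitlementAttributeNames`, `Link.getAttribute`, the `PolicyViolation` setters); the application names in `singleEntitlementApps` are constructed placeholders to replace with your own.

```java
// Body of an IIQ rule of type "Policy" (violation rule of an Advanced Policy
// constraint). IIQ supplies: context, identity (post-request state), policy,
// constraint, state. Return a PolicyViolation to flag a violation, or null.
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import sailpoint.object.Application;
import sailpoint.object.Link;
import sailpoint.object.PolicyViolation;
import sailpoint.object.Schema;
import sailpoint.tools.Util;

// Assumption (constructed placeholders): the applications restricted to
// one entitlement per user.
List singleEntitlementApps = Arrays.asList("Example-HR-App", "Example-Finance-App");

// Steps 1-2: application name -> list of entitlement values held after the request.
Map entitlementsByApp = new HashMap();
List links = identity.getLinks();
if (links != null) {
  for (Link link : links) {
    Application app = link.getApplication();
    if (app == null) continue;
    Schema schema = app.getAccountSchema();
    if (schema == null) continue;
    List entAttrs = schema.getEntitlementAttributeNames();
    if (Util.isEmpty(entAttrs)) continue;

    // Several accounts on the same application are pooled under one key,
    // so the limit is per user per application, not per account.
    List values = (List) entitlementsByApp.get(app.getName());
    if (values == null) {
      values = new ArrayList();
      entitlementsByApp.put(app.getName(), values);
    }
    // Entitlement attributes may be single-valued (String) or multi-valued
    // (List); normalize both so the count is right either way.
    for (String attr : entAttrs) {
      Object value = link.getAttribute(attr);
      if (value instanceof List) {
        values.addAll((List) value);
      } else if (value != null) {
        values.add(value);
      }
    }
  }
}

// Steps 3-4: only the single-entitlement applications are checked.
List violatingApps = new ArrayList();
for (String appName : singleEntitlementApps) {
  List values = (List) entitlementsByApp.get(appName);
  if (values != null && values.size() > 1) {
    violatingApps.add(appName + " has " + values.size() + " entitlements: " + values);
  }
}
if (violatingApps.isEmpty()) {
  return null;
}

// Step 5: report every offending application in one violation.
PolicyViolation violation = new PolicyViolation();
violation.setIdentity(identity);
violation.setPolicy(policy);
violation.setConstraint(constraint);
violation.setStatus(PolicyViolation.Status.Open);
violation.setActive(true);
violation.setDescription("Single-entitlement-per-application policy violated: "
    + Util.listToCsv(violatingApps));
return violation;
```

The rule can only count what is on the `identity` object it receives. If the LCM workflow has already removed a requested entitlement from the plan before the violation review step, that entitlement is not on the post-request identity and no rule logic will see it, so a rule that reports only one of two requested entitlements points to the workflow, not to the map-building above.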

The system is only capturing one entitlement, even though I submitted a request for two. Please correct this issue.

@Venu1010 Ideally, the identity object from the input argument will have all the submitted entitlements. Can you check whether you are modifying the plan in the LCM workflow before it is passed to the Identity Request Violation Review subprocess? In case you have logic that removes some entitlement from the plan, the identity object will not have the removed entitlement.

FYI - I have created an Entitlement SOD Policy which is also not getting triggered. Any idea? Please find the screenshot below for your reference.

@Venu1010 Please check the variable policiesToCheck in the LCM workflow which controls the scope of the evaluation:

  • If defined: Only the policies you list will be checked.
  • If empty: All active policies will be checked.

@Venu1010 Please check whether the “policyScheme” variable is set in your LCM workflow. If it is not set, policy checking is disabled.

policyScheme is already set to “Interactive” in workflow.

@Venu1010 Can you please print logs in your policy rule to see whether the request is even reaching the policy?

It is printing. I already shared it with you via chat; please have a look at it. It captured only one role even though I submitted a request for two roles.