Let's say a multi-forest Active Directory connector has 2 forests for accounts and 1 forest for groups. When requesting entitlements (not Access Profiles or Roles) from “Request Center” to the subjected source, how can I tell ISC/SailPoint to provision to the main account, which could be in either of the 2 forests with accounts depending on an identity attribute?
Hey Amar!
I don’t believe there is an easy way to do this currently. Entitlement requests have gotten a lot of changes recently, but unfortunately they do not currently have the multiple account options like Access Profiles.
IDN in general isn’t great at handling identities that have multiple accounts in one source.
The two options I can think of to help with this would be to either switch to using Access Profiles for access requests, or create a second AD source to filter on each account.
Switching to Access Profiles for these types of requests will let you use the Multiple Account Options to help determine which account to provision the access to.
Creating a second source would essentially split the accounts that the users have into 2 separate sources. For example, if users have a domainA and a domainB account, one connector will just look for the domainA accounts and the other would look for the domainB accounts, so users only have one account on each source. This would duplicate the entitlements in the entitlement catalog, but it would allow you to just make the domainA groups provisioned to the domainA accounts. It is fairly common to have multiple sources to support users having multiple accounts (we have 3 ourselves) in order to only have one account from a source linked to an identity, but it can get a bit messy.
Here are some other topics regarding having multiple AD sources that may be helpful.
Please let me know if this helps!
- Zach
Hi Zach,
Appreciate your detailed insight. What you described is the exact issue: duplication of entitlements when using two different sources. Since the account selector in access profiles only works in the case of automated provisioning, not “Request Center”, I had to drop that.
The attempt to use segments to split the users' visibility in Request Center hit a limitation, as segments in ISC only filter access items for the requester, but not for recipients like the Quicklink populations in IIQ. Perhaps going with the limitation of segments is my best bet. Thank you.
The solution finalized was to have two different sources with entitlements duplicated, as @zachm117 mentioned above. Event Triggers can be used to auto deny/approve an approval request in case the account was selected incorrectly due to the duplication in entitlements. Segments were used to limit the visibility of entitlements, but segments only apply to requesters, not recipients: Access Segmentation for Beneficiary | SailPoint Ideas Portal