How to create an entitlement relationship / hierarchy or permissions

I have an internal application that has two entitlements, the name of the application and the permissions / scopes within the application. For provisioning this is not an issue, but for access certification I want to show the relationship between them (and even in the UI, if possible, to see the application permissions). I have been looking for documentation on how to do this, but the documentation is limited and there are no examples at all. I have been looking at the hierarchyattribute in the entitlement definition, but no luck so far on how to include permissions and how they represent themselves. Has anybody had any luck doing this kind of entitlement relationship? Any help is appreciated.

You might have to explain a bit more because I am not sure I am following.

When you refer to an “application” do you mean a Source?

On this part do you mean entitlement types? Or literally 2 entitlements?

the name of the application and the permissions / scopes within the application.

So basically it is an “entitlement” database that needs to be managed, which holds the name of the application (internal to the company, not SailPoint related) and the permissions and scopes. So I set up two entitlement types, one for the application(s) the user has access to, and then the related permissions / scopes are a separate entitlement type.

The Web Services Connector would make an API call like this:

"permissions": [
  {
    "name": "string",
    "scopes": [
      "string"
    ]
  }
]

So, as I said, from a provisioning perspective it is not an issue, but it will not show the relationship in this setup. Thanks for your help. Hope this clarifies it.

Hi @pdegraaffiam,
Basically, this is single entitlement data, which contains two attributes, name and scope. There are specific combinations of name and scope, and you want to tell the combination to IDN. Instead of creating two entitlement types, create a single entitlement type, and in the entitlement schema, mention these two attributes, name and scope. In addition to these two attributes in the entitlement schema, create one more attribute (any name, e.g. name:scope) in a particular format. This contains both the name and the scope value in a particular format. This way the combination can be maintained in IDN.

Regards,
kanibharathi M

Sorry for the delayed response but I tried what you suggested and created an attribute that captures both values. Here is what I defined:

  1. In the account schema: name-scope as entitlement and multivalued
  2. In the response mapping for the name-scope to parse the JSON:
    $..['name', 'scopes']
  3. The output I get in SailPoint is like this:
    {"name":"HD","scopes":"1173:U"}

Any thoughts on what I am doing wrong? I use the default group entitlement and have no attributes defined on the group entitlement. Thanks for any guidance.

  1. In the entitlement schema, create a new attribute “name-scope” and attach a rule in entitlement aggregation to aggregate this entitlement data into “name-scope”.
  2. In the response mapping of the entitlement aggregation, the “name-scope” value from the rule will be passed here.
  3. The output will be “name value-scope value”.

Use a custom attribute called “name-scope” in your entitlement schema. Set up an aggregation rule that populates this with hierarchy values like “L1-Finance”, “L2-Finance-Reports”, and “L3-Finance-Reports-Create”.

This lets you query by hierarchy level, shows the structure in the UI, and works with access request processes.

For parent-child relationships, use the “owner” attribute. For metadata, the description field works well when parsed during certifications or access requests.

Just keep your naming consistent and make sure aggregation rules maintain these relationships over time.
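The two answers above describe the same transformation: take the connector's "permissions" array (an application name plus a list of scopes), emit one combined "name-scope" value per pair, and label the values so the application sits above its scopes in a hierarchy with an owner (parent) reference. The following Python is an added illustration of that logic, not SailPoint code and not a BeanShell aggregation rule; the sample response, the "L1"/"L2" labels, the "-" separator and the helper names are constructed assumptions for the example.

```python
"""Flatten an application/permission response into combined entitlement
values and build a two-level hierarchy with owner (parent) references.
Added example: constructed data, not SailPoint's own code."""
import json
from typing import Dict, List, Optional

# Constructed sample response in the shape quoted in the thread:
# each permission has an application "name" and a list of "scopes".
SAMPLE_RESPONSE = json.dumps({
    "permissions": [
        {"name": "HD", "scopes": ["1173:U", "1173:R"]},
        {"name": "Finance", "scopes": ["Reports", "Reports-Create"]},
        {"name": "Audit", "scopes": []},   # application with no scopes yet
    ]
})


def flatten_permissions(raw_json: str, sep: str = "-") -> List[str]:
    """Return one 'name<sep>scope' value per (application, scope) pair.

    This is what the suggested aggregation rule would hand to the
    "name-scope" attribute instead of the raw JSON object the JSONPath
    $..['name', 'scopes'] returns.
    """
    data = json.loads(raw_json)
    values: List[str] = []
    for perm in data.get("permissions", []):
        name = perm.get("name")
        if not name:
            continue  # malformed entry: never emit a "None-..." entitlement
        for scope in perm.get("scopes") or []:
            values.append(f"{name}{sep}{scope}")
    return values


def build_hierarchy(raw_json: str, sep: str = "-") -> Dict[str, Dict[str, Optional[object]]]:
    """Map each hierarchy value to its level, owner (parent) and parts.

    Level 1 ("L1-<app>") is the application; level 2 ("L2-<app>-<scope>")
    is a scope whose owner is the application value. Applications without
    scopes still appear at level 1 so certifications can show them.
    """
    data = json.loads(raw_json)
    entries: Dict[str, Dict[str, Optional[object]]] = {}
    for perm in data.get("permissions", []):
        name = perm.get("name")
        if not name:
            continue
        parent = f"L1{sep}{name}"
        entries[parent] = {"level": 1, "owner": None,
                           "application": name, "scope": None}
        for scope in perm.get("scopes") or []:
            child = f"L2{sep}{name}{sep}{scope}"
            entries[child] = {"level": 2, "owner": parent,
                              "application": name, "scope": scope}
    return entries


def scopes_by_application(raw_json: str) -> Dict[str, List[str]]:
    """Group scopes under their application, the view a certifier needs."""
    grouped: Dict[str, List[str]] = {}
    for entry in build_hierarchy(raw_json).values():
        app = str(entry["application"])
        grouped.setdefault(app, [])
        if entry["scope"] is not None:
            grouped[app].append(str(entry["scope"]))
    return grouped


if __name__ == "__main__":
    print(flatten_permissions(SAMPLE_RESPONSE))
    for value, meta in build_hierarchy(SAMPLE_RESPONSE).items():
        print(value, "->", meta["owner"])
    print(scopes_by_application(SAMPLE_RESPONSE))
```

Note that the combined string is only safe for display and matching: a scope such as "Reports-Create" already contains the separator, so splitting "Finance-Reports-Create" back into its parts is ambiguous. Keeping name and scope as separate attributes on the same entitlement, as suggested earlier in the thread, avoids relying on the separator, and the hierarchy records above keep both parts explicitly for that reason.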

