Hi everyone,
I’m working on a use case in SailPoint Identity Security Cloud (ISC) involving role-based provisioning where each role contains Active Directory groups as entitlements for different applications.
In our environment, most AD groups grant full application access. However, for about 10 applications, in addition to automatic AD group provisioning, additional manual fulfillment steps are required within the target application.
Here’s the goal:
When a role containing any AD groups related to any of the 10 applications is provisioned, I’d like ISC to automatically create a ServiceNow ticket for those manual fulfillment tasks.
I’m evaluating two possible approaches and would appreciate the community’s guidance on the best solution design:
- Using the SailPoint Service Desk integration for ISC:
  - Can the Service Desk module detect a specific entitlement within a birthright role and automatically generate a ticket in ServiceNow when that entitlement is provisioned?
  - If yes, how should the configuration be structured? (For example, should each of the entitlements be mapped separately to a Service Desk ticket assignment group?)
- Using a workflow triggered after provisioning:
  - After role provisioning completes, the workflow would check the provisioning plan, identify whether any of the entitlements related to any of the 10 applications are present, and then call the ServiceNow API to create the ticket.
I’d like to know if anyone has implemented something similar and can share best practices (for example, using a custom “After Provisioning” trigger, REST call to ServiceNow, etc.).
Ultimately, I’d like ISC to handle both automation and ticket tracking efficiently without manual intervention.
Any architectural suggestions, sample configurations, or examples from similar implementations would be greatly appreciated!
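An added example, not code from SailPoint, ServiceNow, or the original post, of the second approach: a post-provisioning check that looks through the completed provisioning result for the watched AD groups and builds one ServiceNow Table API ticket per assignment group. The payload field names (`trackingNumber`, `recipient`, `accountRequests[].source.name`, `provisioningResult`, `attributeRequests[].operation/attributeValue`) follow the shape of the ISC Provisioning Completed trigger as I understand it and are an assumption to verify against your tenant; the watch list, DNs, assignment groups and sample event are all constructed.

```python
"""Decide from a provisioning-completed event whether any watched AD group was
successfully added, and build ServiceNow ticket bodies for the manual steps.
Added example; the event shape and all names below are assumptions."""
import base64
import json
import urllib.request
from typing import Any, Dict, List, Tuple

# Constructed watch list: (source name, group value as it appears in the
# attribute request) -> ServiceNow assignment group that does the manual work.
MANUAL_FULFILLMENT_GROUPS: Dict[Tuple[str, str], str] = {
    ("Active Directory", "CN=App1-Users,OU=Groups,DC=example,DC=com"): "App1 Support",
    ("Active Directory", "CN=App2-Admins,OU=Groups,DC=example,DC=com"): "App2 Support",
    ("Active Directory", "CN=App2-Users,OU=Groups,DC=example,DC=com"): "App2 Support",
}


def find_manual_entitlements(event: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return the watched groups that were successfully added in this event.

    Only successful 'Add' operations count: a failed or pending group add must
    not open a fulfillment ticket, and a 'Remove' is a different process.
    Duplicates (the same group in two account requests) are collapsed.
    """
    found: List[Dict[str, str]] = []
    seen = set()
    for req in event.get("accountRequests", []):
        if req.get("provisioningResult") != "SUCCESS":  # assumed result value
            continue
        source = (req.get("source") or {}).get("name", "")
        for attr in req.get("attributeRequests", []):
            if attr.get("operation") != "Add":
                continue
            key = (source, attr.get("attributeValue", ""))
            if key in MANUAL_FULFILLMENT_GROUPS and key not in seen:
                seen.add(key)
                found.append({"source": source, "group": key[1],
                              "assignment_group": MANUAL_FULFILLMENT_GROUPS[key]})
    return found


def build_servicenow_tickets(event: Dict[str, Any],
                             matches: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Group matches by assignment group and build one Table API body each.

    correlation_id carries the ISC tracking number so a re-delivered event can
    be detected (query the table for the same correlation_id before posting).
    """
    by_group: Dict[str, List[str]] = {}
    for m in matches:
        by_group.setdefault(m["assignment_group"], []).append(m["group"])
    recipient = (event.get("recipient") or {}).get("name", "unknown")
    tracking = event.get("trackingNumber", "")
    tickets = []
    for group, dns in sorted(by_group.items()):
        tickets.append({
            "short_description": f"Manual fulfillment for {recipient} ({len(dns)} entitlement(s))",
            "description": "ISC provisioned the following AD groups; complete the "
                           "in-application steps:\n" + "\n".join(dns),
            "assignment_group": group,
            "correlation_id": f"{tracking}:{group}",
        })
    return tickets


def create_ticket(instance_url: str, table: str, body: Dict[str, str],
                  user: str, password: str, timeout: int = 15) -> Dict[str, Any]:
    """POST one ticket to the ServiceNow Table API (/api/now/table/<table>).

    Basic auth is used for brevity; credentials should come from a secret
    store, not from configuration checked into the workflow definition.
    """
    url = f"{instance_url.rstrip('/')}/api/now/table/{table}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["result"]


# Constructed sample event: two watched groups added successfully, one
# unrelated group, one removal, and one failed add that must be ignored.
SAMPLE_EVENT: Dict[str, Any] = {
    "trackingNumber": "tn-0001",
    "recipient": {"name": "jdoe"},
    "accountRequests": [
        {"source": {"name": "Active Directory"}, "provisioningResult": "SUCCESS",
         "attributeRequests": [
             {"operation": "Add", "attributeName": "memberOf",
              "attributeValue": "CN=App1-Users,OU=Groups,DC=example,DC=com"},
             {"operation": "Add", "attributeName": "memberOf",
              "attributeValue": "CN=Finance-Readers,OU=Groups,DC=example,DC=com"},
             {"operation": "Add", "attributeName": "memberOf",
              "attributeValue": "CN=App2-Users,OU=Groups,DC=example,DC=com"},
             {"operation": "Remove", "attributeName": "memberOf",
              "attributeValue": "CN=App2-Admins,OU=Groups,DC=example,DC=com"}]},
        {"source": {"name": "Active Directory"}, "provisioningResult": "FAILED",
         "attributeRequests": [
             {"operation": "Add", "attributeName": "memberOf",
              "attributeValue": "CN=App2-Admins,OU=Groups,DC=example,DC=com"}]},
    ],
}

if __name__ == "__main__":
    hits = find_manual_entitlements(SAMPLE_EVENT)
    for ticket in build_servicenow_tickets(SAMPLE_EVENT, hits):
        print(json.dumps(ticket, indent=2))  # create_ticket(...) would send it
```

Grouping by assignment group answers the "one ticket per entitlement or per team" question in code: a role that adds two groups owned by the same support team produces one ticket listing both, while groups owned by different teams produce separate tickets, each tied back to the ISC tracking number through `correlation_id`.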
