I am unable to add entitlements to IT role

I am concerned with IdentityIQ 8.4

These are my entitlements from the entitlement catalog, but I am unable to add them to an IT role.

Is there any other configuration needed to add the entitlements?

Hi @AshuGole,

Welcome to the SailPoint Developer Community. Regarding your use case: after looking at the screenshots, I can see that the entitlements do not have an entitlement owner value. It is required to make the entitlements available in the IT role configuration. Kindly assign these entitlements their owner. Also verify that the entitlements are defined with the correct entitlement type.

Hi @AshuGole

Welcome to the SailPoint Developer Community.

I just validated this from my side on IIQ 8.4.

You need to start typing text in the select entitlement box, and then the entitlements will start to appear, or click the dropdown link on the right side.

I tried, but it won’t work for me.
This is happening for all applications, whether an owner is available or not.

It is also not working when typing 3 letters in the select entitlement box.

Hi @AshuGole ,

Make sure in the application account schema that the attribute “group” has the “multi-valued” check activated and the “entitlement” check as well.

In my setup:

memberof is type String with properties: managed, entitlement, multi-valued

managed

Selecting this property makes the groups be listed under the Entitlement Catalog.

entitlement

This property makes the group an entitlement (access right) and makes it available for IT roles under the entitlement section.

Marking an attribute as an entitlement indicates that this is an access right.

Multi-valued

“Multi-valued” refers to an attribute that can hold more than one value.

Document reference: propertiesofattributes

Small note: after attribute property changes, re-aggregate the data.

Hi @AshuGole , Can you check if these are defined inside the schema:

For objectType-account -
image

For objectType - Group-
image

Hello,
As you said my schema is already correct.

For objectType-account -
image

For objectType - Group-
image

Hi @AshuGole

Could you please share the complete schema page configuration, which will help us understand better.

Key configurations in my setup: in particular, the memberof Type is String, and I have the Groups attribute set as Type group.
(Note: it depends on how the schema is defined in Active Directory; there are multiple ways to configure it.)

Object Type: account

Native Object Type: user
Identity Attribute: distinguishedName
Display Name: sAMAccountName

Key attribute details:

| Attribute    | Type   | Properties                       |
|--------------|--------|----------------------------------|
| Groups       | group  | multi-valued                     |
| object class | String | multi-valued                     |
| memberof     | String | managed,entitlement,multi-valued |

Object Type: group

Native Object Type: group
Identity Attribute: distinguishedName
Display Name: sAMAccountName
Description Attribute: description
Group Hierarchy Attribute: memberof
Group Membership Attribute: member
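
The property check described in the replies above (memberof marked managed, entitlement and multi-valued on the account schema), as an added example that is not part of any post in this thread, written as a Python check over an exported Application XML. The sample XML is constructed, `missing_flags` is a hypothetical helper, and the XML attribute names `managed`, `entitlement` and `multi` are assumed to match your own IdentityIQ export.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like an exported Application object (not from the thread).
# The XML attribute names are assumptions; compare them with your own export.
SAMPLE_APP_XML = """
<Application name="AD-Sample">
  <Schemas>
    <Schema objectType="account" nativeObjectType="user"
            identityAttribute="distinguishedName" displayAttribute="sAMAccountName">
      <AttributeDefinition name="objectClass" type="string" multi="true"/>
      <AttributeDefinition name="memberOf" type="string"
                           managed="true" entitlement="true" multi="true"/>
      <AttributeDefinition name="department" type="string" entitlement="true"/>
    </Schema>
    <Schema objectType="group" nativeObjectType="group"
            identityAttribute="distinguishedName" displayAttribute="sAMAccountName"/>
  </Schemas>
</Application>
"""

REQUIRED = ("managed", "entitlement", "multi")  # the three properties named in the thread
NOT_FOUND = "<attribute not in account schema>"


def missing_flags(app_xml, attr_names):
    """Map each attribute name to the required properties it lacks on the account schema."""
    root = ET.fromstring(app_xml)
    schema = root.find(".//Schema[@objectType='account']")
    if schema is None:
        raise ValueError("no account schema in Application XML")
    # Match names case-insensitively: the thread writes "memberof", AD exports "memberOf".
    defs = {a.get("name", "").lower(): a for a in schema.findall("AttributeDefinition")}
    report = {}
    for name in attr_names:
        node = defs.get(name.lower())
        if node is None:
            report[name] = [NOT_FOUND]
        else:
            report[name] = [f for f in REQUIRED if node.get(f, "false").lower() != "true"]
    return report


if __name__ == "__main__":
    for attr, missing in missing_flags(SAMPLE_APP_XML, ["memberof", "department", "groups"]).items():
        print(f"{attr}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

A clean report covers the schema definition only; as noted in the thread, property changes show up after the data is re-aggregated.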

Hello @AshuGole Did you run the account aggregation task with the ‘Promote Managed Attributes’ option selected?

2 Likes

SailPoint IdentityIQ - Edit Application Active Directory - AG.pdf (297.9 KB)
My whole schema is in this PDF; you can review it.

1 Like

@AshuGole you can configure the memberof attribute as managed, entitlement, and multi-valued. After that, run the group aggregation, then attempt to add the entitlement.

Hi @AshuGole

Thanks for sharing the complete schema configuration. Sorry to keep asking for additional details.

I would like to see the Active Directory schema for a sample account and a sample group.

The best practice is to explore incrementally: configure one by one as explained below.

Step 1: Just configure the account schema and validate the data.

Aggregate the account data, then validate it. Before moving to Step 2, make sure everything is good up to this point.

Here itself, you can validate your scenario of adding entitlements to an IT role.

Step 2: In addition to the account schema, configure the group schema without Child Hierarchy.

Aggregate the account data and group data and validate them. Make sure everything is good up to this point before exploring nested groups (child hierarchy).

Step 3: Configure Child Hierarchy.

Hello,
I tried this too, but I am still facing the same issue.

Hello Pattabhi,
I have configured the account configuration and the group configuration, and everything works fine.
I can see the entitlements in the Identity Warehouse.

I also noticed this is not just an issue with the AD application: my JDBC and Web Service application entitlements are also not visible for adding to IT roles, even though they are requestable.

This link might help you: How entitlements are added to the entitlement catalog in SailPoint IIQ | by Surbhi Ramuka | Medium

1 Like

Just for kicks, can you run a Full Text Index?

Hi @AshuGole

As mentioned by @ryan_toornburg

Please check the solution in the topic below for Full Text Index.

Full Text Index Refresh

Hello,

I have tried running the Full Text Index Refresh task, but it doesn’t work for me.