Hi,
I’ve recently discovered you can run a certification campaign against the IDN assignedGroups attribute (think ORG_ADMIN, CERT_ADMIN, etc.), since these can be found in search via source.name:IdentityNow (indices: ENTITLEMENTS).
I’ve done a test campaign and can confirm these are revoked automatically if triggered.
That got me thinking - why can we not turn these entitlements into access profiles that could then leverage other available parts of the product like approval flows & roles?
I dug around in the UI and there’s no way to include any of these entitlements in an access profile since the source “IdentityNow” is not visible/accessible via UI.
You can create an access profile like this via the beta API (haven’t tested v2) after you fetch the entitlement info via the search endpoint, but as I discovered, this causes https://wise-sb.identitynow.com/ui/admin#admin:access:access-profiles to display a blank page, as https://wise-sb.api.identitynow.com/v2/access-profiles will now return a 500 (I assume because v2 endpoints can’t see/interact with the “IdentityNow” source and get a NULL on the source ID for the newly created access profile).
Should I post this in the ideas portal and has anyone else thought of a solution? It’s a little silly having to use an external ticketing system to manage IDN admin permissions.