IDN: Source Entitlement filtering only sometimes works?

I do not agree with your statement "This is for visibility into who has access, and what they have access to, so that it can be remediated via certification campaigns if necessary. If account aggregations honored the entitlement filter then this would break the visibility and governance feature of identity access because the source would be giving access to accounts that IDN can not see or govern."

For example:

Azure Active Directory:

  • On-premise Active Directory groups are replicated into Azure Active Directory. This is a very standard operation that I would expect near 100% of companies using AAD do.
  • These groups are read-only in Azure AD. They cannot be changed in Azure Active Directory (because they are mastered in Active Directory).
  • However, SailPoint considers these read-only replicated groups as entitlements on the Azure Active Directory Source.

A certification campaign involving the AAD source CANNOT remediate these entitlements, as they are not actually mastered in the source SailPoint is listing them on. They are read-only on the AAD Source, and I am actively trying to use entitlement filtering to exclude them. Only a certification campaign involving the AD source can remediate these entitlements.

It sounds like IDN is simply assuming that any entitlement coming from a source is authoritatively managed there.

This is unfortunately not true, and I was trying to use entitlement filters to help correct this, but it doesn't sound like it's possible?
