Inclusion of Entitlements/APs assigned via Role in Campaigns

I was recently trying out the following scenario:

Role has the following Access Profiles
Access Profile A
Access Profile B
Access Profile C

I assigned a user this role via access request (the role has no membership criteria). I then created an access item certification campaign for Access Profile B. The user is not included in this campaign, I assume because the access profile is assigned by the role?

Is this by design? If so, this is kind of disappointing because we have access that must be reviewed periodically, but we also want to be able to include that access as part of a role so that users can request a single bundle of access.

Any others with this experience?

Hi @mcheek ,
Greetings of the Day!

I strongly agree with you because it will cause many vulnerabilities to the organization. Please submit your idea on the ideas portal.

Thank You

We faced a similar situation where we had a requirement to have fine-grained control over the entitlements included in the access profiles along with the said access profiles.

If the Certifier removes the individual access item, then does the user really have that access? SailPoint will need to remove the grouping of access and assign them the remaining access items.

Did you get anywhere with how to create your certification? I have the same issue.

We have to include any roles that include the entitlement in that certification.


I am interested to see if @SarahKhan wanted to weigh in on this and tell us whether or not this is supposed to be happening.


@mcheek Agreed, it’s causing a major issue when users get access from an access request. Will wait to see if there are any replies for this issue.

Thanks,
Shantha Kumar


Is this in the official documentation?

It seems like a pretty important thing to point out, when people are designing their ISC solution.