Inclusion of Entitlements/APs assigned via Role in Campaigns

Identity Security Cloud (ISC) ISC Discussion and Questions
, ,
1

I was recently trying out the following scenario

Role has the following Access Profiles
Access Profile A
Access Profile B
Access Profile C

I assigned a user this role via access request (the role has no membership criteria). I then created an access item certification campaign for Access Profile B. The user is not included in this campaign, assuming because the access profile is assigned by the role?

Is this by design? If so, this is kind of disappointing because we have access that must be reviewed periodically, but we also want to be able to include that access as part of a role so that users can request a single bundle of access.

Any others with this experience?

2

Hi @mcheek ,
Greetings of the Day!

I strongly agree with you because it will causes many vulnerability to the organization please submit your idea on ideas portal

Thank You

3

We faced similar situation where we had a requirement to have a fine gain control over the entitlements included in the access profiles along with the said access profiles.

If the Certifier removes the individual access item, then do user really have that Access? SailPoint will need to remove the grouping of access and assign them remaining access items.

4

Did you get anywhere with the how to create your certification? I have the same issue.

5

We have to include any roles that include the entitlement in that certification