Is it possible to order the entitlement assignments?

Hi

I have 2 types of entitlements for my Web Service source, ‘groups’ and ‘roles’.

I have set addRemoveEntInSingleReq to false so that they are added one at a time (limitation in source we provision to).

I now found another limitation, where I need to add ‘groups’ first, before I add ‘roles’.

If my Access Profile has 2 groups plus 2 roles, can I get ISC to always add the 2 group entitlements first, before it adds the roles entitlements? Is there a way to do this?

Or is it random every time?

Thank you!

At present, I do not believe this will work; however, you can consider adding an automated role assignment that is added when both of the entitlements in your access profile are present. This role will be added AFTER the access profile assignment on the next identity processing.


@jrossicare I’ve had this problem myself in the past, and unfortunately, there’s no way around this.

Currently there is no way to enforce a specific order such as provisioning ‘groups’ before ‘roles’ (as in your case) within SailPoint ISC. Even though you’ve set addRemoveEntInSingleReq to false to ensure entitlements are added individually, the tool doesn’t give us control over the sequence in which those individual entitlement operations are provisioned.

When an “Add Entitlement” operation is triggered, either via Access Request or criteria-based roles, SailPoint ISC generates an account request containing multiple attribute requests for both groups and roles in your case. These attribute requests are processed in an asynchronous order, meaning they can vary from one provisioning event to another.

So yes, the order is ideally random, and there’s no built-in mechanism to prioritize one type of entitlement over another during provisioning.
