Is there a way to filter out unwanted entitlements from a certification campaign?

I have a business requirement where I want to run an access review campaign on an identity. The campaign is working correctly, but I did notice that some of the items I am certifying on the identity are backend entitlements (e.g. printer) that we don’t want included in the campaign.
I understand I can manually remove the items I don’t want included in the campaign by selecting them when configuring the campaign, but imagine doing this for 500 identities; that’s a lot of manual tasks.

Is there a way I can filter out these entitlements that does not involve a manual process before I start the campaign?

OR

Is there a search filter/query I can use to filter out the unwanted entitlements?

WHAT I HAVE DONE

I have tried removing the unwanted entitlements manually when configuring the campaign, but imagine doing this for 200 users; that’s a pain and a lot of manual tasks.

I have also tried writing a search filter to exclude the unwanted entitlements, but it doesn’t seem to be working (it shows the identity and all the entitlements, but I am not sure how to exclude the ones I don’t want).

Any help here will be highly appreciated.

@skillz007 When I was new to ISC, I had a requirement to certify around 2,000+ identities. The challenge was that the campaign needed to exclude certain groups, but the standard options like filters and tags did not work as expected.

Approach I Took:

  1. Triggered the campaign in preview mode.

  2. Developed a PowerShell module that fetched campaign items via API and iterated through them.

    • For items containing unwanted entitlements, I reassigned them to a designated service identity.

  3. The module then launched the campaign and automatically approved the excluded entitlements with a standard comment.

Outcome:

  • Reviewers only saw relevant items in the campaign.

  • Maintained auditability by documenting the automated approval process.

Thanks for this @abhinav. I will give that a go as a second option if the OOTB campaign filters do not work as intended.

Hello;

We resolved similar requirements by using metadata on the concerned entitlements and then excluding them.

We created a metadata called technical and defined the value yes. Then for all concerned entitlements we add this metadata with the value yes, and in your campaign access search query a filter like

(NOT @accessModelMetadata(key:\"technical\" && value:\"yes\"))

will exclude those entitlements.

@skillz007 have tried to tag them and trigger a search-based access campaign. It works and filters out only those entitlements which are necessary.

Tags would work if you are directly querying access items. In this case, @skillz007 needs to filter entitlements after querying identities.

Another consideration:

  1. Extract unwanted entitlements (manually, through search query, etc)
  2. Create an exclusion campaign filter: create-campaign-filter | SailPoint Developer Community
    1. If there are a high number of entitlements, consider dumping them in an Excel file and creating a Ruby script / PowerShell script to call the API and programmatically create / update the campaign filter
  3. Apply the campaign filter on the identity campaign
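
The scripted part of step 2 in the last reply could start like this. It is an added Ruby example, not code from the thread or from SailPoint, and it only builds the request body without calling any API. The sample export, the filter name and the body's field names (`mode`, `criteriaList`, `type`, `property`, `operation`, `value`) are assumptions to check against the create-campaign-filter reference.

```ruby
require 'json'

# Constructed sample: "source,entitlement" rows as exported from a spreadsheet.
# Simple split on the first comma; quoted CSV fields are not handled.
SAMPLE_EXPORT = <<~ROWS
  source,entitlement
  Active Directory,Printer-Floor2
  Active Directory, Printer-Floor2
  Active Directory,
  Active Directory,Printer-Lobby
ROWS

# Returns the unique, trimmed entitlement names from the export.
# Blank cells are dropped so an empty value never becomes a filter criterion.
def unwanted_entitlements(export_text)
  export_text.lines.drop(1) # skip the header row
             .map { |line| line.chomp.split(',', 2)[1].to_s.strip }
             .reject(&:empty?)
             .uniq
end

# Builds the body for an exclusion campaign filter, one criterion per entitlement.
# ASSUMPTION: the field names and enum values below are not given in the thread;
# confirm them in the create-campaign-filter documentation before sending.
def exclusion_filter_body(name, entitlements)
  raise ArgumentError, 'no entitlements to exclude' if entitlements.empty?

  {
    name: name,
    description: "Excludes #{entitlements.size} backend entitlements from review",
    mode: 'EXCLUSION',
    criteriaList: entitlements.map do |ent|
      { type: 'ENTITLEMENT', property: 'name', operation: 'EQUALS', value: ent }
    end
  }
end

if __FILE__ == $PROGRAM_NAME
  names = unwanted_entitlements(SAMPLE_EXPORT)
  # Print the body for review before it is sent to the tenant.
  puts JSON.pretty_generate(exclusion_filter_body('Exclude backend entitlements', names))
end
```

Keeping the generated body in version control alongside the export gives auditors a record of exactly which entitlements were excluded from review.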