In ISC, I see that the roles are now allowing us to assign the IdentityNow user levels as entitlements - such as ORG_ADMIN, SOURCE_ADMIN, ROLE_ADMIN, REPORT_ADMIN, HELPDESK, CERT_ADMIN etc.
I’m assuming we can now create requestable roles on ISC with these entitlements so that the identity user levels can be assigned to end users upon request, which eliminates the need for a loopback connector. At least, this is what I deduce from it.
However, when assigned the ISC role with “HELPDESK” selected as underlying entitlement to an identity, the role and entitlements are assigned, but the “USER LEVELS” field on the identity details still remains blank.
Isn’t the “USER LEVELS” supposed to be auto updated based on a user having above ISC user levels as entitlements?
Attaching screenshots for the same:
ISC User Levels available as Role Entitlements - where the ISC user levels are available to be configured within roles
Role Assigned to Identity - Assigned role to identity both using membership/upon manual request
Entitlement assigned to Identity - Entitlement also is assigned onto the identity and source automatically appears as IdentityNow as these entitlements are for IdentityNow user levels OOTB
User level blank - In spite of the identity having the corresponding entitlement, the “USER LEVELS” field is still blank (also performed single identity refresh upon the identity & process identity)
What I have noticed is that the Admin level access assigned to an identity gets overwritten by the entitlements assigned via Roles, i.e., if an identity with ORG_ADMIN access is assigned the “Helpdesk” entitlement via a Role, then the identity loses the ORG_ADMIN accesses.
@iamology, in my case, I’m seeing that the user levels are not being assigned at all in the first place. What I have done in the screenshots above is assign the Helpdesk role to an end user who does not have any ISC user levels at all.
Even then, once the role that I created got assigned to the identity, I do not see “User Levels” on the identity details getting updated, or, on the identity, when I click on “Actions” > “Set User Levels”, I do not see any user level assigned to the identity.
@oliver_goebel2, unfortunately, the IDN loopback connector is not an option here for us; instead we’re looking for the OOTB option that SailPoint is providing for the user levels to be assigned via roles directly.
@iamology yes, that’s right. Once the role with the IdentityNow user level containing the corresponding entitlement is assigned to an identity, I can see it on the default IdentityNow source under accounts.
But the issue I’m seeing here is more towards the IdentityNow user level entitlements assigned via roles not being reflected on the identity details tab of the identity under “USER LEVELS”. Apparently, unless this field is auto updated, the identity technically does not have a user level tagged to them.
I think this issue arose from the need to assign roles in NERM. You can check this article, maybe the connector will solve your problem. I am in the implementation stage to see if it works.
Thanks @GilbertoOledo14
I’ve tried and tested the NERM Users integration with ISC separately using Web Services connector and it is achievable that way.
But this post was created to understand the issue with the ISC User Levels, which can be assigned as entitlements directly onto ISC roles but which doesn’t seem to work currently.