Issue in Designing Location-based Access Profile where each Location has different approvers but same entitlements

Please consider addressing the following when creating your topic:

  • What have you tried? –> Tried creating Access Profiles suffixed with the location code, which is causing an issue for us when it comes to certification campaigns, since all other Access Profiles are getting detected with identity refresh and causing unnecessary certification items to all location approvers.
  • What errors did you face (share screenshots)? Multiple cert items since entitlements are the same in all access profiles.
  • Share the details of your efforts (code / search query, workflow json etc.)? It's an Access Profile setup.
  • What is the result you are getting and what were you expecting? We want to have the certification pull only the Access Profile requested by the user. Or a way to design such Access Profiles where the location would be different but the access will be the same, with different approvers for each location.

I think if an identity has all of the entitlements for an AP it will automatically be assigned that AP. You could create a dummy entitlement that is also location based to differentiate them.

Sorry, to be more accurate, you can create a dummy entitlement for each access profile, so for example Access Profile Location A contains the normal entitlements plus a dummy entitlement called Location A, and Access Profile Location B contains a dummy entitlement called Location B, and so on. Then you assign the entitlements to the appropriate users, and they should only have the appropriate access profile assigned to their identity.

@Vincent Kashat Thank you so much for the response. However, could you please give an example of how to create a dummy entitlement? I am still unable to understand how this will resolve our issue.

@Chaitanyapk If this is one entitlement, how would you redirect it for approvals?
Is your plan to create multiple Access Profiles for the same entitlement and then redirect approvals?

I am using Access Profile for different approvers redirection. Yes, entitlement is same.

@Chaitanyapk Why don’t you try creating roles instead of access profiles?

You can create a flat file source, add accounts for each user, and create entitlements that are location specific and assign them to the appropriate users. Then add the location specific entitlements to the access profiles. Because the access profiles now don’t have all the same entitlements, each user will only have the one that is appropriate to their location.

Hi @vkashat Not sure you can have access profiles containing entitlements from different sources.

@j_place You are right, we can create access profiles with the entitlements of one source.

But I believe @vkashat's idea would be to trigger a role and provision the entitlement based on the access profile from the CSV source.

Thanks @kompala

There are 2 ways to go here, either the Role way or the Dummy Entitlement way.

@vkashat offered the Dummy Entitlement way, which is Access Profile based. The Dummy Entitlement in that case should be on the same source as the other entitlements, not a flat file source as they have described, for the reason I mentioned; i.e. that you can’t combine Entitlements from different Sources in an Access Profile.

As for the Role route, the problem with that is that the Role would have to be requestable and pre-populated with the assigned identities, otherwise you would not be able to revoke during Certification.

The best and most direct approach would be to use Roles, since @Chaitanyapk also wants to do recertification. This will allow approvals to be defined as required. He can add this role to the existing users before enabling approvals.

Hi @Chaitanyapk ,

Access profiles will be picked up if the identity matches the criteria of the assignment entitlements bundled in them.

In our case we achieved it through putting one more location specific entitlement as it was feasible for the source team to have the entitlement created in the source.

If your source cannot have additional profiles, create a role with an additional access profile in a delimited source ensuring no approval required/Manual tasks generates for the same and encode it in a role along with the required access profile.

Hope this helps.

Kind regards,

Aayush

Doh, good point, sorry. @Chaitanyapk what kind of source is the original source? Can you create entitlements on it? If it’s not possible to create dummy entitlements on the original source, the approach with roles others have mentioned would be good, provided you make sure you follow @j_place's advice.
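
Added example (not part of any post in this thread, and not SailPoint code or API): a small Python model of the behaviour the replies describe, where an access profile is detected once an identity holds every entitlement in its bundle, and where all entitlements in a profile must come from one source. The source name, profile names, approver names and entitlement names are constructed for illustration.

```python
# Constructed model of the detection behaviour described in the thread.
from dataclasses import dataclass

@dataclass(frozen=True)
class Entitlement:
    source: str
    name: str

@dataclass(frozen=True)
class AccessProfile:
    name: str
    approver: str
    entitlements: frozenset

    def __post_init__(self):
        # Constraint raised in the thread: one access profile, one source.
        sources = {e.source for e in self.entitlements}
        if len(sources) != 1:
            raise ValueError(f"{self.name}: entitlements span sources {sorted(sources)}")

def detected_profiles(held, profiles):
    """Names of profiles whose full entitlement bundle the identity holds."""
    return sorted(p.name for p in profiles if p.entitlements <= held)

SRC = "AppSource"  # hypothetical source name
BASE = frozenset({Entitlement(SRC, "Read"), Entitlement(SRC, "Write")})
LOCATIONS = {"A": "approver_a", "B": "approver_b", "C": "approver_c"}

def build(with_marker):
    """One profile per location; optionally add a location-specific entitlement."""
    profiles = []
    for loc, approver in LOCATIONS.items():
        ents = set(BASE)
        if with_marker:
            ents.add(Entitlement(SRC, f"Location {loc}"))
        profiles.append(AccessProfile(f"App Access - {loc}", approver, frozenset(ents)))
    return profiles

# A user at location A, before and after the marker entitlement is introduced.
before = detected_profiles(BASE, build(False))
after = detected_profiles(BASE | {Entitlement(SRC, "Location A")}, build(True))

if __name__ == "__main__":
    print("identical bundles ->", before)    # every location's profile matches
    print("with location marker ->", after)  # only the user's own location matches
```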
