Manage more than one account from the same source

Hello guys,

I have a scenario where I need to manage more than one account for the same system.
It is a privileged account management scenario. We currently do not manage privileged accounts by nominal identities, but rather by systemic identities, that is, it is an identity used by more than one person.
Because of this, this identity must be linked to many accounts from the same source.

I know that SailPoint does not support this model for account creation scenarios. Can you tell me if it would be a supported scenario for removing/adding access and certification?

Hi Matheus,

SailPoint has recently added the capability to manage multiple accounts on a source. Please review this capability and see if it fits your scenario.

Thanks.

For adding new accesses, it works.
However, I tested removing access for an identity that has two accounts from the same source, and requested the removal of an entitlement that is common between the two accounts. The entitlement was only removed from one account.

I understand that this feature only works for access requests, and not for removing accesses.

I also wonder how the visualization would look in an access certification in scenarios where there is common access for many accounts. I believe that ISC is not yet able to manage multiple accounts from the same system.

Anyway, thanks a lot for the information. I have answers to my questions in this post.

We’re still experiencing issues with entitlement revocation in the multi-account scenario. SailPoint has confirmed that the necessary functionality isn’t expected to be released until May. In the meantime, we’ve run into several challenges removing entitlements from accounts that exist in multiple sources. The “Revoke” option under Entitlements in the UI hasn’t worked consistently. Sometimes a certification removes the access successfully, sometimes it doesn’t. In some cases, revoking access directly from the target and aggregating works, but other times it fails as well. Needless to say, we’re eagerly awaiting the May update.

“Feature” is piecemeal… there have been other instances of features that don’t cover the full range of use cases / lifecycle of those objects. This isn’t specifically a SailPoint-specific thing, unfortunately. It’s “agile”, for better or for worse.

Something to consider in the grand scheme of things, again, not necessarily SailPoint / ISC-specific. It’s an individual’s view / perspective, interesting discussion (take it with some salt in mind):
