Manager Certification not showing entitlements from detected roles

Which IIQ version are you inquiring about?

8.X

While creating a manager/targeted certification for users’ roles/entitlements, only the detected roles are certified, not the entitlements that are part of them.

And it looks like it’s OOTB behaviour, but here’s the thing: one of our clients has them both, so it looks like there is a way to personalize it so that both the detected role and its entitlements are shown.

I’ve checked their System Configs and Cert Definitions, but there’s no rule or any bigger difference between them.

Try to refresh the identity by selecting the two options: ‘Refresh assigned, detected roles and promote additional entitlements’ and ‘Provision assignments’. This will add or remove any missing roles for the identities. Then try the certification again.

> one of our clients has them both

This was a lie, sorry. The test case had 2 accounts in one app that both had this entitlement that was part of a role. After creating a new role with one entitlement, doing a refresh to detect it and creating a cert, the entitlement is not showing anymore.

So the question is, is there any way to enable certification of entitlements that are a part of detected role?

Hi @dominikmisior I’m not aware that you can enable certification of entitlements that are part of a role:

Entitlements are either permissions or specific values for an account attribute, such as group membership. In the context of certifications, entitlements refer to all the entitlements an identity has access to that are not included as part of a role that is assigned to the identity.

From Contents of a Certification: Policies, Roles, and Entitlements

1 Like

Yes. When IIQ runs Identity Refresh with role detection, it compares the identity’s entitlements with the role’s entitlement profile. If the user has those entitlements, the role is automatically detected.

Once detected:

  • The entitlements are grouped under the role
  • They may not appear individually in the certification
  • The reviewer certifies the role, not the underlying entitlements

Also, in certifications:

  • Assigned roles and detected roles appear in the Roles section
  • Entitlements appear only if they are NOT part of a role

So if an entitlement is inside a detected role → it is hidden behind the role.

Hi @dominikmisior

Technically it is not feasible to include entitlements detected from IT roles in Manager certification.
Alternatively, you can achieve this by configuring a Role Composition certification for all or selected IT roles. This typically routes the certification to Role owner or Certification owner, but you can delegate it to Manager using pre-delegation rule in it.

Thanks,
Harsh

Hi @tharshith That is for certifying that the content of the Role is correct, not for Identities to which the Role has been assigned.

Apologies, my bad. It is Role Membership, not Role Composition.

Also, Role Membership certification has direct configuration to assign the access review to Manager, so Pre-delegation rule is also not needed here.

Thanks for correcting me @j_place

1 Like

@dominikmisior Could you please confirm that you are only assigning the entitlements, not the business roles, and how you are assigning the entitlements?

And if any IT role has these entitlements, they should come as detected. Now, you want to certify these entitlements, not the IT Role, correct?

Yes, entitlements are assigned in the normal access request process; later the role that has those entitlements is detected (and only detected, it isn’t assigned by the normal assignment or rule).

Those entitlements are only in this one detected role; no other assigned/detected role has them. What we want is to certify those entitlements separately and not as a whole role, but the option of “both detected role and its entitlements are shown for cert” is also acceptable.

I believe that what Jeremy said is the answer, that it’s just not possible to do it this way, but of course, if you have any suggestions, please kindly share :)

Yes, certifying both roles and entitlements together in a manager certification is technically not feasible.
Instead you can do that with a Role Membership Certification, but you cannot take decisions on individual entitlements detected by the role for a user.

1 Like

@dominikmisior You can try selecting this option: “No automatic detection with profiles unless assigned” in Global Settings → Role Configuration → IT.

This will actually stop detecting the entitlements which are not assigned via Roles. This means that the entitlements which are assigned via access request will remain as entitlements, and you can pull them into the Certification as Additional Entitlements.

Hi @dominikmisior

In SailPoint IdentityIQ, this is the expected OOTB behavior. When a manager or targeted certification is generated, entitlements that are part of a role are not shown separately. IdentityIQ only displays the detected or assigned role, because the entitlements are already bundled within that role.

During certifications, entitlements listed are typically those directly assigned to the identity and not inherited through roles. Therefore, entitlements that come from a detected role will not appear as separate certification items.

If you need those entitlements to appear individually in the certification, they must be assigned directly to the identity or account rather than through a role, or you would need customization in the certification configuration/reporting to expose role-based entitlements.

1 Like

Let me shed some light on that topic by providing some technical insights.

Basically, an entitlement can be assigned to an identity in three different ways (assuming the OOTB role model is used):

  • Direct assignment
  • Assignment through a detected IT role
  • Assignment through a business role

Now, recertifying entitlements that are assigned through a business role doesn’t make sense at all, since the identity refresh task would re-provision the entitlements as the underlying IT role profile is not fully fulfilled. In theory, it would be possible to recertify single entitlements that are assigned through a detected IT role. The outcome of revocation would be that the entitlement is removed from the identity and the IT role would not be detected anymore (whether that makes sense is answered later).

Now, for certain processes, IdentityIQ has to be aware whether or not an entitlement is directly assigned to an identity or indirectly through an IT role / business role. Two examples are:

  • Recertification: As roles represent a bundle of entitlements, OOTB behavior is to only include directly assigned entitlements in a recertification. Indirectly assigned entitlements are recertified through the role.
  • Removal of accesses in the access request process: As you can’t remove entitlements indirectly assigned through a business role, only those entitlements not originating from a role shall be selectable for removal.

Now, how does IdentityIQ figure out that an entitlement is directly assigned or assigned through a role? There are two ways to do that:

  1. The corresponding identity entitlement has a flag grantedByRole, which is true if the entitlement is assigned through a role. In that case, there are two keys in the attributes map, which indicate the IT role / business role granting the entitlement (sourceAssignableRoles, sourceDetectedRoles)
  2. On the identity object, directly assigned entitlements are stored in the “Exceptions” as EntitlementGroup objects. On the other hand, entitlements assigned through a role do not appear in the Exceptions.

When it comes to recertifications, IdentityIQ includes only those entitlements that are listed in the Exceptions in the recertification. The same applies to access requests: only Exception entitlements are shown for removal.

This is basically the reason why the type of an entitlement based CertificationItem is Exception. Exceptions are written during identity refresh.

Is it possible to recertify entitlements that are part of an IT role?

Out of the box, it is not possible since, as mentioned above, IdentityIQ only considers Exception entitlements to be included as certification items. However, in theory it should be possible (I’ve never tried it, as it doesn’t really make sense to do that from a business point of view) to use the CertificationEntityCustomization rule to

  • iterate over the CertificationItem objects
  • check if the CertificationItem is an IT role
  • extract the single entitlements from that IT role
  • manually create CertificationItem objects for each entitlement
  • add the generated CertificationItem objects to the certification entity

Does that make sense? Recertifying the IT role as well as the single entitlements does not really make sense from a business point of view, as one will have inconsistencies. Imagine the recertifier approves the whole IT role but revokes 2 out of 3 single entitlements of that IT role. Or the other way around: all single entitlements are approved while the IT role is removed.

One could argue that you could remove the IT role as a certification item and add all single entitlements as certification items. This way, you would effectively recertify single entitlements instead of the IT role as a whole.
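As an added illustration of the five-step CertificationEntityCustomization approach sketched above (this is not code from the thread or from SailPoint, and the author above says they never tried it), here is a Beanshell rule body. It assumes the 8.x rule arguments `context` (SailPointContext), `entity` (CertificationEntity) and `certifiableEntity` (Identity), and that the object-model names used (RoleDetection, RoleTarget and its Item class, EntitlementGroup.convertToSnapshot, the CertificationItem(EntitlementSnapshot) constructor, CertificationEntity.add) match your Javadoc; verify them before deploying.

```java
// Added example, not code from the thread or from SailPoint. Assumed rule
// arguments: context (SailPointContext), entity (CertificationEntity),
// certifiableEntity (Identity). API names are assumptions to be checked
// against the IdentityIQ 8.x Javadoc.
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.Application;
import sailpoint.object.Attributes;
import sailpoint.object.CertificationItem;
import sailpoint.object.EntitlementGroup;
import sailpoint.object.Identity;
import sailpoint.object.RoleDetection;
import sailpoint.object.RoleTarget;

Identity identity = (Identity) certifiableEntity;
List newItems = new ArrayList();

// Steps 1 and 2: walk the entity's items; only Bundle items whose role name
// matches a RoleDetection on the identity are *detected* IT roles. Assigned
// (business) roles have no detection entry and are left untouched.
for (CertificationItem item : entity.getItems()) {
    if (item.getType() != CertificationItem.Type.Bundle) continue;
    RoleDetection detection = null;
    for (RoleDetection rd : identity.getRoleDetections()) {
        if (rd.getRoleName().equals(item.getBundle())) { detection = rd; break; }
    }
    if (detection == null) continue;

    // Step 3: the detection's targets record which account attribute/value
    // satisfied the IT role profile, i.e. the single entitlements.
    for (RoleTarget target : detection.getTargets()) {
        Application app = context.getObjectByName(Application.class, target.getApplicationName());
        for (RoleTarget.Item ent : target.getItems()) {
            Attributes attrs = new Attributes();
            attrs.put(ent.getName(), ent.getValue());
            // Step 4: build an Exception-type item the same way IIQ does for a
            // directly assigned entitlement (EntitlementGroup -> snapshot -> item).
            EntitlementGroup group = new EntitlementGroup(app, target.getInstance(),
                    target.getNativeIdentity(), target.getNativeIdentity(), null, attrs);
            newItems.add(new CertificationItem(group.convertToSnapshot()));
        }
    }
}
// Step 5: attach the generated items after the loop so the entity's item list
// is not modified while it is being iterated.
for (CertificationItem ni : newItems) entity.add(ni);
```

This keeps the role item and adds the single entitlements beside it, which is exactly the inconsistent-decision situation described above; dropping the role item instead (the alternative in the last paragraph) would be a further change to the same loop.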