When using SailPoint's Separation of Duties service, you can implement:
You can have a maximum of 500 total policies, of either type, in your org. In each access-based SoD policy, you can have a maximum of 50 entitlements in each access list. You need at least one entitlement in each access list to prevent errors.
The documentation mentions that SoD policies have a maximum of 50 entitlements in each access list, but it does not specify that each access list needs to contain at least 1 entitlement to prevent errors. One might argue that this limitation makes sense (if one list is empty, there will never be a conflict, so why create the SoD policy at all?), but it could be that one person is responsible for creating the policy objects while another is responsible for filling the access lists, or you want to start working on the policy first and fill it later, or entitlements get deleted between update sessions, or you have an automated process to build SoD policies in bulk where some policies sometimes happen to have an empty list but should still work for simplicity.
In addition, if an entitlement is deleted (removed through entitlement aggregation, or its source has been deleted), the entitlement is still visible in the bucket and you can’t make any changes to it (not even patching the owner or description) until this corruption is resolved. Perhaps this limitation can be documented as well?
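For the bulk-build scenario described above, a pre-flight check can catch the three limits named in this thread (500 policies per org, 50 entitlements per access list, at least 1 entitlement per list) and any reference to an entitlement that no longer exists, before anything is sent to the API. This is an added, constructed example and not SailPoint code; the policy shape, the entitlement IDs and the idea of a locally known set of existing entitlement IDs are assumptions.

```python
from dataclasses import dataclass

MAX_POLICIES_PER_ORG = 500       # limit stated in the documentation
MAX_ENTITLEMENTS_PER_LIST = 50   # limit stated in the documentation


@dataclass
class SodPolicy:
    # Assumed shape: an access-based SoD policy with two access lists of entitlement IDs.
    name: str
    left: list[str]
    right: list[str]


def validate_policy(policy: SodPolicy, known_ids: set[str]) -> list[str]:
    """Return problems for one policy (an empty list means it is safe to create)."""
    problems = []
    for side, ids in (("left", policy.left), ("right", policy.right)):
        if not ids:  # the undocumented minimum: at least one entitlement per list
            problems.append(f"{policy.name}: {side} access list is empty")
        if len(ids) > MAX_ENTITLEMENTS_PER_LIST:
            problems.append(f"{policy.name}: {side} access list has {len(ids)} "
                            f"entitlements (max {MAX_ENTITLEMENTS_PER_LIST})")
        # IDs not in the known set were deleted (aggregation or source removal).
        missing = sorted(set(ids) - known_ids)
        if missing:
            problems.append(f"{policy.name}: {side} references missing entitlements {missing}")
    return problems


def validate_batch(policies, known_ids, existing_count=0):
    """Split a bulk build into creatable policies and a list of problems."""
    problems = []
    if existing_count + len(policies) > MAX_POLICIES_PER_ORG:
        problems.append(f"org would hold {existing_count + len(policies)} policies "
                        f"(max {MAX_POLICIES_PER_ORG})")
    valid = []
    for policy in policies:
        found = validate_policy(policy, known_ids)
        problems.extend(found)
        if not found:
            valid.append(policy)
    return valid, problems


# Constructed sample data: entitlement IDs assumed to exist in the org right now.
KNOWN_IDS = {"ent-ap-create-vendor", "ent-ap-approve-payment", "ent-gl-post-journal"}
SAMPLE_POLICIES = [
    SodPolicy("AP vendor vs payment", ["ent-ap-create-vendor"], ["ent-ap-approve-payment"]),
    SodPolicy("Placeholder, fill later", ["ent-gl-post-journal"], []),
    SodPolicy("Stale reference", ["ent-gl-post-journal"], ["ent-removed-last-week"]),
]
```

Running `validate_batch(SAMPLE_POLICIES, KNOWN_IDS)` returns only the first policy as creatable and reports the empty list and the stale reference separately, so a bulk job can skip or repair those two instead of failing the whole run.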
Hi Angelo! Thanks for the feedback! I’ve created a Jira ticket (SAASDOCS-7450) to clarify the minimum number of entitlements and evaluate how to address deleted entitlements in our SoD documentation.
We have updated the Managing Policies documentation to specify that access lists need to contain at least one entitlement. We are continuing to gather info on how customers need to interact with deleted entitlements. Thanks!