Mass delete protection of entitlements

We have just encountered a big incident with IDN and the entitlement aggregation at one of our customers.
With the “Oracle Internet Directory” source, an LDAP filter on the account has impacted the entitlement aggregation.
The aggregation returned 0 entitlements, and all the Access Profiles referring to those entitlements have been emptied and disabled.
Luckily, the Role Change Propagation doesn’t exist yet in IDN, so the users were not impacted…

However, we must now restore all the Access Profiles.

How can we prevent this? For the account aggregation we can set a threshold. Is it possible to set a threshold for the deletion of entitlements? Are there people with that experience?

Hi @ritu_pandey ,
You can take a backup of all sources and other IDN objects using Configuration Hub.

I haven’t done it personally, but I believe it should back up source entitlements as well. There are other IDN objects like Access Profiles and Roles which you also might want to back up.

All the best!

Thank you @gauravsajwan1
I don’t know if backup would be of any use here.
Configuration Hub doesn’t allow identity or entitlement backup (source backup only backs up the source object), and since entitlements are attached to access profiles via ID and not their value/name, once they are deleted in one faulty aggregation and later reaggregated (after updating the aggregation filter), their IDs would change, so restoring access profiles would not be of any use.

Source

It’s unlikely that you can set a threshold for entitlement aggregation. Perhaps Native Change Detection could be a helpful solution for your needs.
