Is it possible to merge multiple entitlement/access profile requests into a single SAP GRC ticket in SailPoint ISC?
This is not only related to SAP GRC. Is there any configuration which can help to merge multiple entitlement request from same source(Application) to a single provisioning plan?
I understand there can be different approval process setup for each entitlement/access profile. But in case approval is not configured is it possible to merge them?
Note : I don’t want to group ent1 & ent2. As requester can have multiple combination.
Someone can submit request for ent1, ent2, ent3
Someone might need only ent2,ent3
So grouping them is not possible.
Hi @satyadipan_dev , We have a similar case involving a previous client. We achieved a similar scenario through the implementation of roles using inheritance and permitted roles. If a user possesses one of the matching entitlements, those roles will only show the user’s profile and provision all combined entitlements.
I have tried with both. Both is generating multiple provisioning plan although it is from a same request.
This is creating a problem in SAP GRC as GRC is unable to perform SOD checks due to multiple tickets(SailPoint entitlement provisioning - creates a ticket in SAP GRC side) at the same time.
If I understand this correctly, you cannot have one access request ID if the access request are through entitlements, if it is an access profile with all entitlements clubbed from the source, access request ID would be unique.
If you want to raise one request for all the profiles and roles, you can use access request API.
I believe permitted roles is a SailPoint IIQ concept. It’s not available in SailPoint ISC. But still how this would allow users to request any combination of entitlements ?
Although this is one single access request, SailPoint is not provisioning it with a single provisioning plan. I can see in Search- >Account Activity two entries are getting created.
Hi Aayush, I tried punching two entitlements from the same source(SAP GRC) in one single request.
This created two separate provisioning plan in SailPoint → created two SAP GRC ticket to provision the access.
Yes merging it to a access profile or role would create one single plan. But there can be so many combination of these entitlements so it is not possible to merge and keep all possible combination. Moreover we want users to select individual entitlement combination instead of defining a predefined combination.
Is there somehow possible using a before provisioning rule to merge the separate request? Or it creates separate provisioning plan so it might not be possible?
I don’t think that would be a problem if you used the role-based access. You need a role matrix for access requests. We implemented a similar use case, and it is working as expected. no issue for us .
SailPoint support team informed that there a flag which can be set on tenant level for disabling split provision. After setting the flag we multiple entitlements or access profile are getting merged. This flag can’t be set using any API. We need to reach out to SailPoint support to set the flag.