Native Change Detection for Created Entitlments

nuffersp · October 14, 2025, 7:49pm

We want to identify who is creating Active Directory entitlements outside of SailPoint ISC. Our objective is to drive all AD group creation through ISC forms and workflows to ensure consistency and compliance.

Current Setup:
Within the AD source, I’ve configured All non-entitlement attributes to use objectGUID. After creating a new group and running an aggregation, no event was triggered.

Question:
What is the best approach to reliably capture newly created AD entitlements that are created outside of ISC?

Steve

JackSparrow · October 19, 2025, 3:47pm

Hi @nuffersp Native change detection works only for account operations but not for group operations. Is it possible to add a tag/description that is unique to SailPoint when AD groups are created from SailPoint? so that report can be run

system · December 18, 2025, 3:48pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Entitlement CRUD operations ISC Discussion and Questions identity-security-cloud , entitlements	2	134	July 27, 2024
Native Change Detection in Active Directory Source ISC Discussion and Questions identity-security-cloud	11	1118	April 9, 2024
AD entitlement Audit ISC Discussion and Questions aggregation , identity-security-cloud	6	92	January 1, 2026
AD group continuously being added ISC Discussion and Questions identity-security-cloud , entitlements	11	239	March 31, 2025
Identify users in SailPoint IIQ whose Active Directory group memberships were assigned externally, bypassing the IIQ provisioning process IIQ Discussion and Questions identityiq , provisioning	9	163	March 22, 2025

Native Change Detection for Created Entitlments

Related topics