Enhancement: Entitlements Service

As part of our continuous efforts to improve scalability and performance for our Identity Security Cloud platform, SailPoint is in the process of rolling out an all-new backend microservice to manage Entitlements across all of IdentityNow.

The rollout of this new Entitlements Service is already underway. Tenants without long Entitlement Descriptions (none greater than 2,000 characters) are being enabled for this new service first and may already have it now!

There are a small number of tenants being delayed for this new service due to a change that may impact how they use entitlement descriptions. These will not start until the beginning of April 2023.

We want to hear from you if you have any questions or concerns about this change.

Please complete this form and we will work with you to address your concerns.

FAQ

  • How does this impact the current APIs?

    • The new service does not change any existing Beta or V3 APIs regarding entitlements.
  • What’s in it for me?

    • This all-new Entitlements service will enable IdentityNow to expand its support of entitlements and provide improvements that will impact all SaaS customers:
      • Improved Performance: Faster access and improved performance for all things related to Entitlements.
      • Greater Scalability: Enables support for more entitlements on a tenant and ongoing scalability for the future.
      • Extensibility: Built on SailPoint’s Public V3 API specification, providing greater support for custom integration options.
      • Support for Entitlement Owners: This new service enables our new Entitlement Owner capability, coming soon.
  • Why are some tenants being delayed?

    • This new service will enforce a new maximum of 2,000 characters on Entitlement Descriptions. The vast majority of tenants do not exceed this limit today and are unaffected by this change. A small number of tenants have one or more entitlements that exceed this limit. We are delaying the rollout of this new service to those specific tenants for a short time to provide them an opportunity to update those descriptions to fit within the new limit. Any descriptions not updated will simply be automatically truncated.
  • Why impose a limit on Entitlement Descriptions?

    • Previously, limits did not exist and resulted in descriptions with excessively high character counts in some cases. We are imposing a limit to this field to ensure consistent performance for this service and to encourage customer-friendly and digestible descriptions for users. The selected limit of 2,000 characters covers the vast majority of all current entitlement descriptions across the platform and is currently exceeded by only a handful of customer tenants.
  • Can this limit be increased by the tenant or source?

    • No, the maximum character limit for the Entitlement Description field is centrally defined and cannot be customized on a per-tenant or per-source basis.
  • When will this new limit take effect?

    • The rollout of this new Entitlements Service is already underway. Tenants without long Entitlement Descriptions are being enabled for this new service first and may already have the new service now!
    • Tenants with Entitlement Descriptions greater than 2,000 characters as of December 31st, 2022 are being enabled LAST. These will not start until the beginning of April 2023.
      • Please note: Any tenant delaying migration to the new Entitlement Service will not get the performance, scale, and new feature benefits provided by the new service, described above.
  • I have Entitlement Descriptions exceeding this limit. How will this impact my tenant?

    • Pre-existing Entitlement Descriptions: Any pre-existing Entitlement Descriptions which exceed the limit will be automatically truncated to the first 2,000 characters. Customers may want to review long descriptions to better fit within the maximum number of characters supported. Instructions on how to update entitlement descriptions can be found in the Performing Bulk Entitlement Updates section in Managing Entitlements.
    • Future Entitlement Descriptions: Entitlement Descriptions aggregated from the source will be automatically truncated to the first 2,000 characters. No further action is necessary. Future attempts to update Entitlement Descriptions must be under the character limit for the bulk import feature to work. An import file containing any Entitlement Descriptions over the limit will result in an error.
  • Do I need to do anything?

    • No action is required for this change. If you do nothing, then any descriptions that exceed the new limitation will simply be truncated as described above. If you choose, you may update any Entitlement Descriptions that exceed the limit. Instructions on how to update entitlement descriptions can be found in the Performing Bulk Entitlement Updates section in Managing Entitlements.
    • Announcements have also been posted on the SailPoint Compass blog.
  • How do I know if my tenant is impacted?

    • There are a very small number of Customers that have entitlement descriptions exceeding this limit today. We are proactively notifying these Customers at this time. Notification will be sent via an in-app notification to Administrators within IdentityNow.

As the Entitlement Owner capability is coming soon, do you know when it will be available?
Currently we are looking for Entitlement owner certification.

Hi Narmadha, Entitlement Ownership will be available at the end of this month (March 2023). This will give you the ability to designate an individual user as the owner of an entitlement and to specify that the owner is the approver for an entitlement access request. Being able to assign owners to certification tasks is planned for a later release.

2 Likes

This sounds great, and how will I know when the new service is available on my tenants? I doubt my tenants have long entitlement descriptions. When the new service is available, I want to try aggregating Microsoft 365 group entitlements again, as trying to do so in the past has resulted in failures apparently related to scaling/performance problems.

1 Like

Hey Thad,

We’re currently rolling out the new service to non-prod orgs.
Upon completion of roll out, we’ll update with another announcement.

Regarding your current aggregation performance errors, happy to connect with you separately. Grab time on my calendly - Calendly - Alison Cheu, Product Manager at SailPoint

1 Like

If you need to find entitlements whose description is longer than 2,000 characters, you can leverage the new SailPoint PowerShell module (GitHub - sailpoint-oss/powershell-sdk: PowerShell Module for accessing SailPoint IdentityNow APIs).
After installation (Install-Module -Name PSSailpoint) you have to set these variables:

$env:SAIL_BASE_URL="https://xxx.api.identitynow.com"
$env:SAIL_CLIENT_ID="xxx"
$env:SAIL_CLIENT_SECRET="xxx"

This one-liner will:

  • Get all entitlements
  • Filter entitlements whose description is longer than 2,000 characters
  • Select relevant data (entitlement name, source name and description!)
  • Export the result in a CSV

Invoke-Paginate -Function "Get-BetaEntitlements" | ? {$_.description -and $_.description.length -gt 1999 } | select id,name,sourceSchemaObjectType,@{N='SourceName';E={$_.source.name}},description | export-csv -NoClobber -Path c:\path\to\entitlements.csv

Note: you can install PowerShell Core on Windows, MacOS and Linux (Install PowerShell on Windows, Linux, and macOS - PowerShell | Microsoft Learn)
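A pre-import check for the bulk-update scenario the FAQ describes (an import file containing any description over the limit is rejected), added here as an example that is not part of the original post or of the SailPoint SDK: it reads a bulk-update CSV, reports rows whose description exceeds 2,000 characters, and shows what the service's first-2,000-characters truncation would keep. The column names and sample rows are constructed assumptions rather than the documented import format, and length is counted in Unicode code points, which may differ from how the service counts.

```python
import csv
import io

# Maximum description length enforced by the new Entitlements Service (from the FAQ).
MAX_DESCRIPTION_LEN = 2000


def find_over_limit(rows, column="description", limit=MAX_DESCRIPTION_LEN):
    """Return (row_number, name, length, excess) for each row whose description
    exceeds the limit. A description of exactly `limit` characters passes.
    Length is counted in Unicode code points (assumption: the service's own
    counting rule is not stated in the announcement)."""
    offenders = []
    for row_number, row in enumerate(rows, start=2):  # row 1 is the header line
        desc = row.get(column) or ""
        if len(desc) > limit:
            offenders.append((row_number, row.get("name", ""), len(desc), len(desc) - limit))
    return offenders


def truncate_description(desc, limit=MAX_DESCRIPTION_LEN):
    """Mirror the stated server-side behaviour: keep only the first `limit` characters."""
    return desc[:limit]


def validate_csv_text(csv_text, column="description", limit=MAX_DESCRIPTION_LEN):
    """Parse a bulk-update CSV held in memory and return (rows, offenders)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    return rows, find_over_limit(rows, column, limit)


def build_sample_csv():
    """Constructed sample file; the column layout is an assumption, not SailPoint's format."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["id", "name", "sourceName", "description"])
    writer.writerow(["ent-001", "Finance-Readers", "Active Directory", "Read access to the finance share"])
    writer.writerow(["ent-002", "HR-Admins", "Active Directory", "A" * 2000])  # exactly at the limit: allowed
    writer.writerow(["ent-003", "Legacy-App-Users", "Active Directory", "B" * 2001])  # one over: import would fail
    return buf.getvalue()


if __name__ == "__main__":
    rows, offenders = validate_csv_text(build_sample_csv())
    if not offenders:
        print("All descriptions are within the limit; file is safe to import.")
    for row_number, name, length, excess in offenders:
        print(f"row {row_number} ({name}): {length} chars, {excess} over the limit")
        preview = truncate_description(rows[row_number - 2]["description"])
        print(f"  would be truncated to {len(preview)} chars")
```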

Hi Yannick, we’ve tried to run this and it is not working: configuration file sailpoint/config.yaml. is missing

You will need to either set the environment variables first, or install the SailPoint CLI and run through the configuration command.

For the env variables, you should be able to run these in your powershell:

$env:SAIL_BASE_URL="https://xxx.api.identitynow.com"
$env:SAIL_CLIENT_ID="xxx"
$env:SAIL_CLIENT_SECRET="xxx"

Hi @kmkeener
As @colin_mckibben already answered, did you set the environment variables?

@alison_cheu

Three big questions:
ONE
We identified an issue some time ago where entitlement descriptions (specifically AD group descriptions) were not being refreshed in IdentityNow when entitlement aggregation was performed. Will this change address that?

TWO
Is there any concept for reading more entitlement properties to perform owner association? In our AD, for example, groups have a property “ManagedBy” and “msExchCoManagedByLink” which contain owner information.

Because SailPoint lacked Entitlement request features, we implemented a request fulfillment engine in ServiceNow. It can read these fields and use them in approval workflows.

THREE
Will there be a mechanism for setting “requestable” automatically when an entitlement is included (regex matches, property checks) or excluded (black list)?

Hey @rmccoy-unum, Apologies for the delay. This change on the entitlement service does not change current governance activities. Besides the description limitation, the rest of the changes are more backend-related.

Patrick Gookin is working on an overall entitlement administration/governance effort. He has just announced the opportunity to set entitlement ownership via API.

If you’d like to discuss more with Patrick, please schedule time on his calendly via Calendly - Patrick Gookin, Sr. Product Manager at SailPoint

This is the corresponding Aha Idea - https://ideas.sailpoint.com/ideas/GOV-I-1908

Regarding your questions above, see below.

  1. Aggregation updates via source - This is being addressed in Q2.
  2. Entitlement properties for owner association - Part of long term strategy for entitlement governance and administration. Currently, Patrick is anticipating Q3.
  3. Patrick would be happy to discuss more on this inquiry to understand this mechanism in relation to the overall entitlement governance.
1 Like

Do you have the timeline for the Entitlement owner certification release?

Hi @rmccoy-unum,

Were you able to find out more about the below? We have a similar requirement. I tried updating the AD Source Group Schema using the API and added a managedBy attribute, but it has no effect.

TWO
Is there any concept for reading more entitlement properties to perform owner association? In our AD, for example, groups have a property “ManagedBy” and “msExchCoManagedByLink” which contain owner information.

@Yeswanthg I do not believe this capability is present in the system currently. As I think about schema, there are the “ID”, and “entitlement” properties which can be associated with source attributes. It seems like this might work by having an “Owner” flag that can be assigned to a specific schema attribute - but it would also require correlation rules.

Short of that, I imagine we will have to write an external script to pull the info from the directory and populate it in SailPoint on a regular basis.

Thanks for responding @rmccoy-unum.
I tried modifying the group schema but it seems to have no effect, and an external script was what I thought too.
I am also meeting with Patrick and will keep you updated if I hear anything different.