Hi @alec
I wonder if ensuring there are descriptions for entitlements should be a responsibility of an IGA solution such as ISC. After all, in contrast to access profiles and roles, which are objects defined in ISC, entitlements are foreign objects, representing access on third-party applications. The third-party applications should be responsible for having access items with proper values, display names and descriptions. We can then perform entitlement aggregations to load this data. The knowledge of what the entitlements represent and mean is therefore held on the third-party application, making it more difficult for an AI to generate proper descriptions. In addition, if changes are being made, they are being made on the third-party application. If we add descriptions to entitlements in ISC, they are not visible in the place of origin, which is the third-party application.
I see a low number of comments and likes here compared to other announcements such as "New Capability: Role Change Propagation" and "New Capability: Remove All Access on Termination". Also, I am not seeing anything like this in the idea portal. Perhaps this also demonstrates that there are better topics to focus on for ISC and better functionality to build or enhance rather than this functionality.
To offer a suggestion which I think actually adds value: in the entitlement schema you can select which field represents the entitlement ID and which one represents the entitlement name. But you cannot select here which field represents the description or which field represents the entitlement owner (another data field which we should be able to aggregate automatically during entitlement aggregation and provide owner correlation logic for).
Another topic which would add value is this idea from 3 years ago, which has over 200 votes, https://ideas.sailpoint.com/ideas/GOV-I-2068, to allow us to delete entitlements that don't exist anymore in the third-party application. Sometimes entitlement aggregation deletes entitlements that don't exist anymore, but this is not always the case, meaning we have representations of entitlements in ISC that don't exist anymore in the third-party application. We can currently only get rid of these by resetting all entitlements of this source, but this means all access profiles for entitlements we still need will be deleted as well.
So in summary: I would argue that adding descriptions to entitlements should not be a task for an ISC solution, but should be performed on the target application itself. Instead of offering AI descriptions, which operate on limited information and therefore cannot give good recommendations, I suggest you add functionality allowing source owners to update the entitlement schema in the UI and specify which field represents the description, and allowing us to delete individual entitlements, both of which can properly help us decrease the number of entitlements without descriptions.
Kind regards,
Angelo Mekenkamp