Privileged Tag No Longer Being Inherited By Roles with Privileged Entitlements?

Has something changed in the Searchable Fields functionality? The description for “privileged” in “access” under “Nested-Level Fields for Identities” says this:

“For access items that are not entitlements, this boolean describes whether the access item contains an entitlement that is marked as privileged.”

This appears to no longer be the case because I was previously able to find roles that have privileged entitlements by simply saying “privileged:true” in my query. See more details below.

I had created a workflow that detected a change in an identity’s attributes and removed any roles containing privileged entitlements assigned to the identity and then created a certification to review the identity’s remaining roles. I was using an HTTP Request action in the workflow to do a Perform Search API to find the privileged roles to remove with the following body:

{
  "indices": [
    "identities"
  ],
  "query": {
    "innerHit": {
      "query": "type:ROLE && displayName:Exception_* && privileged:true",
      "type": "access"
    },
    "query": "id:{{$.trigger.identity.id}}"
  },
  "queryType": "SAILPOINT"
}

Now, this no longer returns anything when a user has a role with privileged entitlements. This is critical functionality for us and I need to know why this is no longer working and what the alternatives are for this.
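As an added example (not from the original post, and not SailPoint's own code), the documented rule for "privileged" on non-entitlement access items can be re-derived client-side, which is the nested loop the workflow editor does not offer. The access list and the role-to-entitlement mapping below are constructed sample data; in practice the mapping would be fetched separately from the roles API (an assumption).

```python
from fnmatch import fnmatch

# Constructed sample data (not from SailPoint): the identity's access items
# as the search index shapes them (type, displayName, privileged), plus a
# role -> entitlement mapping that would really come from the roles API (assumed).
IDENTITY_ACCESS = [
    {"id": "r1", "type": "ROLE", "displayName": "Exception_DBA", "privileged": False},
    {"id": "r2", "type": "ROLE", "displayName": "Exception_ReadOnly", "privileged": False},
    {"id": "r3", "type": "ROLE", "displayName": "Standard_User", "privileged": False},
    {"id": "e1", "type": "ENTITLEMENT", "displayName": "db_superuser", "privileged": True},
    {"id": "e2", "type": "ENTITLEMENT", "displayName": "db_read", "privileged": False},
    {"id": "e3", "type": "ENTITLEMENT", "displayName": "domain_admin", "privileged": True},
]
ROLE_ENTITLEMENTS = {"r1": {"e1", "e2"}, "r2": {"e2"}, "r3": {"e3"}}


def privileged_entitlement_ids(access):
    """Entitlement ids the index itself still flags as privileged."""
    return {a["id"] for a in access if a["type"] == "ENTITLEMENT" and a.get("privileged")}


def roles_with_privileged_entitlements(access, role_entitlements, name_pattern="*"):
    """Apply the documented semantics to roles ourselves: a role is privileged
    when at least one entitlement it grants is marked privileged.
    Returns matching role ids, optionally restricted by a displayName glob
    (the same role-name filter the original search query used)."""
    privileged = privileged_entitlement_ids(access)
    return sorted(
        a["id"]
        for a in access
        if a["type"] == "ROLE"
        and fnmatch(a["displayName"], name_pattern)
        and role_entitlements.get(a["id"], set()) & privileged
    )


if __name__ == "__main__":
    # Only Exception_DBA grants a privileged entitlement and matches the name filter.
    print(roles_with_privileged_entitlements(IDENTITY_ACCESS, ROLE_ENTITLEMENTS, "Exception_*"))
```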

Hi,

I am not sure how this worked previously. But currently when I try this API it's only returning entitlements, not roles.

Also you can try this using workflows with the Get Roles action. Get the roles of an identity, loop through them, check if each is privileged, and remove the same.

-Abhinov

I don’t think that works… I would have to have a nested loop which doesn’t seem to be possible in the workflow. I’d have to get the roles assigned to the identity and loop through each of those and then loop through each of the entitlements within those roles to find which entitlements are privileged.

Please correct me if I am wrong, but that does not seem possible. It appears that the “privileged” attribute is no longer applied to roles at all.
