Provisioning Criteria for Multiple Accounts (Request Access)

Hello,

We have a requirement in which we’d like to leverage the use of " Provisioning Criteria for Multiple Accounts" for the access requests. We’d like to be able to manually request access for an identity with more than 1 account in a single source, but when trying it, we get an error although the " Provisioning Criteria for Multiple Accounts" is properly configured in the requested access profile.

As per the documentation, it seems it is only applicable to lifecycle status changes and role changes, and it doesn’t seem to work for manually requesting an access. From our point of view, it would make sense to have this capability, as IDN allows an identity to have multiple accounts in a single source. Has anyone faced to this situation? Is there any solution to make this work?

Thank you in advance!

I just noticed it is an old post after responding, but if someone is still looking for an answer, We encountered a similar situation and came up with a solution by setting up various sources for each account type and implementing appropriate filters to categorize groups and accounts.

To make this system effective, we assigned a specific attribute to the account schema to distinguish between different types of accounts for a single identity, such as admin, test, primary, and secondary accounts. Moreover, we ensured that the access profiles and entitlements had clear and descriptive names to help end-users understand their requests will grant access to the appropriate account.

Example: Primary Source 1, to aggregate / provisioning of type primary accounts and respective entitlements.

It may not be possible to solve the issue of differentiating between account types and group types without proper indicators in place on the account schema. This is because when requesting an access IDN, there is no way to determine which account needs to be provisioned for the requested access.

1 Like

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.