Quicklink Population: Filtering what a user can select to remove

brownric · July 9, 2024, 5:54pm

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

In our instance, we have entitlements show up on the remove access page for users that we are currently not ready for Identity IQ to automate, so it creates manual tasks. We have them not requestable so that can’t be requested on the add access page, but would like to have them filtered out on the remove access page so they cannot be requested for removal. I’ve tried to make a rule similar to the one described here Creating a way for a manager to only request specific entitlements and roles, but no success.

We currently only have two applications that have entitlements, AD & Epic, we want to hide all entitlements tied to the Epic Applications from the Remove Access screen.

Thank you ahead of time for any help and guidance.

enistri_devo · July 9, 2024, 6:23pm

Hi @brownric,

you need to set RequestObjectSelector rule in your quicklink population for entitlment in remove section:

In this rule you need to create a filter with your conditions, put in a QueryInfo and return it; this is enabling rule, so you must create you filter for application != Epic (or somenthing else).

Check if the accoutn that you use are not quicklink conflict.

If you can, share your rule and logs and we’ll fix it together

brownric · July 9, 2024, 6:29pm

Here is where I started with the rule, so that it would only show entitlements within Active Directory. and I tried setting it for both Applications and Entitlements rule.

  <Source>

  import sailpoint.object.Filter;
  import sailpoint.object.Identity;
  import sailpoint.object.QueryOptions;
  import sailpoint.object.QueryInfo; 

  Filter entFilt1 = Filter.eq("application.name", "Active Directory-M01");

  QueryInfo finalQueryInfo = new QueryInfo(entFilt1, false);
  return finalQueryInfo;

  </Source>```

enistri_devo · July 9, 2024, 6:48pm

the rule is ok, which user are using for the test?
Enter in Sp with a no-admin user and assing it (or his group/population) at this quicklink

brownric · July 9, 2024, 7:29pm

Basic user, the rule is applied to the Everyone Quicklink Population,

Logged into SP as the basic user with no SP Admin Privileges
Went into Manage User Access
Selected a user that I know has Epic Access Entitlements
Went into the Manage Access Screen
Selected the Remove Access Section
Epic Entitlements still show in the list, and can be selected and submitted for removal.

enistri_devo · July 9, 2024, 7:52pm

ah ok, dont use Everyone. Is not explicit but Everyone is a particular quicklink.

also i find this topic of user with same problem and he explain a solution.

Can you try to create a new quickliks and disable Request Access in Everyone?

And is very important this part:

be sure you account is only in the new quicklink

brownric · July 9, 2024, 8:23pm

That was it. Thank you so much!!

system · September 7, 2024, 8:24pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Excluding the entitlement from Remove access page IIQ Discussion and Questions	3	1256	July 19, 2023
I'm not able to see the entitlement that user is part of in Manage User Access Page (Remove section) IIQ Discussion and Questions identityiq , access-requests	7	1281	July 25, 2023
Set Entitlements to non-requestable if no longer in target application IdentityIQ (IIQ)	0	724	June 27, 2022
Include Entitlements part of Roles in Remove Access Requests IIQ Discussion and Questions identityiq , lifecycle-management , entitlements	7	52	October 13, 2024
Request wipe out IIQ Discussion and Questions identityiq	4	71	August 4, 2024

Quicklink Population: Filtering what a user can select to remove

Which IIQ version are you inquiring about?

Share all details related to your problem, including any error messages you may have received.

Related Topics