RBAC - Alter access for a user that is part of RBAC

Which IIQ version are you inquiring about?

8.4

Share all details about your problem, including any error messages you may have received.

We have created RapidSetup Birthright roles based off the identity’s job title. We periodically have a scenario where the identities that receive their access via the birthright role need one of the entitlements assigned replaced with another entitlement. We found that if we request the new entitlement, it will update the role assignment in the target system, but once the refresh identity task runs, it will revert the access back to the entitlement associated with the birthright role. Is there a way to use birthright roles but be able to alter access when needed? Basically, grant the entitlements upon identity creation but afterwards allow access to be altered.

Hi @sonia_mcdonald

To avoid entitlements being reverted during identity refresh, we recommend assigning birthright entitlements only once during user onboarding using a rule (e.g., Lifecycle Event rule / Identity Trigger rule), rather than attaching them permanently to a birthright role. This allows the entitlements to be granted at creation, but gives you the flexibility to modify or replace access later without SailPoint reverting the changes.

For more details, please refer to the official documentation:

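One way to implement the one-time grant described in the answer above, as an added example (not code from this thread or from SailPoint): a BeanShell script body, run from the workflow that a joiner (identity creation) lifecycle event launches, that requests the entitlements directly on the account instead of through a role. The application name `TargetApp`, the attribute names `jobTitle` and `groups`, and the title-to-entitlement map are assumptions, and `context` and `identity` are assumed to be passed in by the workflow step.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import sailpoint.api.Provisioner;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningProject;

// Assumed inputs: "context" (SailPointContext) and "identity" (the new Identity),
// supplied by the workflow step that the joiner lifecycle event launches.

// Hypothetical job title -> starting entitlements map (constructed sample values).
Map startingAccess = new HashMap();
List analyst = new ArrayList();
analyst.add("CN=Finance-Read,OU=Groups,DC=example,DC=com");
startingAccess.put("Financial Analyst", analyst);

String title = (String) identity.getAttribute("jobTitle");    // assumed attribute name
List entitlements = (List) startingAccess.get(title);

if (entitlements != null && !entitlements.isEmpty()) {
    // Request the entitlements on the account itself, not through a role, so
    // the starting access is granted once and is not tied to a birthright role.
    AccountRequest account = new AccountRequest();
    account.setApplication("TargetApp");                      // hypothetical application name
    account.setOperation(AccountRequest.Operation.Modify);
    for (int i = 0; i < entitlements.size(); i++) {
        account.add(new AttributeRequest("groups",            // assumed entitlement attribute
                ProvisioningPlan.Operation.Add, entitlements.get(i)));
    }

    ProvisioningPlan plan = new ProvisioningPlan();
    plan.setIdentity(identity);
    plan.add(account);

    // Compile and execute the plan once; later access requests can add or
    // remove these entitlements like any other directly requested access.
    Provisioner provisioner = new Provisioner(context);
    ProvisioningProject project = provisioner.compile(plan);
    provisioner.execute(project);
}
```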

Thank you for the suggestion. This sounds like exactly what we need. I will share with our team.
