Recertification for all Identities on specific IDProfile but only entitlements from AD source

I am looking to run a certification campaign on Identities from the Contractor Identity Profile that are active but only want to certify their entitlements from a specific source (AD in this scenario).

I have not been able to come up with a search query or way to narrow it down in the campaign features. Is this even possible in Sailpoint? It seems I can select the right identities but not easily narrow to just one entitlement source OR select an entitlement source but not easily narrow to just Contractors.

The below accurately gets me active/noaction Contractors with an active AD account. But we have thousands of entitlements and the “Identities” selection when creating a new campaign doesn’t let me quickly filter to just one entitlement source.

identityProfile.name:contractors AND attributes.cloudLifecycleState:(active OR noaction) AND @accounts(source.name:"Active Directory" AND disabled:false)

I’m stuck here

Try after adding this to your query

AND @access(source.name:"Active" AND value:"CN=grpoupcn,OU=somegroup,DC=acme,DC=local")

So this works in the sense that it gets me all the Identities that have access in the AD source, but it doesn’t narrow down the access certified to just that access.

I can filter the entitlements shown below to just “Active” but the problem is IDN caps at 10k results and we have far more than that so not all are showing up. Very frustrating limitation.

It is like I need to apply a Campaign Filter to the Identity campaign started from Search but not seeing a way to do that

Because you had the following in your original query, I assumed you were running a Campaign of type “identities”

I am not able to understand how your query would work as a search query for an “Access Items” campaign.

Not sure what am I missing here :smiley:

Yes, I am running a campaign type of Identities but I am only wanting to certify the identities' entitlements from a specific source, which doesn’t seem to be possible. When I run the query adding the access source like above and check what access is included, it still includes Azure AD access which I do not want to certify for these identities. I can’t select just the Active Directory entitlements because of the 10000 limit IDN has; it would miss too many of the Active Directory entitlements.

Essentially all I want to certify is all contractors' Active Directory entitlements and nothing else.

This is an interesting topic we also have in my company.
To do “double filtering” (on identities + on access), we had to do it using the API or with Selenium to select all the entitlements from AD using script in the UI of IDN.

For the API, we are using this one : create-campaign | SailPoint Developer Community
We are using a SEARCH type and after putting a searchCampaignInfo with a query to select the identities, and then accessConstraints. But there are limitations on accessConstraints on the number of elements to select (max 1000) and you have to put the ids (you cannot put a query here from what we know).

I think we will raise an idea on this specific need to SailPoint, because it seems to us to be quite “basic” to be able to filter the identities and the elements of the campaigns using filters.

++
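Building that request body in code, as an added example that is not from the thread or from SailPoint: it uses the identity query from the first post, enforces the 1000-id limit on accessConstraints reported above, and splits a longer id list into batches (one campaign per batch is this example's assumption, not something the thread confirms). The body field names follow the create-campaign API as understood by the author of this example; the entitlement ids are constructed placeholders.

```python
import json

# Limit on ids per accessConstraints entry, as reported in the reply above (assumption).
MAX_ACCESS_CONSTRAINT_IDS = 1000

# Identity scope: the query from the original post, with straight quotes.
IDENTITY_QUERY = (
    'identityProfile.name:contractors AND attributes.cloudLifecycleState:(active OR noaction) '
    'AND @accounts(source.name:"Active Directory" AND disabled:false)'
)


def chunk_ids(ids, size=MAX_ACCESS_CONSTRAINT_IDS):
    """Split entitlement ids into batches that each fit one accessConstraints entry."""
    if size < 1:
        raise ValueError("batch size must be positive")
    return [ids[i:i + size] for i in range(0, len(ids), size)]


def build_campaign_body(name, identity_query, entitlement_ids, deadline, email_enabled=False):
    """Build the JSON body for POST /v3/campaigns (type SEARCH): identities selected by
    query, access narrowed to the listed entitlement ids only (field names are assumed)."""
    if not entitlement_ids:
        raise ValueError("at least one entitlement id is required")
    if len(entitlement_ids) > MAX_ACCESS_CONSTRAINT_IDS:
        raise ValueError(f"accessConstraints accepts at most {MAX_ACCESS_CONSTRAINT_IDS} ids; "
                         "use chunk_ids() and create one campaign per batch")
    if len(set(entitlement_ids)) != len(entitlement_ids):
        raise ValueError("duplicate entitlement ids in constraint list")
    return {
        "name": name,
        "description": "Contractor Active Directory entitlements only",
        "deadline": deadline,
        "type": "SEARCH",
        "emailNotificationEnabled": email_enabled,  # keep False until the preview is checked
        "autoRevokeAllowed": False,
        "recommendationsEnabled": False,
        "searchCampaignInfo": {
            "type": "IDENTITY",
            "description": "Active contractors, AD entitlements",
            "query": identity_query,
            "accessConstraints": [
                {"type": "ENTITLEMENT", "ids": list(entitlement_ids), "operator": "SELECTED"}
            ],
        },
    }


if __name__ == "__main__":
    ad_ids = [f"ENT-PLACEHOLDER-{i}" for i in range(2500)]  # constructed, not real ids
    for n, batch in enumerate(chunk_ids(ad_ids), start=1):
        body = build_campaign_body(f"Contractor AD cert {n}", IDENTITY_QUERY, batch, "2030-01-31T00:00:00Z")
        print(json.dumps(body)[:120], "...")
```

Each body would be POSTed to the create-campaign endpoint with the tenant's PAT; the script itself makes no network calls.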

Thanks, I opened an expert services case to see if there was any creative solutions for this as well.

I am a little shocked to see it’s an all or nothing methodology here as we are a huge org and this would be an insane certification campaign without being able to narrow down.

We may actually just do a flat file source of what we need to certify and bulk do the revokes with a powershell script after we collect all the answers. Really painful but better than asking managers to review access for thousands of items we don’t need them to.

So far ES has recommended Bulk Certification Tool which can support double filter. Call next week to discuss how it works and set up a demo.

https://community.sailpoint.com/t5/IdentityNow-Articles/Bulk-Certification-Tool/ta-p/77926


This worked for my use case!

After downloading and installing Ruby I created a new folder to store the config and input files downloaded from the bottom of the Sailpoint link above.

Updated the config file with a PAT ID/secret and baseUrl for my tenant. The rest of the info in the config file reads from the input file so I left it as is.

The input file I used is attached. Update as needed. The two queries I needed are in their appropriate column, one for Identities one for Entitlements. I also changed the default “ACCESS” type to “IDENTITY” type and turned email to FALSE so I could make sure I didn’t send anything out by accident.

After all was set up I ran a regular CMD as admin and navigated to the path where I stored the downloaded files (I created a new folder on C for RubyConfig and dumped them there). Then ran the command "ruby generate.rb".


After waiting a few minutes it ran and generated a preview in the IDN GUI. From here I can kick it off and run reports as normal!

Wouldn’t let me add 2 pictures in one post so adding the GUI shot here:
