Remove Entitlement from Source (Application)

Hi Folks,

I have some unwanted entitlements in my application source and want to remove them while keeping the existing ones intact.

I tried to download the Entitlement Schema, but nothing comes in the extract. How can I remove them from the Entitlements section?

Existing entitlements:

  • AD Account Role
  • ADD Accounts – want to remove
  • AD Sample accounts – want to remove

Thanks

Hi @msingh39 ,

Are you using AD? If yes, you can use an LDAP filter to prevent those accounts from being aggregated into SailPoint. If you are not using AD, please let us know which source you are dealing with.

Thanks.

Thanks, it's a delimited source from which I want to remove them.

You can download the account export and remove the unwanted entitlements associated with the accounts. Also, export the entitlements separately and remove them there as well. After making the changes, re-aggregate the accounts and entitlements.

Account removal is fine, but extracting the entitlements and updating the sheet back under the “Entitlement” option does not work well. The entitlement still exists there.

Hi @msingh39 ,

Kindly follow the steps below:

  1. Export the accounts and entitlements.
  2. Download the entitlement schema.
  3. Copy all entitlements from the entitlement export done in step 1.
  4. Paste all entitlements into the entitlement schema sheet.
  5. Remove the entitlement from the sheet. Also remove it from the accounts.
  6. Save it and aggregate the file by uploading it in the entitlement aggregation tab. Also re-aggregate the accounts by uploading the updated accounts sheet.
  7. Click on the entitlement tab; there you will be able to see the aggregated entitlements.

Before:

After:

Please give it a try and let me know if you find any difficulty doing so.
Thank you.


Thanks for crafting those steps. I did exactly the same steps, but the entitlements are still there. Attached is the screenshot: NADM I want to keep, and remove the ADM ones.

Are the entitlements part of an existing certification or associated to a role or access profile?

Yes, part of an access profile, but somehow not able to remove that.

Is the access profile part of a certification, associated with an identity profile, or role?

Are you able to remove the entitlement from the access profile or to delete the access profile?

Is the access profile requestable? Are there pending requests for the entitlement or access profile?

Hi @msingh39 ,

Can you try to do a reset of the entitlements and then do an entitlement aggregation?
Thanks

Hi @msingh39

If you have followed all the steps mentioned by other developers, then do it step by step:

  1. As you mentioned that the schema download is empty, first perform an Entitlement Export from the Entitlements page, or you can use the List Entitlements API to get the full list with the existing IDs.
  2. Create a CSV file containing only the entitlements you wish to keep.
  3. If you are using a Delimited File connector, upload your cleaned CSV file with the entitlements you want.
  4. Trigger an Entitlement Aggregation.

Note: make sure it is not an Account Aggregation.

With account aggregations it will never delete entitlements. Please let us know if it works.


I do not recommend resetting the entitlements on the source, as any access profiles, roles, or anything else with any entitlements from that source will be affected. This could be disastrous for large environments given the amount of work needed, and not something to do in production in my opinion. If others have experiences otherwise, I would be very interested in your approach.


Hi @ts_fpatterson Thank you for sharing your perspective. I agree that resetting the entitlement on the source could have a significant impact on access profiles, roles, and other dependent configurations, especially in large environments. We will definitely avoid making such changes directly in production. We are currently reviewing alternative approaches and will ensure proper validation in a lower environment before considering any changes. I would also appreciate hearing if anyone has implemented a safer approach in similar scenarios.


Hi @suraj_gorle Were you able to find any alternative approach for this?

Tried again, but same behavior. Also, when I did the entitlement aggregation, it created another entry with the same name, but the Type is “group”.

Hi @msingh39 Have the entitlements that you can’t delete been detected from accounts being members? You can’t delete detected entitlements, that is standard ISC functionality.

Yes, those are not part of any access profile or identities. So what is happening is:

I followed the steps below, but after using the existing entitlement entries, it created another one with the same name but Type as Group. But the others, which do not have any identities or AP tagged, didn't get deleted.

Also, the ID details mentioned in the screenshot below: is it the actual ID for that entitlement, or do we have to put the same name as the entitlement?

  • Paste all entitlements into the entitlement schema sheet.

  • Remove the entitlement from the sheet. Also remove it from the accounts.

Hi @msingh39 Apologies, I’m not sure I understand. I asked whether the entitlements have ever been detected on an account. If so they can’t be deleted.

Fix your accounts schema to begin with. Post both schemas here. I think your accounts schema is using “entitlement” as the entitlement type as opposed to the “group” type.
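An added example that is not code from this thread or from SailPoint: it scripts the clean-up procedure described earlier (export the entitlements, keep only the ones you want, build the CSV for an Entitlement Aggregation on a Delimited File source) and adds two checks the later replies motivate. It refuses to drop an entitlement that an account still holds (a detected entitlement cannot be deleted), and it flags the same value appearing under two different types on the same source (the symptom of a second “group” entry after aggregation). Assumptions: the entitlement records are trimmed to the fields `name`, `value`, `sourceSchemaObjectType` and `source.id` as returned by the v3 List Entitlements endpoint; the account export has a `groups` column delimited with `|`; the entitlement schema sheet has the columns `id,name,description` with `id` holding the native value that the account attribute stores. The records, IDs and names are constructed for this example.

```python
"""Plan and build a cleaned entitlement CSV for a Delimited File source.

Inputs are an entitlement export (shape of GET /v3/entitlements, trimmed to the
fields used here) and the account export CSV. Output is the sheet you would
upload for an Entitlement Aggregation, plus the list of entitlements that
cannot go yet because accounts still reference them.
"""
import csv
import io
import json
from collections import defaultdict

# Constructed sample entitlement export (ids, names and values are made up).
ENTITLEMENT_EXPORT = json.loads("""
[
  {"id": "e1", "name": "NADM-App-Admin", "value": "NADM-App-Admin",
   "sourceSchemaObjectType": "group", "source": {"id": "src1"}},
  {"id": "e2", "name": "ADM-App-Admin", "value": "ADM-App-Admin",
   "sourceSchemaObjectType": "group", "source": {"id": "src1"}},
  {"id": "e3", "name": "ADM-Sample", "value": "ADM-Sample",
   "sourceSchemaObjectType": "entitlement", "source": {"id": "src1"}},
  {"id": "e4", "name": "ADM-Sample", "value": "ADM-Sample",
   "sourceSchemaObjectType": "group", "source": {"id": "src1"}},
  {"id": "e5", "name": "Other-Src-Group", "value": "Other-Src-Group",
   "sourceSchemaObjectType": "group", "source": {"id": "src2"}}
]
""")

# Constructed sample account export; 'groups' is the multi-valued
# entitlement attribute, assumed to be delimited with '|'.
ACCOUNT_EXPORT_CSV = """id,name,groups
u1,alice,NADM-App-Admin|ADM-App-Admin
u2,bob,NADM-App-Admin
"""


def referenced_values(account_csv, attr="groups", sep="|"):
    """Entitlement values that at least one account still holds."""
    refs = set()
    for row in csv.DictReader(io.StringIO(account_csv)):
        for value in (row.get(attr) or "").split(sep):
            if value.strip():
                refs.add(value.strip())
    return refs


def find_type_collisions(entitlements, source_id):
    """Values present under more than one schema object type on one source.

    A value showing up as both 'entitlement' and 'group' means the uploaded
    sheet and the account schema's entitlement attribute disagree on the type.
    """
    types_by_value = defaultdict(set)
    for ent in entitlements:
        if ent["source"]["id"] == source_id:
            types_by_value[ent["value"]].add(ent["sourceSchemaObjectType"])
    return {v: sorted(t) for v, t in types_by_value.items() if len(t) > 1}


def plan_cleanup(entitlements, account_csv, source_id, drop_prefix):
    """Split one source's entitlements into (keep, drop, blocked).

    blocked = entitlements matching drop_prefix that accounts still reference;
    they stay detected until the account sheet is cleaned and re-aggregated.
    """
    refs = referenced_values(account_csv)
    keep, drop, blocked = [], [], []
    for ent in entitlements:
        if ent["source"]["id"] != source_id:
            continue  # other sources are untouched
        if not ent["name"].startswith(drop_prefix):
            keep.append(ent)
        elif ent["value"] in refs:
            blocked.append(ent)
        else:
            drop.append(ent)
    return keep, drop, blocked


def build_entitlement_csv(keep):
    """Rows for the Entitlement Aggregation upload.

    Assumed schema: id,name,description with id = native value, i.e. the same
    string the account attribute stores (not the ISC object id).
    """
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["id", "name", "description"])
    for ent in keep:
        writer.writerow([ent["value"], ent["name"], ent.get("description") or ""])
    return out.getvalue()


if __name__ == "__main__":
    keep, drop, blocked = plan_cleanup(ENTITLEMENT_EXPORT, ACCOUNT_EXPORT_CSV, "src1", "ADM-")
    print("keep:   ", [e["name"] for e in keep])
    print("drop:   ", [e["name"] for e in drop])
    print("blocked:", [e["name"] for e in blocked], "(still on accounts)")
    print("type collisions:", find_type_collisions(ENTITLEMENT_EXPORT, "src1"))
    print(build_entitlement_csv(keep), end="")
```

Run it before uploading: if `blocked` is non-empty, fix those rows in the account export and re-run the account aggregation first; if `find_type_collisions` reports anything, compare the account schema's entitlement attribute type with the entitlement schema before aggregating again, otherwise the upload recreates the duplicate.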