Are you using AD? If yes, you can use an LDAP filter to prevent those accounts from being aggregated into SailPoint. If you are not using AD, please let us know which source you are dealing with.
You can download the account export and remove the unwanted entitlements associated with the accounts. Also, export the entitlements separately and remove them there as well. After making the changes, re-aggregate the accounts and entitlements.
Account removal is fine, but extracting the Entitlement and updating the sheet back under the “Entitlement” option does not work well. The Ent still exists there.
6. Save it and aggregate the file by uploading it in the entitlement aggregation tab. Also reaggregate the accounts by uploading the updated accounts sheet.
Thanks for crafting those steps. I did exactly the same steps, but the Entitlements are still there. Attached is the screenshot; I want to keep the NADM ones and remove the ADM ones.
If you have followed all the steps mentioned by other developers, then do it step by step:
As you mentioned that the schema download is empty, first perform an Entitlement Export from the Entitlements page, or you can use the List Entitlements API to get the full list with the existing IDs.
Create a CSV file containing only the entitlements you wish to keep.
If you are using a Delimited File connector:
Upload your cleaned CSV file with the entitlements you want.
Trigger an Entitlement Aggregation.
Note: Make sure it is not an Account Aggregation.
With Account aggregations, it will never delete entitlements. Please let us know if it works.
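The CSV cleanup described in the steps above, as an added example that is not part of the original posts: it drops the ADM entitlements from both exports while keeping the NADM ones, and reports accounts that would be left with no rows. The column names (`id`, `name`, `groups`), the one-row-per-entitlement account layout, the `ADM_`/`NADM_` naming and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re

# Constructed sample exports; column names (id, name, groups) are assumptions.
ENTITLEMENTS_CSV = """id,name,description
ADM_DB,ADM_DB,Database admin
NADM_DB,NADM_DB,Database read-only
ADM_SRV,ADM_SRV,Server admin
NADM_SRV,NADM_SRV,Server operator
"""
ACCOUNTS_CSV = """id,name,groups
u1,alice,ADM_DB
u1,alice,NADM_DB
u2,bob,NADM_SRV
u3,carol,ADM_SRV
"""

# Anchor at the start of the value: a plain substring test for "ADM"
# would also match "NADM_DB" and drop the entitlements meant to be kept.
REMOVE = re.compile(r"^ADM(_|$)")

def read_rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def clean(entitlement_rows, account_rows, ent_key="id", acct_ent_col="groups"):
    """Return (kept entitlements, kept account rows, removed ids, orphaned account ids)."""
    removed = {r[ent_key] for r in entitlement_rows if REMOVE.match(r[ent_key])}
    kept_ents = [r for r in entitlement_rows if r[ent_key] not in removed]
    kept_accts = [r for r in account_rows if r[acct_ent_col] not in removed]
    # Accounts whose every row was dropped vanish from the file; flag them for review.
    before = {r["id"] for r in account_rows}
    after = {r["id"] for r in kept_accts}
    return kept_ents, kept_accts, removed, sorted(before - after)

def to_csv(rows, fieldnames):
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()

if __name__ == "__main__":
    ents, accts, removed, orphaned = clean(read_rows(ENTITLEMENTS_CSV), read_rows(ACCOUNTS_CSV))
    print(to_csv(ents, ["id", "name", "description"]))
    print(to_csv(accts, ["id", "name", "groups"]))
    print("removed:", sorted(removed), "| accounts left with no rows:", orphaned)
```

Review the list of accounts left with no rows before uploading, since those accounts no longer appear in the cleaned accounts file at all.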
I do not recommend resetting the entitlement on the source, as any access profiles, roles, or anything else with any entitlements from that source will be affected. This could be disastrous for large environments with the amount of work needed, and is not something to do in production, in my opinion. If others have experiences otherwise, I would be very interested in your approach.
Hi @ts_fpatterson Thank you for sharing your perspective. I agree that resetting the entitlement on the source could have a significant impact on access profiles, roles, and other dependent configurations, especially in large environments. We will definitely avoid making such changes directly in production. We are currently reviewing alternative approaches and will ensure proper validation in a lower environment before considering any changes. I would also appreciate hearing if anyone has implemented a safer approach in similar scenarios.