Revoke entitlements using AdvancedPolicy

Which IIQ version are you inquiring about?

8.3

I’m currently implementing Policies for one specific Application.
The application has 4 entitlements which are mutually exclusive.

We want to implement it using an AdvancedPolicy, but only the EntitlementSoD policy seems to allow direct revoking in the PolicyViolation page.

Is there any way to achieve this behavior using AdvancedPolicies?

Thanks

Hello, you can look at the link below, it might be helpful
https://community.sailpoint.com/t5/IdentityIQ-Wiki/Implementing-advanced-policy-using-filters-and-rules/ta-p/75675

2 Likes

Thanks for the suggestion, but the provided link doesn’t give any help regarding how to modify the type of pop up that appears after clicking “revoke” for the AdvancedPolicy policyViolation.

I will keep researching a bit.

Ok I will deploy the same use case locally and let you know

1 Like

@tmamouros I don’t think it is possible. In EntitlementSOD, IIQ knows exactly which two entitlements conflict because we defined them in the Policy, while in AdvanceAnalytics constraints could be based on any attribute or any other logic based on inactivity, etc.

But what you can try is configuring a PolicyViolation workflow where you can present a custom form with fields to show the entitlements and the operations (allow and revoke); based on the options selected in the form, you can build the plan and remove the entitlement.

1 Like

I will give it a try, thanks. I haven’t experimented much with workflows yet so it will be interesting.

1 Like