Right-Sizing entitlement membership after creating a role

Howdy.

Question: Will SailPoint automatically remove users from a pre-populated entitlement?

We have just received the new IDN functionality to allow Entitlements to be added directly to Roles (without the need for an Access Profile). I have an assumption, but I want to be sure I am correct. Does this logic make sense?

Let’s assume that I have an Entitlement (AD Group) with 6 members. It’s based on Location, but has never been maintained. It consists of users from all over the globe.

I build a Role. I configure Access to my Entitlement. I do not touch Access Profiles. Then I define an Assignment of type “IDN Attribute”.

Will SailPoint remove users who don’t meet this criteria?

Creating a role will not remove access from existing users that have those entitlements. Only if the user meets the role criteria and then later no longer meets the criteria will the access be removed.

@RPook here is SailPoint’s recommendation for removing access via a role:

You must create a new role with the same criteria and the newly required access, and change the existing role’s criteria. IDN detects that the users no longer meet the old role’s criteria and revokes that role and its associated access.

Thanks for the info. Is the same scenario true if we were to use Access Profiles with Roles?

EX: Support Rep adds a User to GroupA via ADUC.
GroupA is an Entitlement managed under AccessProfileA.
The criteria are defined via the Access Profile, not the Role.

Hi Ryan,

Yes, the same scenario applies if you are using access profiles with roles.


Thank you for the input. Are there any suggestions or best practices to prevent/alert/remove users who are side-loaded by people/scripts/applications via ADUC?
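The thread leaves the last question open. The script below is an added example, not something posted in the thread or provided by SailPoint: it reconciles an AD group’s actual members against the location rule the role is supposed to express, reports everyone who is out of scope (the members IDN will not touch just because a role was created), and can optionally remove them. The group name `GroupA`, the attribute (`l` for city, `co` for country) and the allowed values are assumptions to replace with your own; it needs the RSAT ActiveDirectory module.

```powershell
#Requires -Modules ActiveDirectory
<#
Added example (not from the original thread). Report, and optionally remove,
members of an AD group who do not satisfy the location rule behind the role.
Group name, attribute and allowed values below are assumptions.
#>
function Get-OutOfCriteriaMembers {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]   $Group,          # e.g. 'GroupA' (assumed name)
        [string]   $Attribute = 'l',                        # AD attribute to test: 'l' = city, 'co' = country
        [Parameter(Mandatory)] [string[]] $AllowedValues,  # values that satisfy the role criteria
        [switch]   $Remove                                  # remove out-of-scope members instead of only reporting
    )

    # -Recursive flattens nested groups so side-loaded users hiding in a
    # sub-group are evaluated too; only user objects are compared.
    $members = Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object objectClass -eq 'user'

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.DistinguishedName -Properties $Attribute
        $value = $u.$Attribute
        # An empty attribute is treated as out of scope: the role criteria
        # could never have matched such a user, so the membership is side-loaded.
        $inScope = $value -and ($AllowedValues -contains $value)
        if ($inScope) { continue }

        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Attribute      = $Attribute
            Value          = if ($value) { $value } else { '<empty>' }
            Enabled        = $u.Enabled
            Group          = $Group
        }

        # ShouldProcess honours -WhatIf / -Confirm, so a dry run is one flag away.
        if ($Remove -and $PSCmdlet.ShouldProcess($u.SamAccountName, "Remove from $Group")) {
            Remove-ADGroupMember -Identity $Group -Members $u -Confirm:$false
        }
    }
}

# Report only:
# Get-OutOfCriteriaMembers -Group 'GroupA' -Attribute 'co' -AllowedValues 'United States','Canada' |
#     Format-Table -AutoSize
# Dry run of the removal, then the real thing:
# Get-OutOfCriteriaMembers -Group 'GroupA' -Attribute 'co' -AllowedValues 'United States','Canada' -Remove -WhatIf
# Get-OutOfCriteriaMembers -Group 'GroupA' -Attribute 'co' -AllowedValues 'United States','Canada' -Remove
```

Run it in report mode first and keep the output as evidence of the clean-up; removals made directly in AD are not visible to IDN until the next aggregation of the source, so schedule the aggregation (or let it run) before checking the entitlement in IDN. For the “alert” part of the question, membership changes made outside IDN show up in the domain controller security log as event ID 4728 (global group), 4732 (local group) or 4756 (universal group), which can be forwarded to a SIEM and matched against the groups IDN is supposed to own.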
