Role Assignment Criteria with Entitlement Type and Multiple Accounts – How Does Account Selection Work?

Hi everyone,

I have a question about how Role Assignment Criteria works when using Entitlement Type, especially for identities with multiple accounts on the same source.

Scenario

  • I configured a role using Define Assignment.

  • In the criteria, I used Entitlement Type.

  • Example:

    • If a user has entitlement 123entitlement from Source A, the role should be automatically assigned.

Question about multiple accounts

Now, consider this case:

  • The same identity has two accounts in Source A (Account B and Account C).

  • Which account is evaluated for the entitlement condition?

In other words:

  • Does the role get assigned if either account (B or C) has 123entitlement?

  • Or does the entitlement need to exist on a specific account?

Why I’m confused

I originally assumed that:

  • As long as the identity has 123entitlement on any account in the source,
    the role would be assigned.

However, based on what I’m seeing in actual behavior, this does not seem to be the case, which is why I’m asking.

Any clarification or best practice guidance would be greatly appreciated.

Thanks in advance!

Hello @sxxnex,

The role assignment criteria is the first option you discussed, as ISC doesn’t differentiate between multiple accounts for criteria evaluation, i.e., if the identity has the entitlement and that entitlement is from the same source you selected (regardless of the account), the role is granted.

As for your tests, you might need to clarify further how you were testing the assignment.

Good luck in your discovery :smiley:

I’m seeing unexpected behavior with role auto-assignment based on entitlements when an identity has multiple accounts in the same source.

Setup

  • Role A criteria: entitlement “123”

  • Role B criteria: entitlement “456”

Accounts

  • One identity has two accounts in the same source:

    • Account C → has “123”

    • Account D → has “456”

Expected

  • Role A and Role B should both be assigned.

Actual

  • Only Role B is assigned.

  • Role A is not assigned, even though entitlement “123” exists on another account.

Why does role assignment based on entitlement work for only one account when entitlements are split across multiple accounts in the same source?

thanks!
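To make the two readings of the thread concrete, here is a small added model (example code, not SailPoint ISC code or its actual evaluation engine). It takes the scenario from the post above (one identity, Account C with “123” and Account D with “456” on the same source, Role A keyed on “123” and Role B on “456”) and evaluates the role criteria two ways: `evaluate_union` implements the behaviour described in the earlier reply (the entitlement may sit on any account of the identity on that source), while `evaluate_single_account` implements a hypothetical evaluation that only looks at one account per source, which is the kind of logic that would produce the observed “only Role B” result. The `explain` helper reports which account satisfies each role, which is the evidence worth collecting before opening a ticket. All identity, account, role and entitlement names are constructed for the example.

```python
# Hypothetical model of role-criteria evaluation across multiple accounts on one
# source. Added example; not SailPoint ISC code. All names are constructed.

from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Account:
    source: str
    name: str
    entitlements: set[str] = field(default_factory=set)


@dataclass
class Identity:
    name: str
    accounts: list[Account] = field(default_factory=list)


@dataclass
class Role:
    name: str
    source: str        # source the criteria entitlement must belong to
    entitlement: str   # entitlement value named in the criteria


def identity_level_entitlements(identity: Identity, source: str) -> set[str]:
    """Union of entitlements across every account the identity holds on `source`."""
    ents: set[str] = set()
    for acct in identity.accounts:
        if acct.source == source:
            ents |= acct.entitlements
    return ents


def evaluate_union(identity: Identity, roles: list[Role]) -> set[str]:
    """Behaviour described in the reply: any account on the source satisfies the criteria."""
    return {
        r.name for r in roles
        if r.entitlement in identity_level_entitlements(identity, r.source)
    }


def evaluate_single_account(
    identity: Identity,
    roles: list[Role],
    pick: Callable[[list[Account]], Account] = lambda accts: accts[-1],
) -> set[str]:
    """Hypothetical evaluation that consults only one account per source.

    With entitlements split across accounts, this is the kind of logic that
    would assign only one of the two roles (here: the last account wins).
    """
    assigned: set[str] = set()
    for r in roles:
        accts = [a for a in identity.accounts if a.source == r.source]
        if accts and r.entitlement in pick(accts).entitlements:
            assigned.add(r.name)
    return assigned


def explain(identity: Identity, roles: list[Role]) -> dict[str, list[str]]:
    """For each role, list the account names that carry the criteria entitlement."""
    return {
        r.name: [
            a.name for a in identity.accounts
            if a.source == r.source and r.entitlement in a.entitlements
        ]
        for r in roles
    }


def build_scenario() -> tuple[Identity, list[Role]]:
    """Constructed scenario matching the post: two accounts, one entitlement each."""
    acct_c = Account("Source A", "Account C", {"123"})
    acct_d = Account("Source A", "Account D", {"456"})
    identity = Identity("test-identity", [acct_c, acct_d])
    roles = [Role("Role A", "Source A", "123"), Role("Role B", "Source A", "456")]
    return identity, roles


if __name__ == "__main__":
    identity, roles = build_scenario()
    print("union evaluation:  ", sorted(evaluate_union(identity, roles)))
    print("single-account:    ", sorted(evaluate_single_account(identity, roles)))
    print("satisfying accounts:", explain(identity, roles))
```

Under the union model both roles are assigned; under the single-account model only Role B is, because Account D is the one consulted. When comparing against a tenant, the `explain` output is the thing to verify against the identity’s account data before assuming the criteria logic itself is at fault.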

@sxxnex
First things first, sometimes entitlements can be duplicated so make sure the technical ISC ID of the entitlement “456” is the same between the identity and the role config and if that’s the case run a global role “apply changes” and then after it finishes, you can run a couple of process identity and check. If that’s not working, you might need to create a ticket.

@sxxnex I believe that SP cannot really distinguish on which account should access be granted, if there are multiple accounts on the same source. Please perform some further testing as @WhiteBat suggested.

Other than that, you can try the following workaround: create another separate source and provision the second account on that one (that way, you will be able to choose the entitlement from the second source as a criterion, which will do the provisioning on the second account).

Happy to hear from other members if there’s any more convenient solution than this.

Lastly, you can submit a support ticket.

The easier option, as @markomanium mentioned, is creating another source and managing it. That’s how I am managing multiple AD accounts for the same identity.

I am wondering about the Multiple Account Options that ISC has provided in Access Profiles. Doesn’t that work here?

Thanks for the suggestion.
We’re trying to keep a single source, since there is only one system managing the entitlements, and it feels more appropriate for us to manage it that way.

Thanks for the suggestion.

As far as I understand, the Multiple Account Options in an Access Profile only take effect after a Role that contains the AP is assigned.
Since the Role itself is not being assigned in our case, we don’t really get a chance to leverage those options.
Also, it seems there’s no way to auto-assign an Access Profile by itself without going through a Role.