Role Composition Certification

Which IIQ version are you inquiring about?

8.4 P2

Share all details about your problem, including any error messages you may have received.

My team is looking at implementing a yearly Role Composition Certification. In testing this cert type, it appears that you can only review the entire role all together and revoke or approve it all together. It looks like it then opens a work item to work with the role owner to make the needed updates. The cert itself does not allow you to revoke or approve the individual entitlements the role grants access to. Does anyone know of a way to set up a Role Composition Cert that allows you to revoke/approve all of the individual entitlements contained within roles? Is the only option to require comments on revokes and have the owners list what entitlements they would like removed? Thanks!

What type of Role are you including in your certification? If you do a role composition certification on IT roles, it will have each Entitlement Profile listed for review, where someone can take an Approve or Revoke action.

I have tested using IT roles. The certification displays the role and its associated entitlement profiles. We can view details on the entitlement profiles and see the individual entitlements. The issue we are running into is that we cannot take action on the individual entitlements. The only option is to approve or revoke the entire entitlement profile, whereas we would like to approve or revoke the individual entitlements within that entitlement profile.

Your observations are correct. The only solution may be to have one entitlement per profile. This may not be the right approach for you if you already have these roles and you do not want to put effort to reconfigure the roles.

That was my assumption! Thanks for the replies!

Hey James,

I faced the exact same issue not so long ago. Unfortunately, there is no way to have individual entitlements as certification items.

We also thought of doing something similar to Sanjeev’s idea, but the issue the business raised was readability. One entitlement per profile does let you make decisions directly on the entitlement, but the certification screen will still read something like “Entitlement profile for Application.” Having these entries multiple times will just confuse role owners.

Something we did, which is not the answer to your question but was a way to make life easier, was to add custom columns and use evaluators to populate the columns with entitlement values. This reduces the effort required to check individual profiles. As part of the same effort, we also developed a plugin to show custom messages on the certification screen, informing them to add comments while revoking if they want any modifications and not total revocation of the existing entitlement profile.

Unfortunately, we have way too many roles, most with many entitlements, so creating individual entitlement profiles for every entitlement is not really feasible for us either.

“Something we did, which is not the answer to your question but was a way to make life easier, was to add custom columns and use evaluators to populate the columns with entitlement values. This reduces the effort required to check individual profiles.”

So this solution added additional columns within the initial screen of a reviewer’s cert with all of the contained individual entitlements? Reviewers would not have to go into the “view details” window to see what entitlements each entitlement profile provides access to? That would be a much better solution than the out-of-the-box option. Could you provide additional details on how you all were able to do that?

“we also developed a plugin to show custom messages on the certification screen, informing them to add comments while revoking if they want any modifications and not total revocation of the existing entitlement profile.”

Could you also provide additional details on how you were able to do this?

Thanks!

Yes, additional columns will show the individual entitlements on the initial screen, with the assumption that if they need more information (i.e., description and anything else) they can check that through “view details”.

For the Custom Column

We did this using a custom evaluator, and it all starts in the UIConfig file.

1. Add the ColumnConfig in UIConfig

First, you’ll need to add a <ColumnConfig> to all the UIConfig attributes related to Role Composition Certifications. Here’s the one we used:

<ColumnConfig
  dataIndex="IIQ_RoleCompEnts"
  evaluator="sailpoint.web.view.certification.RoleCompositionCertificationEntitlements"
  groupProperty="IIQ_RoleCompEnts"
  headerKey="Entitlement(s)"
  minWidth="100"
  percentWidth="10"
  property="IIQ_RoleCompEnts"
  sortProperty="IIQ_RoleCompEnts"
  stateId="IIQ_RoleCompEnts"
/>

Make sure to add this to the following attributes:

  • uiRoleCompCertificationItemReturnedItemsColumns
  • uiRoleCompCertificationItemWorksheetColumns
  • uiRoleCompCertificationExportColumns
  • uiRoleCompCertificationItemDetailViewReturnedItemsColumns
  • uiRoleCompCertificationItemDetailViewColumns

2. Create the Evaluator

As mentioned above, the evaluator is a custom Java class that returns a String as its response. You can also have it return other data types, but then you would require a renderer; to keep it simple, we return CSV.

Our evaluator class (RoleCompositionCertificationEntitlements) extends CertificationItemColumn and implements the getValue(Map<String, Object> row) method.

This getValue method gets called for each line item in the certification, giving you the data for that row as input. To keep things simple, we just returned a comma-separated String of the entitlements. You can return other data types, but that would require a custom renderer.

The basic logic in our code was:

  1. Read the targetId from the input row object.
  2. Check if the target is an entitlement profile.
  3. If it is, fetch the entitlements it’s composed of and add them to a list.
  4. Finally, join the list into a single string and return it.

More details on the UI Customization: UI Customization with UIConfig

For the On-Screen Messages

To handle the on-screen messages, we developed a simple plugin.

The plugin runs on the certification screen and uses JavaScript to either inject our messages into existing HTML elements or create new ones entirely. For example, we added a pop-up that appears when a user first loads the certification.

We took inspiration from an existing plugin for this part. Link: Certification Campaign Banner Plugin

List of all the SailPoint and community plugins: IdentityIQ Plugins-Compass

HTH! Let me know if anything is unclear.
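To give the four-step evaluator logic above a concrete shape, here is an added example class written for this thread (it is not the poster's own code). It assumes the row key is "targetId" as the post describes, that a profile's entitlements live in the Filter constraints of sailpoint.object.Profile, and that CertificationItemColumn.getValue, ViewColumn.getSailPointContext, Util.safeIterable and Util.listToCsv have the signatures used here; check them against the 8.4 javadoc before compiling.

```java
package sailpoint.web.view.certification;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import sailpoint.api.SailPointContext;
import sailpoint.object.Filter;
import sailpoint.object.Profile;
import sailpoint.tools.GeneralException;
import sailpoint.tools.Util;

// Column evaluator for Role Composition certifications: for an entitlement-profile
// line item, returns the entitlement values the profile is built from as CSV.
public class RoleCompositionCertificationEntitlements extends CertificationItemColumn {

    @Override
    public Object getValue(Map<String, Object> row) throws GeneralException {
        // 1. The row map carries the id of the object this cert item targets
        //    (assumption: the key is "targetId", as described in the thread).
        String targetId = (String) row.get("targetId");
        if (targetId == null) return "";
        // 2. Only entitlement profiles are resolved; other item types
        //    (required/permitted roles, scopes, capabilities) get an empty cell.
        SailPointContext ctx = getSailPointContext();
        Profile profile = ctx.getObjectById(Profile.class, targetId);
        if (profile == null) return "";
        // 3. Walk the profile's constraint filters and collect entitlement values.
        List<String> values = new ArrayList<>();
        for (Filter f : Util.safeIterable(profile.getConstraints())) {
            collectValues(f, values);
        }
        // 4. A plain String needs no custom renderer in the certification grid.
        return Util.listToCsv(values);
    }

    // Recurse into AND/OR composites; leaf filters hold the entitlement value(s):
    // a single String for eq(), a List for containsAll().
    private static void collectValues(Filter f, List<String> out) {
        if (f instanceof Filter.CompositeFilter) {
            for (Filter child : Util.safeIterable(((Filter.CompositeFilter) f).getChildren())) {
                collectValues(child, out);
            }
        } else if (f instanceof Filter.LeafFilter) {
            Object v = ((Filter.LeafFilter) f).getValue();
            if (v instanceof List) {
                for (Object o : (List<?>) v) out.add(String.valueOf(o));
            } else if (v != null) {
                out.add(String.valueOf(v));
            }
        }
    }
}
```

Compile it against identityiq.jar and deploy the class under WEB-INF/classes in the package named by the ColumnConfig evaluator attribute, then restart so the UIConfig change and the class are picked up together.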

Great! Thanks again for all the additional info!