Role managing Manually assigned entitlements

Is the following statement accurate or is there a use case where it would be?

If an account that belongs to an Identity was assigned an entitlement “manually” at a source before a role was assigned to the Identity, then the role will not have provided that specific entitlement to the account, as it would have already been assigned. This would mean the entitlement would need to be removed from the account manually, and then re-added via a role evaluation if you would like the role to control the access to that entitlement.

If this is the case, then do I need to

  1. For a new role, remove all the entitlements defined in the role from every account; this will allow the role to re-assign the entitlement and manage it.
  2. Periodically, do step 1 to ensure every entitlement is properly managed by the role.

My understanding of managed entitlements by a role is

  1. If they no longer meet the role criteria, then the entitlement(s) will be removed, regardless of how the account initially received it.

  2. In a certification, the role will encapsulate all the access including entitlements. Only the role will appear.

Steve

When a user loses a Role, all the Entitlements bundled under the role, either directly or via Access Profiles, will be removed. However, if any of the entitlements were assigned via Access Request, then they will be reassigned. The same is applicable to Roles and Access Profiles.

So, you don’t need to do what you have described above. In fact, I would highly recommend not to do it as users would lose their accesses in end systems until they are reassigned with those accesses.

entitlements will be reassigned if they were granted via Access Request

Yes, if you picked the Roles while creating the campaign