Role Provisioning and Certification for Identities having Multiple Accounts

Which IIQ version are you inquiring about?

8.3

Share all details about your problem, including any error messages you may have received.

I have an application for which I am performing provisioning and certification actions on roles. Identities have multiple accounts for this application.

I have an account selector rule attached to each bundle. Following are some questions/issues I am facing.

  1. During account aggregation, the IT roles are detected for only one account. For example, Account A and Account B have entitlements that result in Role A. Then only one account (either Account A or Account B) would be shown as detected.
    Question: Am I missing the account selector rule or is there any extra step to be included such that SailPoint doesn’t do this?

  2. During certification, because IT roles are included, marked as Required, under Business roles, only Business roles are included in the targeted certification, leading to an issue where no account name is visible. And once signed off, my account selection rule is incapable for identities having multiple accounts, as I am unable to select the proper account because no NativeIdentity value is passed in the certification provisioning plan. So does anyone have any solution for this issue?

Appreciate any help. Thanks!

Hi @zeel_sinojia - What type of connector is it and what distinguishes the multiple accounts from each other? (example: regular user vs admin user)

Delimited connector.

To simplify, consider that the application account schema consists of UserName, Email and Entitlements. For a user having multiple accounts, the email will remain the same and the username will be different based on the entitlements they have. Based on the entitlements, we want SailPoint to detect roles.

So if a user has 2 accounts, like:

UserName, Email, Role
zeel_admin, [email protected], Admin
zeel_view, [email protected], Admin
zeel_view, [email protected], View

So I should see IT roles attached like

  1. Admin IT Role - zeel_admin
  2. Admin IT Role - zeel_view
  3. View IT Role - zeel_view

But the duplicate roles for different accounts (No. 1 & 2) are not getting populated. I have seen this for identities having multiple accounts as well. No role is assigned twice.