We have basic questions related to SailPoint IIQ SOD Advanced Policies. Below are the business requirements that we are looking to fulfil.
Ability to exclude the policy violations for the C-suite team (e.g., role = CIO). (We suppose we do not have any option but to go for an Advanced Policy, as there is no "Not Equals" condition for policies in Entitlement SOD.)
AND
Add the set of conflicting entitlements like this:
Entitlement 'Admin' does not go with entitlement 'RO' and entitlement 'RW'. How do we add this combination in an advanced policy using a match list?
i. E.g., a user already has access to Admin and tries to raise an access request for RO, but SailPoint IIQ still does not show the policy violation with the below config.
Grouping to simulate 2 entitlement sets also does not seem to be working.
e.g., the user has the Admin entitlement and tries to submit a request for RO, then the SOD is detected. The same user with the Admin entitlement tries to submit a request for RW, and no SOD is detected.
If you have implemented any such use case using SailPoint IIQ SOD Advanced Policies for 2 entitlements, could you please share the config details or a screenshot?
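As an added illustration, not from any of the posters above and not a SailPoint-provided artifact, here is how the match list described in the question (Admin conflicting with RO or RW, with the C-suite exclusion folded into the same criteria) can be expressed as an Advanced Policy object export. The application name FinanceApp, the entitlement attribute memberOf and the identity attribute title are assumed placeholders, and the element and attribute names follow the IdentitySelector/MatchTerm model as it appears in IIQ object exports.

```xml
<!-- Added illustration; FinanceApp, memberOf and title are placeholders.
     Element/attribute names follow IIQ's IdentitySelector/MatchTerm model. -->
<Policy executor="sailpoint.policy.GenericPolicyExecutor"
        name="FinanceApp Admin vs RO-RW"
        state="Active"
        type="Advanced"
        violationOwnerType="Manager">
  <GenericConstraints>
    <GenericConstraint name="Admin conflicts with RO or RW"
                       policyName="FinanceApp Admin vs RO-RW"
                       state="Active">
      <IdentitySelector>
        <!-- Top level is AND: all three terms must hold for a violation. -->
        <MatchExpression and="true">
          <!-- Term 1: identity holds the Admin entitlement. -->
          <MatchTerm name="memberOf" type="Entitlement" value="Admin">
            <ApplicationRef>
              <Reference class="sailpoint.object.Application" name="FinanceApp"/>
            </ApplicationRef>
          </MatchTerm>
          <!-- Term 2: grouped sub-expression evaluated with OR, so that
               Admin together with either RO or RW is a violation. -->
          <MatchTerm container="true" and="false">
            <Children>
              <MatchTerm name="memberOf" type="Entitlement" value="RO">
                <ApplicationRef>
                  <Reference class="sailpoint.object.Application" name="FinanceApp"/>
                </ApplicationRef>
              </MatchTerm>
              <MatchTerm name="memberOf" type="Entitlement" value="RW">
                <ApplicationRef>
                  <Reference class="sailpoint.object.Application" name="FinanceApp"/>
                </ApplicationRef>
              </MatchTerm>
            </Children>
          </MatchTerm>
          <!-- Term 3: exclusion. negative="true" gives the "not equals"
               the entitlement SOD editor lacks; CIO identities never match. -->
          <MatchTerm name="title" type="IdentityAttribute" value="CIO" negative="true"/>
        </MatchExpression>
      </IdentitySelector>
    </GenericConstraint>
  </GenericConstraints>
</Policy>
```

Because the whole expression is evaluated as one AND, the exclusion term travels with the policy, so it applies in both the preventive (LCM) and detective (refresh) checks without a separate task filter.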
For an advanced policy you can write rules to support your requirements, but be aware that you will not be able to use revoke buttons as you can with the OOTB entitlement or role SODs.
If you want to enable approve/revoke options as well, it will require a lot of work: you will have to write a workflow to handle the policy violation, create an XHTML page and attach it to your policy workflow for use.
We are looking for a scalable solution. We have 2K+ applications with different policy requirements, and for each of those we have to add a criteria condition that excludes the C-suite team. How can we achieve the entitlement set feature of entitlement SOD here in an Advanced policy, to fulfil the requirements mentioned above for conflicting entitlement sets?
As I suggested earlier, similar functionality won't be available for advanced SODs. You will only get the approve button.
If you want to achieve this, you have to create your own policy template using XHTML and write some Java classes along with the SOD policy workflow handler, which will require a lot of development work and maintenance with every upgrade.
One idea I could suggest is that you create business roles which are not assigned to C-suite employees, and then perform SOD analysis using a role SOD policy.
Right now we are not looking for revoke button options. But the original problem listed in the question is that policy detection based on two entitlement sets using matchlist conditions is not working as expected.
If anyone has tried this without rule code, please let us know. Please refer to the details mentioned in the post for the detailed use case. (Rules are not an option for us as we have 2K+ apps.)
Can you try not grouping the single field (group name = admin)?
Advanced policy is not SoD, so there won't be a concept of a "conflicting" access table (left and right); instead, the policy criteria are evaluated as a whole, once before applying the changes and once after (during LCM as preventive), and only once during the refresh/detective phase.
I have done similar setups for violations, which worked as expected.
What Bhuvanesh has suggested is one way to achieve it: put filters in the refresh tasks and workflows to avoid having it evaluated for the users you don't want it to be triggered for.
Another possible solution is to develop a policy executor plugin that facilitates your requirements. Since it is for 2000+ applications, as you stated, this work can be done once and used across all the different applications as needed.
I had it developed in one of my previous projects but can't share the code since it is the property of the organization.
Thanks
Hi @pradeep1602, thank you for responding. We are also planning to proceed with the no-code option and leverage the filter capabilities in the identity refresh task to do the job.