SAP Direct Connector – Filtering Entitlements by Authorization Objects for Certification Campaigns

Hi SailPoint Community,

We are currently working with the SAP Direct Connector and are trying to design a more controlled and automated approach for administrative access certifications.

Context

  • SAP roles are aggregated as entitlements via the SAP Direct Connector.
  • Each role contains one or more Authorization Objects.
  • We need to run a certification campaign that includes only roles related to administrative access, identified by specific Authorization Objects.

Challenge

We are looking for a supported way to filter entitlements during campaign creation based on the presence of specific SAP Authorization Objects inside the role.

For example:

Has anyone in the community implemented something similar?

More specifically:

  • Have you successfully filtered SAP roles (aggregated as entitlements via the SAP Direct Connector) based on specific Authorization Objects in order to use them in certification campaigns?
  • If so, how did you design this solution? Did you rely on search configuration, custom rules, or another architectural approach?

We are especially interested in understanding real-world implementations and recommended patterns.

What we’ve tried so far

  • SAP BuildMap Rules
  • Metadata
  • Workflows

However, we need a reliable and scalable solution that ensures newly aggregated roles are consistently identified and included when they match predefined Authorization Object criteria.

If anyone has implemented something similar — especially involving SAP Authorization Objects with the Direct Connector — I would really appreciate your insights or recommended design patterns.

Thank you in advance.

Best regards,
Richard Rocha
