Search Certification configuration doesn't show all access available

gmilunich · February 14, 2024, 2:34am

What problem are you observing?

If you are doing an Identities Search Certification started from the [ Search → Certification Campaign → New Campaign → Identities ] screen, it is possible that the system will miss access if you choose to do Refine Access Items and more than 10,000 entitlements are found on the users returned by the query. If you use the filter search box to try and limit the returned values, it will only return those that match from the initial 10,000 found, not the complete list. There is no way to access the remaining items in the list either, as there is no Filters button like the Entitlement admin window has

What is the correct behavior?

When you use the filter search box to limit the results, it should search all entitlements found, not just the initial 10,000 returned. Or additional options should be added to view/refine the access in the remaining item.

What product feature is this related to?

Access Certifications and UI Design decisions

What are the steps to reproduce the issue?

Have over 10k entitlements in the system (50k+ in the system this was found)
Have a query that return enough users who have over 10k entitlements unique entitlements combined before reaching the last user, as referenced in the next item… (2000 users in this system. )
Have an entitlement added to a singular user whose name starts with Z. (This appears that the users are checked for Entitlements alphabetically, so the later the user is, the more likely it is to get missed. ) No other users should have this entitlement.

Search → Certification Campaign → New Campaign → Identities
All users returned by query. Run your query and then click certify these users
Select Refine Access Items
Verify that the Entitlements Tab has the number 10000 next to it denoting that there are more than the defined return amount (this is documented that only 10k are returned, but the system states to use the filter to narrow down the scope.)
Search for the limited entitlements that you want that include the one that you added to the user whose name starts with Z.
Take note that the Entitlement is NOT in the entitlements you can select from to add.
Take note that there is no way to access the additional entitlements to add to the search.

Do you have any other information about your environment that may help?

The issue appears to be when users returned from a search query have more than 10k entitlements combined returned, and a user lower in the alphabet has an entitlement that has not been found on a user after the first 10k are found. This shows the general issue with this (and likely all Refine sections) is that there is no way to view or select any of the items beyond the first 10k, thus not allowing you to configure a valid certification.

Topic		Replies	Views
Certification of Entitlements that are part of a Role ISC Discussion and Questions identity-security-cloud	5	702	July 19, 2023
Segregation of Duty search breaks on invalid input Bugs identity-security-cloud , search	0	215	October 3, 2023
Entitlement Owner missing in Campaign Access Items ISC Discussion and Questions apis , identity-security-cloud , certifications	5	418	July 29, 2023
Campaign Filters OR Search filter - Need help ISC Discussion and Questions identity-security-cloud	6	305	October 29, 2023
Campaign for entitlement assignments without role/access profiles ISC Discussion and Questions roles , search , access-profiles , entitlements	1	463	July 19, 2023