Sequencing of Entitlements During Provisioning

Hi all. We have a use case on the EPIC connector where, for example, we have the following entitlements:

  1. VIP 1
  2. VIP 2
  3. VIP 3
  4. Non VIP

We want to always apply the entitlement VIP 1 first, then followed by VIP 2, VIP 3, Non VIP sequentially. Or if, let’s say, the person does not have VIP 2, then it will not apply VIP 2, but it still needs to follow the sequence.

Appreciate any input on this matter. Thank you.

We’ve done something similar for a client and we used roles to control the sequencing. Basically Roles 2+ contain a condition noting requirement of some account attribute value to proceed with the provisioning.

Very rare that entitlement assignment order matters though and wondering if you could describe the specifics of WHY the order matters?

Curious to know what kind of entitlements on EPIC require this kind of sequence/ordering?

Hi Ed and Sunny,

Giving an example:

User A has entitlements VIP 1, VIP 2 and Non VIP.
If the Non VIP entitlement is applied first, it will overwrite the VIP 1 and VIP 2 entitlements, and in the end the user has the Non VIP entitlement only.

Very interested if this is possible, as I have a similar need. The situation is that manual provisioning is required and is to be assigned through a ServiceNow request, but that cannot occur until the Blueprint, Template, etc. (which are entitled resources) have been applied to the Epic SER. The current idea is to have an additional Access Profile associated to the Role, which results in a ServiceNow request (as a type of entitlement). So, if Entitlements can’t be sequenced, can Access Profiles?

It would be optimal if the ServiceNow request is not created before confirmation of application of the other entitled resources.

These scenarios sound like a “Depends on” or “Prerequisite” type scenario. We’ve done something similar (not elegant) using Roles with criteria built on account attributes and/or entitlements.

The concept is:

  • User gets Entitlement A which creates an account (if needed) and assigns the entitlement.
  • Role A Criteria says “If Entitlement A AND ” then assign this role

More roles can be added as needed to step through the multiple successive additions but it’s a lot of overhead for something that I’ve seen other vendors handle in much easier ways.

Hi all, we referred to the following discussion to resolve this issue by using a Before Provisioning Rule, and it is working. We have the identity attribute to determine the correct sequence, and thus we added the sequencing config in the BP rule.

Thanks all for the assistance.

Assign EPIC entitlements in an order - IdentityNow (IDN) / IDN Discussion and Questions - SailPoint Developer Community Forum

Hi @sjoyee, how does the BP rule do the sequencing? Can you please share the BP rule?

Hi Jason, since we have the identity attribute with the correct sequence, this is the current configuration we have in BP rule which is working, by replacing the account attribute (entitlement) value with the identity attribute value.

If you need to reorder the sequence, I believe you can loop the attribute request value (String or List) you retrieve, order it, and replace the old attribute request.

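```java
import java.util.Arrays;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// identity and accountRequest are assumed to have been resolved earlier in the rule

// get identity attribute
String flagIdAttribute = identity.getAttribute("flagIdAttribute");

// only replace the request when the identity attribute is populated
if (flagIdAttribute != null) {
    // remove original attribute request
    AttributeRequest roleAttrReq = accountRequest.getAttributeRequest("Account Attribute Name");
    if (roleAttrReq != null && roleAttrReq.getValue() != null) {
        accountRequest.remove(roleAttrReq);
    }

    // add trimmed and split list of Auth source identity attribute
    accountRequest.add(new AttributeRequest(
        "Account Attribute Name",
        ProvisioningPlan.Operation.Set,
        Arrays.asList(flagIdAttribute.replaceAll(" ", "").split(","))
    ));
}
```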

Hope this helps!
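
One way to do the reordering suggested in the reply above ("loop the attribute request value, order it, and replace the old attribute request"), as an added example that is not code from this thread or from SailPoint. It is plain Java that accepts the value as a String or a List and returns it in the VIP 1, VIP 2, VIP 3, Non VIP order from the original question; the class name, the `PRIORITY` list and the handling of unrecognised values are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;

public class EntitlementOrder {
    // Apply order from the thread: VIP 1, VIP 2, VIP 3, then Non VIP.
    static final List<String> PRIORITY = Arrays.asList("VIP 1", "VIP 2", "VIP 3", "Non VIP");

    // Accepts the attribute request value as a comma-separated String or a List,
    // drops blanks and duplicates, and returns the values in PRIORITY order.
    // Assumption: values not in PRIORITY are kept, after the known ones, in their original order.
    static List<String> order(Object value) {
        List<Object> raw = new ArrayList<>();
        if (value instanceof String) {
            raw.addAll(Arrays.asList(((String) value).split(",")));
        } else if (value instanceof List) {
            raw.addAll((List<?>) value);
        } else if (value != null) {
            throw new IllegalArgumentException("Unsupported value type: " + value.getClass());
        }
        LinkedHashSet<String> seen = new LinkedHashSet<>();
        for (Object o : raw) {
            if (o != null && !o.toString().trim().isEmpty()) {
                seen.add(o.toString().trim());
            }
        }
        List<String> ordered = new ArrayList<>(seen);
        // List.sort is stable, so unknown values keep their relative order.
        ordered.sort((a, b) -> Integer.compare(rank(a), rank(b)));
        return ordered;
    }

    // Position in PRIORITY, or one past the end for values that are not listed.
    static int rank(String name) {
        int i = PRIORITY.indexOf(name);
        return i >= 0 ? i : PRIORITY.size();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one String value, one List value with a duplicate.
        System.out.println(order("Non VIP, VIP 2,VIP 1"));
        System.out.println(order(Arrays.asList("VIP 3", "Non VIP", "VIP 1", "VIP 3")));
    }
}
```

In a rule, the returned list would be the value of the replacement `AttributeRequest` in place of the unsorted one.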
