SOD Policy Violation Behavior

Hi folks, a question regarding SoD policy. Let’s say I have a policy configured as follows:

  • Access List A: Entitlement 1

  • Access List B: Entitlement 2

A user already holds Entitlement 1, which was requested from the ISC UI and provisioned successfully to the target system. Now, if I add the conflicting access (Entitlement 2) directly in the target system, will ISC report the violation after aggregation? Or how does SoD behave in this scenario?

Also, does subscription play any role here? Thanks.

If you add the second entitlement (Entitlement 2) after aggregation, SailPoint will not show a violation on the account. You should not be adding any access outside SailPoint when you want to validate SoDs.

Next, if you subscribe to an SoD policy, the email will contain the information on where that SoD is violated.

Please correct me if I am wrong; my understanding is: if Entitlement 2 is added directly in the target and you then aggregate the account, ISC will, at the next identity refresh/policy evaluation, create an SoD policy violation (provided the policy is active and both entitlements are in the access catalog and correlated to the same identity).
• SoD subscriptions are not required for detection; they only notify you (by email) when a violation is created or cleared. Detection happens regardless.
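As an added illustration for the scenario discussed in this thread (this is constructed example code, not SailPoint's implementation and not code posted by any participant), the model below evaluates an SoD policy with two access lists against an identity's correlated access. The class and field names, the sample policy, the identity "jdoe" and the email address are assumptions; the point it shows is that evaluation only looks at what access the identity holds after aggregation, not at how that access arrived, that an uncorrelated account or an inactive policy yields no violation, and that a subscription only controls notification.

```python
"""Constructed offline model of SoD policy evaluation (illustrative, not SailPoint code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SodPolicy:
    name: str
    access_list_a: frozenset            # conflicting set A, e.g. {"Entitlement 1"}
    access_list_b: frozenset            # conflicting set B, e.g. {"Entitlement 2"}
    active: bool = True
    subscribed_emails: tuple = ()       # notification only; never affects detection


@dataclass
class Identity:
    name: str
    # (entitlement, source) pairs; source records how the access arrived
    access: list = field(default_factory=list)

    def held(self):
        return {ent for ent, _ in self.access}


def aggregate_account(identity, account_entitlements, correlated=True):
    """Merge entitlements read from a target-system account into the identity.

    An account that does not correlate to the identity contributes nothing,
    which is why the answer above lists correlation as a precondition.
    """
    if not correlated:
        return
    for ent in account_entitlements:
        if ent not in identity.held():
            identity.access.append((ent, "aggregated"))


def evaluate_policy(policy, identity):
    """Return the violating (A, B) entitlement pairs, or [] if there is no conflict."""
    if not policy.active:
        return []
    held = identity.held()
    hits_a = sorted(held & policy.access_list_a)
    hits_b = sorted(held & policy.access_list_b)
    if not hits_a or not hits_b:
        return []
    # any entitlement from A combined with any from B is a conflict
    return [(a, b) for a in hits_a for b in hits_b]


def notifications(policy, violations):
    """Emails to send: only when there is a violation AND someone is subscribed."""
    if not violations or not policy.subscribed_emails:
        return []
    return [(email, policy.name, violations) for email in policy.subscribed_emails]


def run_scenario(subscribe=False, correlated=True, active=True):
    """Replay the thread's scenario and return (violations, notifications)."""
    policy = SodPolicy(
        name="Conflict A/B",                       # assumed policy name
        access_list_a=frozenset({"Entitlement 1"}),
        access_list_b=frozenset({"Entitlement 2"}),
        active=active,
        subscribed_emails=("sod-owner@example.com",) if subscribe else (),  # assumed address
    )
    user = Identity("jdoe", [("Entitlement 1", "requested")])   # provisioned via ISC UI
    assert evaluate_policy(policy, user) == []                  # no conflict before aggregation

    # Entitlement 2 was added directly in the target; aggregation reads both back
    aggregate_account(user, ["Entitlement 1", "Entitlement 2"], correlated=correlated)
    violations = evaluate_policy(policy, user)
    return violations, notifications(policy, violations)


if __name__ == "__main__":
    for kwargs in ({}, {"subscribe": True}, {"correlated": False}, {"active": False}):
        print(kwargs, "->", run_scenario(**kwargs))
```

Running the script prints the four variants: a violation with no email, the same violation plus one email when subscribed, and no violation when either the account is uncorrelated or the policy is inactive.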
