Hi all,
We have a source where most people use SSO to log into their accounts; their source-native password usage is disabled. A password reset from ISC would make it possible to use the password again. Therefore most identities should not be able to perform a password reset on that source, but some should still be able to reset their passwords (other identity types, for example).
Right now the only way for end users to perform a password reset on their source is if we create an application object in ISC specifically for this. On that application we can then make sure it is not visible in the Request Center, since we don’t request access profiles through application objects. Then we can choose who can reset their password through the options:
- All users from source
- Specific users from source
Well, the second option applies to us. But how can we determine which specific users they are? We can only do this by assigning an access profile to this application object. Those with the access profile will then be able to perform a password reset.
But it is not possible to create an access profile, assign it to the ISC role of those who should be able to perform a password reset, and then be finished. The access profile requires at least one entitlement to be added for this; otherwise the access profile will be disabled by default. So the only way to ensure that these people can perform a password reset is by also giving them access to a (random?) entitlement in the source, which looks like an odd security decision to me.
As a workaround for this gap in SailPoint, we can try to add a dummy entitlement in the source (only if possible; not all sources support this), add it to the access profile, and ask the application not to assign this dummy entitlement to other users, because otherwise we get a detected access profile.
In my opinion it would make more sense if a concept within ISC were used to determine who can perform password resets, i.e., through a role, through segmentation, or through governance group membership perhaps, but at least in such a way that we are not dependent on the target application.
Kind regards,
Angelo