Targeted SQL Database account certification - exclude accounts with only specific entitlement

Which IIQ version are you inquiring about?

8.3

Share all details about your problem, including any error messages you may have received.

Hello,

Our env has a lot of shared servers hosting SQL databases. When these databases aggregate, they create a user account for people who have permissions on another database hosted by the server, and assign them the CONNECT SQL grant. The result is that when we launch a campaign to certify these databases, there is a lot of noise and accidental revocations take place because, to the reviewer, it looks like the user has access to a database they shouldn’t.

Is there a way to exclude these accounts with only CONNECT SQL from the campaign using a population or other means? Or, better yet, prevent the aggregation from picking them up?

Hi @JoelmK ,

Please check if you can leverage a certification exclusion rule to control what is included in the certification campaign.

Also, as you mentioned, if there is a way to differentiate such user accounts then you can try using an aggregation customization rule to control what is aggregated in SailPoint (e.g., return the resourceObject if the criteria condition is satisfied, otherwise return null).

Thanks,
Pallavi
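
As an added illustration of the customization-rule approach suggested above (this is example code written for this thread, not code from the original post or from SailPoint), here is an IIQ 8.x aggregation Customization rule body that skips accounts whose only access is the CONNECT SQL permission. It assumes the connector exposes role membership in a `roles` attribute and server-level grants in the `directPermissions` attribute as `sailpoint.object.Permission` objects with the right string `CONNECT SQL`; those attribute names and the right string are assumptions about the schema, and the `object`, `log` and `context` variables are the standard Customization rule arguments.

```java
// Added example (not from the thread): IIQ 8.x aggregation Customization rule
// that drops accounts whose only access is the CONNECT SQL permission.
// Customization rule arguments: object (ResourceObject), application,
// connector, state, context, log. Return the object to keep it, null to skip.
// ASSUMPTIONS: attribute names "roles" and "directPermissions" and the right
// string "CONNECT SQL" follow this connector's schema; verify in the
// application definition before deploying.
import java.util.List;
import sailpoint.object.Permission;
import sailpoint.object.ResourceObject;

// true when the account has at least one database role
boolean hasRoles(ResourceObject ro) {
    Object roles = ro.getAttribute("roles");
    if (roles == null) return false;
    if (roles instanceof List) return !((List) roles).isEmpty();
    return roles.toString().trim().length() > 0;
}

// true when the account has direct permissions and every right on every
// permission is CONNECT SQL; any other right keeps the account in scope
boolean onlyConnectSql(ResourceObject ro) {
    List perms = (List) ro.getAttribute("directPermissions");
    if (perms == null || perms.isEmpty()) return false;
    for (Object o : perms) {
        Permission p = (Permission) o;
        String rights = p.getRights();   // comma-separated right names
        if (rights == null) return false;
        for (String r : rights.split(",")) {
            if (!"CONNECT SQL".equalsIgnoreCase(r.trim())) return false;
        }
    }
    return true;
}

if (!hasRoles(object) && onlyConnectSql(object)) {
    // Logged so an auditor can still see which accounts were filtered out
    log.debug("Customization rule skipping CONNECT SQL-only account "
              + object.getIdentity());
    return null;
}
return object;
```

Note the trade-off: returning null at aggregation time removes the account from IdentityIQ entirely, so it will not appear in certifications, reports or access reviews at all. If you want the account to remain visible but simply stay out of the campaign, the same `hasRoles`/`onlyConnectSql` checks belong in a certification exclusion rule instead, where they decide which items are excluded rather than whether the account exists.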

Hi @JoelmK, Welcome to Developer Community!

After reviewing your requirement, you might be doing an account certification.
In account certification, you can filter the user based on " Use filters or rules to find the Identities you would like to include in this certification."

Hope this helps!

Thanks,
Siva

Hello Pallavi,

Thank you for the reply!

We’ve experimented with this in the past, but ran into an issue where direct permissions on SQL databases are being identified as directPermissions. For some reason these are aggregated, can be brought into certifications and will show the unique entitlement (such as GRANT CONNECT SQL), and we can revoke them. However, we are unable to pull them out in any reporting or build rules/populations around them. When we try to build populations for them, the analytics or entitlement catalog will only return values for objects that fall under the ROLES attribute. (screenshot attached)

We tried building rules for them as well. We could exclude all permission type attributes, but with the missing values we were unable to exclude specific permissions. Do you have any advice on getting the values for these permissions?