Hi, I am facing an issue where I am not able to add an entitlement to an access profile. It looks like this is an issue with our development env tenant and the SP team is checking on this. Meanwhile, I have this query: is it possible to run the create account HTTP operation without an entitlement?
Currently in my web service I am able to aggregate entitlements using Group aggregation, and those entitlements appear in the web service entitlement tab. When I try to add them to an access profile, it's not working for some reason.
I am getting only the above error message and nothing comes in ccg.log.
Could you please suggest how I can test my Create Account HTTP operation?
Do you also see the issue when you try to add the entitlement to a role directly? SailPoint has launched a feature this year where it is possible to directly map the entitlements to the role. If that is working, then you can use that functionality and assign the role itself.
I am not able to think of any standard solution where you would be able to create accounts without entitlements.
Thinking about it out of the box, maybe we can achieve it by using a workflow in this scenario, but it will depend on multiple factors, like what type of authentication is needed and, of course, the account schema.
The idea is that you can create an empty role, and when it is assigned to the user, the workflow will trigger. From the workflow, you can get the identity details for which the access was requested using search. Once you have all the details, you can probably populate the payload accordingly and thus create the account in the target application by HTTP action.
But still, this is not a standard practice and the question also remains that once you create the account in back-end you will need to run the account aggregation so that ISC can consider it as an account for the web service based source.
Probably other experts might have better suggestions here.
Hi @vguleria, thanks for your response. Yes, I am able to add the entitlement to a role. I will try adding a user to the role to check the create account operation.
If you are looking to test the create account operation alone without invoking the add entitlement endpoint, you can make sure the flag “Create Account with Ent request” in additional settings is checked.
With this flag checked, the connector only invokes the create account endpoint, assuming that the roles are added through the same endpoint, and doesn’t invoke the add entitlement endpoint again.
I hope you have defined one of the schema attributes as entitlement type so that account aggregation pulls the entitlements into SailPoint, which can be used for the access profile definition for your testing.
This is resolved. For anyone who visits here in the future: I have created an “entitlement type”, replacing the existing “group” type. During Account Schema creation, make sure the attribute which refers to the entitlement holds the same entitlement type which you used in the group aggregation operation.