If you have identities with multiple accounts per application, and are using Roles in identityIQ, you must design your role structure such that each entitlement inside the role is separated into it's own profile.
Let's examine the following scenario:
1 - (IIQ Identity) John Doe (account 1 on Active Directory) jdoe (entitlement) DBA (account 2 on Active Directory) jdoe2 (entitlement) ADMIN
2 - (IT role) Super User (profile) must have DBA and ADMIN entitlements on same app
3 - If I run an identity refresh the role is NOT detected.
4 - I then break up the role profile into two separate profiles like so:
5 - (IT role) Super User (profile) must have DBA on app (profile) must have ADMIN on app
6 - Now run an identity refresh and the role IS detected.
Note:
Create a certification and revoke the role from the identity.
(pre 5.2) Only one entitlement is revoked. (ETN 8048, fixed in 5.2) (5.2) Both entitlements are revoked.
@darylclaude_medina In the example above, what if the IT role was built as follows:
(IT Role) Super User (profile) must have DBA on AD (profile) must have ADMIN on app_Apple
1 - (IIQ Identity) John Doe (account on AD) jdoe = (entitlement) DBA (account 1 on app_Apple) jdoe (entitlement) Analyst (account 2 on app_Apple) jdoe2 (entitlement) ADMIN
In this case, the user gets the IT Role. Is there a way where we can only detect the IT Role if the user has both the matching entitlements in the role AND the application accounts are matching also (i.e. jdoe) ???
Since I was not the original author of this article, I cannot provide any specific advice regarding your use case. However, I highly recommend that you file a support ticket so that a SailPoint representative can thoroughly troubleshoot the issue that you are experiencing.
