If you have identities with multiple accounts on the same application, and are using roles in IdentityIQ, you must design your role structure so that each entitlement inside the role is separated into its own profile.
Let's examine the following scenario:
1 - (IIQ Identity) John Doe
    (account 1 on Active Directory) jdoe
        (entitlement) DBA
    (account 2 on Active Directory) jdoe2
        (entitlement) ADMIN
2 - (IT role) Super User
    (profile) must have DBA and ADMIN entitlements on the same app
3 - If I run an identity refresh, the role is NOT detected.
4 - I then break up the role profile into two separate profiles like so:
5 - (IT role) Super User
    (profile) must have DBA on app
    (profile) must have ADMIN on app
6 - Now run an identity refresh and the role IS detected.
Note:
Create a certification and revoke the role from the identity.
(pre 5.2) Only one entitlement is revoked. (ETN 8048, fixed in 5.2)
(5.2) Both entitlements are revoked.
So in this case we have no involvement of the Business Roles?
@darylclaude_medina In the example above, what if the IT role was built as follows:
(IT Role) Super User
    (profile) must have DBA on AD
    (profile) must have ADMIN on app_Apple
1 - (IIQ Identity) John Doe
    (account on AD) jdoe = (entitlement) DBA
    (account 1 on app_Apple) jdoe
        (entitlement) Analyst
    (account 2 on app_Apple) jdoe2
        (entitlement) ADMIN
In this case, the user gets the IT Role. Is there a way where we can only detect the IT Role if the user has both the matching entitlements in the role AND the application accounts are matching also (i.e. jdoe)?
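The following is an added example, not SailPoint code and not part of this thread. It is a small Python model of the detection behaviour described above, both for the original post (one profile requiring DBA and ADMIN versus two single-entitlement profiles) and for the cross-application case in the question just above. The matching rule it assumes is: a profile is satisfied by any one account on its application that holds all of the profile's entitlements, and the role is detected when every profile is satisfied. The class names, the `detect_role`/`accounts_used` helpers and the sample accounts are constructed for illustration; the only application and entitlement names used are the ones from the thread.

```python
# Added example (not SailPoint code): toy model of IdentityIQ role detection
# for identities with several accounts on one application.
# Assumed semantics: each profile is satisfied by ANY single account on its
# application holding ALL of that profile's entitlements; the role is
# detected when every profile is satisfied. Profiles are matched independently,
# so two profiles may be satisfied by two different accounts.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    application: str
    native_identity: str            # account name on the application, e.g. "jdoe"
    entitlements: FrozenSet[str]


@dataclass(frozen=True)
class Profile:
    application: str
    entitlements: FrozenSet[str]    # all of these must sit on ONE account


@dataclass(frozen=True)
class Role:
    name: str
    profiles: Tuple[Profile, ...]


def match_profile(profile: Profile, accounts: List[Account]) -> Optional[str]:
    """Return the native identity of the first account on the profile's
    application that holds every entitlement in the profile, else None."""
    for acct in accounts:
        if acct.application == profile.application and profile.entitlements <= acct.entitlements:
            return acct.native_identity
    return None


def detect_role(role: Role, accounts: List[Account]) -> Tuple[bool, Dict[int, str]]:
    """Return (detected, {profile index: account that satisfied it}).
    Detection stops at the first profile no account can satisfy."""
    matches: Dict[int, str] = {}
    for i, prof in enumerate(role.profiles):
        acct = match_profile(prof, accounts)
        if acct is None:
            return False, matches
        matches[i] = acct
    return True, matches


def accounts_used(role: Role, accounts: List[Account]) -> Tuple[bool, List[str]]:
    """Detection result plus the distinct accounts the profiles drew on.
    More than one account means the role was assembled across accounts,
    which is what the question above is concerned with."""
    detected, matches = detect_role(role, accounts)
    return detected, sorted(set(matches.values()))


# --- Constructed sample data, mirroring the thread's scenarios ---

# Original post: John Doe with two Active Directory accounts.
JOHN_AD = [
    Account("Active Directory", "jdoe", frozenset({"DBA"})),
    Account("Active Directory", "jdoe2", frozenset({"ADMIN"})),
]
# One profile requiring both entitlements on the same account.
SINGLE_PROFILE_ROLE = Role("Super User", (
    Profile("Active Directory", frozenset({"DBA", "ADMIN"})),
))
# The same role broken into one profile per entitlement.
SPLIT_PROFILE_ROLE = Role("Super User", (
    Profile("Active Directory", frozenset({"DBA"})),
    Profile("Active Directory", frozenset({"ADMIN"})),
))

# Follow-up question: DBA on AD, ADMIN on a second account of app_Apple.
JOHN_MIXED = [
    Account("AD", "jdoe", frozenset({"DBA"})),
    Account("app_Apple", "jdoe", frozenset({"Analyst"})),
    Account("app_Apple", "jdoe2", frozenset({"ADMIN"})),
]
CROSS_APP_ROLE = Role("Super User", (
    Profile("AD", frozenset({"DBA"})),
    Profile("app_Apple", frozenset({"ADMIN"})),
))


if __name__ == "__main__":
    print("single profile, two AD accounts:", detect_role(SINGLE_PROFILE_ROLE, JOHN_AD))
    print("split profiles, two AD accounts:", detect_role(SPLIT_PROFILE_ROLE, JOHN_AD))
    print("cross-app role, accounts used:", accounts_used(CROSS_APP_ROLE, JOHN_MIXED))
```

Running it shows the three outcomes from the thread: the single combined profile is not detected because neither AD account holds both entitlements, the split profiles are detected with DBA matched on jdoe and ADMIN on jdoe2, and the cross-application role is detected even though the ADMIN profile was satisfied by jdoe2 rather than jdoe. The `accounts_used` helper only reports which accounts contributed; under the assumed semantics there is no per-role switch that restricts matching to one account, so the answer to the question above remains one for SailPoint support.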
Hello @dean_ia,
Since I was not the original author of this article, I cannot provide any specific advice regarding your use case. However, I highly recommend that you file a Customer Support request so that a SailPoint representative can start a thorough analysis of your situation.