performing-entitlement-review-with-sailpoint-iiq

Performs entitlement review and access certification campaigns using SailPoint IdentityIQ including manager certifications, targeted entitlement reviews, role-based access validation, SOD violation remediation, and automated revocation workflows. Activates for requests involving access reviews, entitlement certifications, SailPoint IIQ governance, or periodic user access recertification.

Tags: Code Review, SailPoint, IdentityIQ, access-review, entitlement-certification, IGA, access-governance, scripts

What this skill does


# Performing Entitlement Review with SailPoint IdentityIQ

## When to Use

- Quarterly or annual access certification campaigns are required for compliance (SOX, HIPAA, PCI-DSS)
- Organization needs automated manager-based access reviews for all direct reports
- Targeted entitlement reviews are needed for sensitive applications or high-privilege roles
- Separation of Duties (SOD) violations must be identified and remediated
- Orphaned accounts and excessive entitlements need to be discovered and cleaned up
- Audit findings require evidence of periodic access review and remediation tracking

**Do not use** for real-time access control decisions; IdentityIQ certifications are periodic review processes designed for governance and compliance validation.

## Prerequisites

- SailPoint IdentityIQ 8.2+ deployed with database backend (Oracle, MySQL, or SQL Server)
- Application connectors configured for all in-scope systems (Active Directory, LDAP, databases, SaaS applications)
- Identity cubes aggregated with current entitlement data from all connected sources
- Email server configured for certification notifications
- Manager hierarchy defined in the identity model
- Business roles and entitlement glossary populated for reviewer context

## Workflow

### Step 1: Define Certification Campaign Strategy

Plan the certification scope and reviewer assignments:

```java
// SailPoint IdentityIQ BeanShell - Campaign Configuration
import sailpoint.object.*;
import sailpoint.api.*;
import java.util.*;

// Define campaign schedule for quarterly manager certifications.
// Note: as written, this schedule object is configured but never attached to
// the definition below or saved, so it has no effect on the campaign.
CertificationSchedule schedule = new CertificationSchedule();
schedule.setName("Q1-2026-Manager-Access-Review");
schedule.setDescription("Quarterly manager certification for all active employees");
schedule.setType(Certification.Type.Manager);

// Configure campaign scope
CertificationDefinition certDef = new CertificationDefinition();
certDef.setName("Q1 Manager Certification");
certDef.setOwner(context.getObjectByName(Identity.class, "cert-admin"));

// Set certification options
certDef.setCertifierSelectionType(CertificationDefinition.CertifierSelectionType.Manager);
certDef.setIncludeEntitlements(true);
certDef.setIncludeRoles(true);
certDef.setIncludeAccounts(true);
certDef.setIncludeAdditionalEntitlements(true);

// Exclude service accounts from manager reviews
Filter exclusionFilter = Filter.ne("type", "service");
certDef.setExclusionFilter(exclusionFilter);

// Configure notification settings
certDef.setNotificationEnabled(true);
certDef.setReminderFrequency(7); // days
certDef.setEscalationEnabled(true);
certDef.setEscalationDays(14);
certDef.setEscalationRecipient("security-governance-team");

// Set active period
certDef.setActivePeriodDays(30);
certDef.setAutoCloseEnabled(true);
certDef.setDefaultRevoke(true); // Revoke if not reviewed

context.saveObject(certDef);
context.commitTransaction();
```

### Step 2: Configure Targeted Entitlement Certification

Set up focused reviews for high-risk applications and privileged entitlements:

```java
// Targeted certification for privileged access review
import sailpoint.object.*;
import sailpoint.api.*;
import java.util.*; // List and ArrayList used for the application scope below

CertificationDefinition targetedCert = new CertificationDefinition();
targetedCert.setName("Privileged Access Targeted Review");
targetedCert.setType(Certification.Type.ApplicationOwner);

// Scope to specific high-risk applications
List applicationNames = new ArrayList();
applicationNames.add("Active Directory");
applicationNames.add("AWS IAM");
applicationNames.add("Oracle EBS");
applicationNames.add("SAP GRC");
applicationNames.add("CyberArk Vault");
targetedCert.setApplicationNames(applicationNames);

// Filter for privileged entitlements only
String entitlementFilter = "entitlement.classification == \"Privileged\" " +
    "|| entitlement.riskScore > 800 " +
    "|| entitlement.name.contains(\"Admin\") " +
    "|| entitlement.name.contains(\"Root\") " +
    "|| entitlement.name.contains(\"DBA\")";
targetedCert.setEntitlementFilter(entitlementFilter);

// Assign application owners as certifiers
targetedCert.setCertifierSelectionType(
    CertificationDefinition.CertifierSelectionType.ApplicationOwner
);

// Configure approval workflow
targetedCert.setApprovalRequired(true);
targetedCert.setSignOffRequired(true);
targetedCert.setReasonRequired(true);

// Enable SOD policy check during certification
targetedCert.setCheckSodPolicies(true);
targetedCert.setSodPolicyAction(CertificationDefinition.SodPolicyAction.Flag);

context.saveObject(targetedCert);
context.commitTransaction();
```

### Step 3: Implement SOD Policy Checks Within Certifications

Define Separation of Duties policies that flag violations during reviews:

```java
// Create SOD policy for financial system access conflicts
import sailpoint.object.*;
import sailpoint.object.Policy;

Policy sodPolicy = new Policy();
sodPolicy.setName("Financial SOD - AP/AR Conflict");
sodPolicy.setType(Policy.TYPE_SOD);
sodPolicy.setDescription("Prevents users from having both Accounts Payable " +
    "and Accounts Receivable access simultaneously");
sodPolicy.setViolationOwner(
    context.getObjectByName(Identity.class, "compliance-team")
);

// Define conflicting entitlements
SODConstraint constraint = new SODConstraint();
constraint.setName("AP-AR Separation");

// Left side: Accounts Payable entitlements
PolicyConstraint leftSide = new PolicyConstraint();
leftSide.setApplication("SAP ERP");
leftSide.addEntitlement("SAP_AP_PROCESSOR");
leftSide.addEntitlement("SAP_AP_APPROVER");
leftSide.addEntitlement("SAP_AP_ADMIN");
constraint.setLeftConstraint(leftSide);

// Right side: Accounts Receivable entitlements
PolicyConstraint rightSide = new PolicyConstraint();
rightSide.setApplication("SAP ERP");
rightSide.addEntitlement("SAP_AR_PROCESSOR");
rightSide.addEntitlement("SAP_AR_APPROVER");
rightSide.addEntitlement("SAP_AR_ADMIN");
constraint.setRightConstraint(rightSide);

// Set violation severity and remediation
constraint.setViolationSeverity("High");
constraint.setCompensatingControl("Dual approval required for transactions > $10,000");

sodPolicy.addConstraint(constraint);
context.saveObject(sodPolicy);
context.commitTransaction();
```
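The SOD check of Step 3 and the revocation plan of Step 4, modelled offline in Python as an added example (not SailPoint code): a constraint is a left and a right set of entitlement values on one application, an identity violates it when it holds at least one value from each side, and remediation removes the right-hand side's values using the same AccountRequest/AttributeRequest shape as the Step 4 plan. The identities and their memberOf values are constructed sample data, and the re-check after applying the plan is what a reviewer would want before signing off.

```python
from collections import namedtuple
from copy import deepcopy
# Two sets of entitlement values on one application that must not be held together (Step 3).
SODConstraint = namedtuple("SODConstraint", "name application left right")
AP_AR = SODConstraint(
    "AP-AR Separation", "SAP ERP",
    frozenset({"SAP_AP_PROCESSOR", "SAP_AP_APPROVER", "SAP_AP_ADMIN"}),
    frozenset({"SAP_AR_PROCESSOR", "SAP_AR_APPROVER", "SAP_AR_ADMIN"}),
)
# Constructed identity data: identity -> application -> attribute -> set of values.
IDENTITIES = {
    "alice": {"SAP ERP": {"memberOf": {"SAP_AP_PROCESSOR", "SAP_AR_APPROVER"}}},
    "bob":   {"SAP ERP": {"memberOf": {"SAP_AP_PROCESSOR", "SAP_AP_ADMIN"}}},
    "carol": {"SAP ERP": {"memberOf": {"SAP_AR_ADMIN"}},
              "Active Directory": {"memberOf": {"Domain Users"}}},
}

def find_violations(identities, constraint):
    """Map each violating identity to (left hits, right hits); a violation needs both."""
    hits = {}
    for name, apps in identities.items():
        held = set()
        for values in apps.get(constraint.application, {}).values():
            held |= values
        left, right = held & constraint.left, held & constraint.right
        if left and right:
            hits[name] = (sorted(left), sorted(right))
    return hits

def revocation_plan(identity, application, attribute, values):
    """Step-4 shape: one Modify AccountRequest with one Remove AttributeRequest per value."""
    return {"identity": identity, "accountRequests": [{
        "application": application, "operation": "Modify",
        "attributeRequests": [{"name": attribute, "value": v, "operation": "Remove"}
                              for v in sorted(values)]}]}

def plan_remediation(identities, constraint, attribute="memberOf"):
    """Revoke the right-hand (AR) side for every violator so each conflict clears."""
    return [revocation_plan(name, constraint.application, attribute, right)
            for name, (_, right) in find_violations(identities, constraint).items()]

def apply_plans(identities, plans):
    """Apply the Remove requests to a copy of the identity data, for a post-remediation re-check."""
    updated = deepcopy(identities)
    for plan in plans:
        for acct in plan["accountRequests"]:
            for req in acct["attributeRequests"]:
                updated[plan["identity"]][acct["application"]][req["name"]].discard(req["value"])
    return updated
```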

### Step 4: Configure Revocation and Remediation Workflows

Automate access removal when certifiers revoke entitlements:

```java
// Configure automatic provisioning for revoked entitlements
import sailpoint.object.*;
import sailpoint.api.*;

// Create remediation workflow
Workflow remediationWorkflow = new Workflow();
remediationWorkflow.setName("Certification Revocation Workflow");
remediationWorkflow.setType(Workflow.Type.CertificationRemediation);

// Step 1: Create provisioning plan for revocation.
// Step is an inner class of Workflow, and a step script is a Script object
// rather than a raw string. The script assumes the workflow variables
// identity, applicationName, entitlementAttribute and entitlementValue
// are supplied when the workflow is launched.
Workflow.Step createPlan = new Workflow.Step();
createPlan.setName("Create Revocation Plan");
Script planScript = new Script();
planScript.setSource(
    "import sailpoint.object.ProvisioningPlan;\n" +
    "import sailpoint.object.ProvisioningPlan.AccountRequest;\n" +
    "import sailpoint.object.ProvisioningPlan.AttributeRequest;\n\n" +
    "ProvisioningPlan plan = new ProvisioningPlan();\n" +
    "plan.setIdentity(identity);\n" +
    "AccountRequest acctReq = new AccountRequest();\n" +
    "acctReq.setApplication(applicationName);\n" +
    "acctReq.setOperation(AccountRequest.Operation.Modify);\n" +
    "AttributeRequest attrReq = new AttributeRequest();\n" +
    "attrReq.setName(entitlementAttribute);\n" +
    "attrReq.setValue(entitlementValue);\n" +
    "attrReq.setOperation(ProvisioningPlan.Operation.Remove);\n" +
    "acctReq.add(attrReq);\n" +
    "plan.add(acctReq);\n" +
    "return plan;"
);
createPlan.setScript(planScript);
createPlan.setResultVariable("plan"); // the returned plan becomes visible to later steps as "plan"

// Step 2: Execute provisioning with retry logic
Workflow.Step executeProvisioning = new Workflow.Step();
executeProvisioning.setName("Execute Revocation");
Script executeScript = new Script();
executeScript.setSource(
    "import sailpoint.api.Provisioner;\n" +
    "Provisioner provisioner = new Provisioner(context);\n" +
    "provisioner.setNoTriggers(false);\n" +
    "ProvisioningResult result = provisioner.execute(plan);\n" +
    "if (result.isCommitted()) {\n" +
    "  // the remainder of this script is cut off in the source page\n" +
    "}\n"
);
executeProvisioning.setScript(executeScript);
```