Assign Roles Manually in SailPoint

Like most people doing SailPoint implementations, I keep a sandbox environment with SailPoint for my own testing and development. I often want to assign or remove a role from a user to test a provisioning policy or integration config. Back in the days of IIQ 5.5, I could do this by directly assigning role in the identity cube itself. Since moving to 6.0 and beyond, that functionality has been replaced with the LCM access request functionality.

Overall, I really enjoy the access request functionality. It provides a full-featured request interface that is a step above most other IAM/IAG products I’ve worked on. It’s great for both end-user access requests and delegated administration. However, once I’ve developed complex access request workflows with approvals, it adds time to my testing when I’m not working directly on the workflow. One option is to keep a copy of the request workflow that doesn’t have any approvals and keep changing out the workflows. Another option I use is to enable the older-style manual assignment of roles. This feature can be enabled by adding the following tag into the System Configuration object.

<entrykey="enableAdminRoleChanges" value="true"/>

This will enable the “Add Role” button in the Entitlements tab. The setting reverts the UI to the Assigned and Detected look of IIQ 5.5. While this isn’t ideal for a production deployment since the IIQ 6.0 Roles interface is far superior, it seems to be a good workaround for my testing needs.