SailPoint Certification Exclusion Rules

One of the goals of a certification is to provide certifiers with a succinct list of items to be reviewed. Default values, low-risk entitlements, and distribution groups can commonly be removed from a certification. It is also common to have application entitlements reviewed by one user and other entitlements by a separate user.

To remove various items from a SailPoint Certification, an Exclusion Rule is employed.  The Exclusion Rule iterates over the items in a certification and removes items based on logic built within the rule.  The matching items are removed from the “active list” and added to a list of items to be excluded (these items can be saved for future analysis).

The example below illustrates one methodology for excluding items from a SailPoint Certification:

One note about Exclusion Rules – saving the exclusions after certification generation is an option but can have detrimental effects on performance. Storing thousands of “saved exclusions” can impede a certification, since the XML generated in the background is larger than one without saved exclusions.

Example: Remove items based on attribute name & value.

For a certification, every user is provisioned with the role “PeopleSoft:Birthright” and the entitlement “invoiceamt=0.” Since those values are given to every user, they can be considered an acceptable exclusion.
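The following is an added example of such a rule, not code from the original post or from SailPoint; it is written as IdentityIQ BeanShell and assumes the standard Certification Exclusion rule inputs (`items`, `itemsToExclude`) and the `sailpoint.object` classes named below. The attribute name “invoiceamt” and the role name come from the example above.

```java
// Added example: exclude the birthright role and the default "invoiceamt=0" entitlement.
// Assumes the CertificationExclusion rule signature: 'items' is the live list of
// Certifiable objects and 'itemsToExclude' collects the removed ones.
import java.util.Iterator;
import java.util.List;
import sailpoint.object.Attributes;
import sailpoint.object.Bundle;
import sailpoint.object.Certifiable;
import sailpoint.object.EntitlementGroup;

String BIRTHRIGHT_ROLE = "PeopleSoft:Birthright";   // role every user receives
String DEFAULT_ATTR    = "invoiceamt";              // attribute every user receives
String DEFAULT_VALUE   = "0";                       // its default value

int excluded = 0;
Iterator it = items.iterator();
while (it.hasNext()) {
    Certifiable item = (Certifiable) it.next();
    boolean exclude = false;

    if (item instanceof Bundle) {
        // Role assignment: match on the role name only.
        exclude = BIRTHRIGHT_ROLE.equals(((Bundle) item).getName());
    } else if (item instanceof EntitlementGroup) {
        // One application's attribute/value pairs for this identity. Exclude only
        // when the group holds nothing but the default entry; a group that also
        // carries other entitlements (or a real invoice amount) must stay in review.
        Attributes attrs = ((EntitlementGroup) item).getAttributes();
        if (attrs != null && attrs.size() == 1 && attrs.containsKey(DEFAULT_ATTR)) {
            Object val = attrs.get(DEFAULT_ATTR);
            if (val instanceof List) {
                List vals = (List) val;
                exclude = vals.size() == 1 && DEFAULT_VALUE.equals(String.valueOf(vals.get(0)));
            } else {
                exclude = DEFAULT_VALUE.equals(String.valueOf(val));
            }
        }
    }

    if (exclude) {
        itemsToExclude.add(item);   // keep for later analysis if saving is enabled
        it.remove();                // drop from the active list the certifier sees
        excluded++;
    }
}

// The returned string is stored as the explanation for the excluded items.
return excluded > 0 ? "Excluded " + excluded + " birthright item(s)" : null;
```

Whether the `itemsToExclude` list is persisted is controlled by the certification definition's save-exclusions setting, which is where the performance caveat above applies.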

Questions, comments or concerns? Feel free to reach out to us below, or email us at IDMWORKS to learn more about how you can protect your organization and customers.
