Assign Access Profile to a user

Identity Security Cloud (ISC) ISC Discussion and Questions
1

If an access profile has an approval process, can we bypass it directly via access request API? I got 202 accepted but it’s not getting assigned as approval process defined.

image
image641×771 32.8 KB

2

I believe that you could take that Access Request ID and get the Approval ID from here:

Then use the ApprovalID with the Approve Access Request API found here:

This should allow you to approve it, but I would be careful that you understand how this may bypass the business processes and may have concerns from Auditors if you are circumventing the approval process.

1 Like
3

well, let me put it another way, we don’t want approvers to be notified about the request being in their queue. This is part of retaining access during employee to non employee conversion. Since the requests were already approved, we just need to import the access profiles to the new identity bypassing the approvals.

4

Here are a few thoughts on how to handle this more cleanly:

  • Instead of assigning the access profile directly, include it within a role and have users request the role. This allows approvals to be managed at the role level.
  • When approvals need to be bypassed (e.g. during a job transfer or identity type change), use a workflow to assign the access profile directly.
  • If the access was already approved previously, consider not removing it during the transition. This avoids unnecessary re-requests and approvals.
2 Likes
5

We prefer not to use roles from a maintenance perspective. Since it’s only for a few users, wanted to import the access profiles to a new identity similar to how batch requests work in IdentityIQ…can we set a flag to bypass approval as part of access requests API?

6

I don’t believe that is possible as it goes against the configuration if approvals are required.

How are you doing the conversion from Employee to non-employee? Could you look at that and see if there is a way to maintain the granted access through the conversion, rather than trying to re-add it without approvals?

7

Have you seen this post and tried it out? Looks/sounds something similar - Generic Workflow to Auto-Approve/Reject an access request

1 Like