Auto create source account (flat file) when new Identity Account is created

Hi All …

Problem statement: We have a flat file source, e.g. ‘Jira Requests’, configured for granting/revoking access to non-direct sources. We have a custom SailPoint/Atlassian-Jira connector rule in place that creates a Jira ticket for an access request.

The issue is, if there’s already a pending ticket (that hasn’t been actioned/closed yet for whatever reason) and the same user creates a second access request, SailPoint doesn’t provision the 2nd access request (doesn’t create a ticket) until the 1st pending ticket is closed (access request is provisioned), i.e. when the user source account is created first along with the access. SailPoint retries the 2nd access request for a month’s time; after that it throws a message saying ‘max number of status checks occurred’ and creates a new/duplicate ticket. So the idea here is that every user should have an account created on the ‘Jira Requests’ source. For a new user or existing users who haven’t yet requested any access, they should have at least their source account created but without any access granted to them, to avoid the issue of delaying the 2nd provisioning request and creating duplicate tickets.

I want to automatically create a user source account (flat file) without any access assigned to them, when their Identity account is created.

1st option is to do this via a workflow when an identity account is created. I tested it and it works fine. But, for the existing users, those who don’t already have their account created on the source, we have to manually create this by importing an accounts list, etc.

2nd option is to add the flat file source under Provisioning in the respective identity profile, e.g. when their lifecycle state is changed to active. The documentation says, for a flat file source, this should assign a task to the source owner so they can create the account manually, but again this would be a manual process. I tested it but it didn’t work, as I have not been assigned any task in SailPoint although I am the source owner. Not sure why?

Is there a better way to automate this process?

Thanks

@nhassan

Is this a direct Atlassian suite connector?

Do we have any criteria to say this person should have an account or everyone in the org should have an account? If yes, can’t we do this using criteria-based access assignment?
We can achieve this using service desk integration. So, whenever the criteria match for the user, SailPoint triggers the request, and a ticket will be generated (as this is a delimited source) for the Atlassian team so that they can manually create an account.

This is an ‘Atlassian Cloud Jira SDIM’ type integration setup for the service desk integration (Atlassian/Jira system) that creates a Jira ticket for an access request.

We want everyone in the org to have an account set up on the delimited source. It means those who are already granted any access via a Jira ticket would already have their account created, including the requested access (entitlement). But on the other hand, for those who are not yet granted any access via a Jira ticket, the idea is that they should have a blank account created (without any access) to (1) avoid delaying the 2nd access request provisioning issue (waiting for the 1st access request to be actioned/closed first and create the account) and (2) avoid the issue of creating a duplicate ticket when SailPoint stops retrying provisioning the 2nd access request after 30 days or so.

I hope it makes sense.

Thanks