Hi Team,
A number of stakeholders were happy with RBAC, but now, as it's audit time, they are asking whether there is any possibility of a revocation through workflows or triggers that would not re-provision access back to the user without disabling birthright, so that licenses do not cost them?
Osman, certification decisions have priority over automatic assignment. That means that if a BR or any role is revoked in a certification, even if the user falls under the criteria, it will not be provisioned. At least in IIQ.
For ISC you should test, but that is your best chance to achieve the requirement.
@osmanmohammed at present birthright roles can only be acknowledged, as it won't let you remove them unless the criteria is matching. You can try modifying the criteria to fit your audit requirement, or use request-based roles, which you can remove.
As long as the users match the Role criteria, the access will be granted back however you remove them.
If there are only a handful of users you are looking to exclude, you can directly exclude them from the rule by passing their employee ID values in the role membership criteria with a condition as below:
Or if you can get a specific attribute from the application or the auth source that could identify such users that need to be excluded, you can make use of that in the membership criteria.
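The post above recommends an exclusion clause on employee ID rather than a certification revoke. As an added example (not from this thread, and not SailPoint's own code) the script below models that difference: it evaluates a STANDARD role membership criteria tree against a few constructed identities, simulates a certification revoke followed by an identity refresh, and shows who gets the role back. The criteria shape (`operation`, `children`, `key.type`, `key.property`, `stringValue`) is assumed to follow the IdentityNow Roles API; the identities, attribute names and employee IDs are constructed sample data.

```python
"""Added example: why a certification revoke does not stick for users who still
match a role's membership criteria, and how an employee-ID exclusion clause
changes that. The criteria JSON shape is an assumption modelled on the
IdentityNow Roles API; identities and IDs below are constructed sample data."""
import copy
import json

# Assumed IDN-style criteria: Engineering users in the active lifecycle state.
BASE_CRITERIA = {
    "operation": "AND",
    "children": [
        {"operation": "EQUALS",
         "key": {"type": "IDENTITY", "property": "attribute.department"},
         "stringValue": "Engineering"},
        {"operation": "EQUALS",
         "key": {"type": "IDENTITY", "property": "attribute.cloudLifecycleState"},
         "stringValue": "active"},
    ],
}

# Constructed identities (id doubles as employeeId for brevity).
IDENTITIES = [
    {"id": "E1000", "attributes": {"employeeId": "E1000", "department": "Engineering", "cloudLifecycleState": "active"}},
    {"id": "E1001", "attributes": {"employeeId": "E1001", "department": "Engineering", "cloudLifecycleState": "active"}},
    {"id": "E1002", "attributes": {"employeeId": "E1002", "department": "Engineering", "cloudLifecycleState": "active"}},
    {"id": "E1003", "attributes": {"employeeId": "E1003", "department": "Finance", "cloudLifecycleState": "active"}},
    {"id": "E1004", "attributes": {"employeeId": "E1004", "department": "Engineering", "cloudLifecycleState": "inactive"}},
]


def _attr(identity, prop):
    """Resolve 'attribute.<name>' against the identity's attribute map."""
    if prop.startswith("attribute."):
        return identity.get("attributes", {}).get(prop[len("attribute."):])
    return identity.get(prop)


def matches(criteria, identity):
    """Recursively evaluate a criteria tree (string compares are case-insensitive)."""
    op = criteria["operation"]
    if op == "AND":
        return all(matches(c, identity) for c in criteria["children"])
    if op == "OR":
        return any(matches(c, identity) for c in criteria["children"])
    key = criteria["key"]
    if key["type"] != "IDENTITY":
        raise ValueError("only IDENTITY criteria are modelled in this example")
    actual = _attr(identity, key["property"])
    actual = "" if actual is None else str(actual).lower()
    expected = criteria["stringValue"].lower()
    if op == "EQUALS":
        return actual == expected
    if op == "NOT_EQUALS":
        return actual != expected
    if op == "CONTAINS":
        return expected in actual
    if op == "STARTS_WITH":
        return actual.startswith(expected)
    if op == "ENDS_WITH":
        return actual.endswith(expected)
    raise ValueError(f"unsupported operation {op}")


def exclude_employee_ids(criteria, employee_ids):
    """Return a copy of the criteria with one NOT_EQUALS clause per employee ID
    appended, the hand-built exclusion the post suggests for a handful of users."""
    if criteria["operation"] != "AND":
        criteria = {"operation": "AND", "children": [criteria]}
    out = copy.deepcopy(criteria)
    for eid in employee_ids:
        out["children"].append({
            "operation": "NOT_EQUALS",
            "key": {"type": "IDENTITY", "property": "attribute.employeeId"},
            "stringValue": eid,
        })
    return out


def refresh(criteria, identities):
    """Simulate an identity refresh: the role goes to everyone who matches now."""
    return {i["id"] for i in identities if matches(criteria, i)}


def certify_then_refresh(criteria, identities, revoked_ids):
    """Revoke the role in a certification, then run the next refresh and report
    who was re-provisioned and who stayed revoked."""
    assigned = refresh(criteria, identities)   # state before the campaign
    assigned -= set(revoked_ids)               # certification revoke decisions
    after = refresh(criteria, identities)      # next refresh / aggregation
    return {
        "re_provisioned": sorted(after - assigned),
        "stays_revoked": sorted(set(revoked_ids) - after),
    }


if __name__ == "__main__":
    revoked = ["E1000", "E1001"]
    print("no exclusion:  ", certify_then_refresh(BASE_CRITERIA, IDENTITIES, revoked))
    audit = exclude_employee_ids(BASE_CRITERIA, ["E1001"])
    print("with exclusion:", certify_then_refresh(audit, IDENTITIES, revoked))
    print(json.dumps(audit, indent=2))
```

Run as-is: with the base criteria both revoked users come straight back on the next refresh; once E1001 is excluded in the criteria, only E1000 is re-provisioned and E1001 stays revoked. The `NOT_EQUALS` clauses are the part you would paste into the role's membership criteria; everything else is only here to make the behaviour visible offline.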
If you are revoking access (granted from a role) of users satisfying the role membership criteria, IDN will re-provision the access during the next aggregation or refresh.
So, the only way is to exclude them from the role criteria.
You cannot revoke the access from identities that satisfy the role via membership criteria. The only way is to change the membership criteria based on your audit requirement, or update these 3000+ users outside of IDN so that they no longer satisfy the existing membership criteria and the entitlement revocation is triggered.
@osmanmohammed, in the first place birthright roles should not be removed as long as the user is ACTIVE within the organization. These roles should be assigned once a user joins the organization and need to be removed once they leave the organization.
If you have this requirement then you have to consider a role membership rule update; otherwise on the next aggregation it will provision accounts.
I have gone through your question and understand the client's ask, but if a role criteria is met IDN will provision the relevant access profile and/or entitlement.
If you do set up a certification, you can only acknowledge the access again, since the user still qualifies for that role.
You have to modify the criteria to exclude the said 3k members from its assignment, and there is no role membership rule support anymore.
Can confirm based on the extensibility document here.
And the official documentation when managing access under the admin guide here.
Would really like to highlight the following quote within the admin guide below:
Additionally, when a user no longer meets the criteria, IdentityNow deprovisions the role and its associated access profiles. This can occur because the assignment criteria or the identity data changed.