Can there be a threshold check during assignment or removal of a role?
Basically, let's say more than 100 roles are getting removed; then the threshold check should stop removing the accesses?
Hello Amrit,
For criteria roles, as far as I know there is nothing that you can do.
But let's say you are revoking roles via workflow; it is possible to control how many roles you will revoke.
Att.
I think you are talking about this assignment as part of the daily refresh? If yes, I don't think there is any option available. I would suggest checking this with SailPoint support.
“Can there be”…yes. Somewhat of a custom job.
For the roles that you want to “protect” with a threshold, specify a dummy approver.
With a periodic workflow / script, get a list of approved access requests with this particular role assigned in the last, say, 24 hours. If the count is greater than 100, deny the approval request. If the count is less than 100, approve the pending approval request. (Handle the pending approval request in a sorted order)
e.g. Get-V2024AccessRequestStatus with filtering and pipelining, Get-V2024PendingApprovals
Additionally, you can leverage metadata attributes to specify a per-role threshold. The PowerShell script just needs to get this metadata attribute's value of the role instead of having a hard-coded 100.
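The gate described in the post above, sketched as an added PowerShell example (not code from the thread or from SailPoint). It covers only the decision step: the input object shapes (`Id`, `RoleId`, `Created`, `Completed`), the function name and the sample data are assumptions, and a role that has already reached its limit in the window is denied.

```powershell
# Added example: decision logic only. Object shapes are assumptions, not SDK output.
function Get-ThresholdDecision {
    param(
        [object[]]$PendingApprovals,       # each item: Id, RoleId, Created
        [object[]]$RecentApproved,         # each item: RoleId, Completed
        [hashtable]$RoleThreshold = @{},   # per-role limit, e.g. read from role metadata
        [int]$DefaultThreshold = 100,
        [int]$WindowHours = 24,
        [datetime]$Now = (Get-Date)
    )
    $cutoff = $Now.AddHours(-$WindowHours)
    # Count approvals already granted per role inside the window.
    $count = @{}
    foreach ($r in $RecentApproved) {
        if ($r.Completed -ge $cutoff) { $count[$r.RoleId] = 1 + [int]$count[$r.RoleId] }
    }
    # Oldest pending request first, so the outcome does not depend on fetch order.
    foreach ($p in ($PendingApprovals | Sort-Object Created)) {
        $limit = $DefaultThreshold
        if ($RoleThreshold.ContainsKey($p.RoleId)) { $limit = [int]$RoleThreshold[$p.RoleId] }
        $used = [int]$count[$p.RoleId]
        if ($used -lt $limit) {
            $count[$p.RoleId] = $used + 1   # an approval consumes one slot of the budget
            $decision = 'Approve'
        } else {
            $decision = 'Deny'
        }
        [pscustomobject]@{ Id = $p.Id; RoleId = $p.RoleId; Decision = $decision; Limit = $limit }
    }
}

# Constructed sample data: role-a is limited to 3 per 24 hours, role-b uses the default.
$now = [datetime]'2025-01-10T12:00:00'
$recent = @(
    [pscustomobject]@{ RoleId = 'role-a'; Completed = $now.AddHours(-2) }
    [pscustomobject]@{ RoleId = 'role-a'; Completed = $now.AddHours(-5) }
    [pscustomobject]@{ RoleId = 'role-a'; Completed = $now.AddHours(-30) }  # outside window
)
$pending = @(
    [pscustomobject]@{ Id = 'p3'; RoleId = 'role-a'; Created = $now.AddMinutes(-5) }
    [pscustomobject]@{ Id = 'p1'; RoleId = 'role-a'; Created = $now.AddMinutes(-20) }
    [pscustomobject]@{ Id = 'p2'; RoleId = 'role-a'; Created = $now.AddMinutes(-10) }
    [pscustomobject]@{ Id = 'p4'; RoleId = 'role-b'; Created = $now.AddMinutes(-1) }
)
Get-ThresholdDecision -PendingApprovals $pending -RecentApproved $recent `
    -RoleThreshold @{ 'role-a' = 3 } -Now $now | Format-Table
```

In a real run the two input lists would be mapped from the output of `Get-V2024PendingApprovals` and `Get-V2024AccessRequestStatus`, and each `Decision` would be applied as the dummy approver.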
I think managing it outside SailPoint will be a little easier compared to doing it via workflows.
Yeah, it's far more liberating once you get outside of the confines of ISC. ISC itself is functionally rather rudimentary with its OOTB IGA use cases coverage. A lot of additional business logic has to be bolted on here and there.
Like you can't even have “new” custom email templates at the tenant level…you need to go to a step level in the workflow to define the email. There's no OOTB access removal workflow (it's community-built), no account deletion, no identity deletion, no per entitlement deletion OOTB. It doesn't handle multi-account per source per identity very well either.
Also, with all the transforms built in JSON, just give us a graphical editor already. (e.g. below or similar to the workflow builder) Better yet, give us the AI and LLM to build transforms.
Totally agree. If I remember right, threshold support came late in IIQ too. Hopefully, there's already something like that in the works—or at least an idea submitted around for it.
True…but that should be a lesson learnt from back then, and now it should come under “I know better now” kind of feature / functionality / configuration…and IDN / ISC is not exactly young anymore.
