In SailPoint IdentityIQ, we’ve implemented a use case where the application name, entitlement, and identity are collected through a form. These selected values are then sent to the manager for approval along with a justification, and upon approval, the provisioning request is executed to the target system.
Is it possible to implement this same workflow and forms in SailPoint Identity Security Cloud (ISC) using its available features (e.g., IdentityNow forms, workflows, or access requests)?
The manager should get a form with the selected access profile and justification.
Any guidance or best practices on how to achieve this in ISC would be greatly appreciated!
This can be implemented in SailPoint ISC using a custom workflow with the following approach:
Use a launcher with an interactive trigger to start the workflow and present a form to the submitter to collect application, entitlement, and justification details.
After submission, display a separate form to the manager for approval using another step.
Based on the manager’s response:
If approved, proceed to submit the access request via an HTTP request.
If denied, end the workflow.
Provisioning occurs once the access request is processed.
Optionally, use the Send Email action to notify the user or relevant teams of the outcome.
To add on to @nbhansali:
If you are eventually going to do it at the ENTITLEMENT level, set the Global Approval WF for Entitlements to go to the Manager, and you can simplify your steps by eliminating the need for one more FORM for the Manager.
The rest of the steps can stay the same.
Or even a simpler way:
In the first form itself, where you are seeking details from the Manager, set the value approved or not, and based on that, evaluate that value in the WF: only if YES do you trigger the access request via API, else the WF terminates and sends an email that the Manager denied. Here you will save yourself from setting any approval WFs for entitlements, and if you need anything entitlement specific, then ISC will respect that.
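The decision gate and HTTP request step described in the replies above, sketched as an added example that is not part of the original posts or SailPoint's own code. It assumes the ISC v3 access request endpoint (`POST /v3/access-requests`); the form field names, the `next_step` helper and the sample values are hypothetical.

```python
# Models the workflow branch: manager decision -> access request or denial email.
# Form field names (identityId, entitlementId, justification, requesterEmail)
# are assumptions; use the technical keys defined in your own ISC forms.

REQUIRED_FIELDS = ("identityId", "entitlementId", "justification")

# Constructed sample of what the submitter's form might hand to the workflow.
SAMPLE_FORM = {
    "identityId": "constructed-identity-id",
    "entitlementId": "constructed-entitlement-id",
    "justification": "Needs read access for quarterly audit",
    "requesterEmail": "requester@example.com",
}


def next_step(form, manager_decision):
    """Return the next workflow action as a dict.

    Fails closed: anything other than an explicit YES (missing value,
    typo, unexpected string) is treated as a denial.
    """
    approved = (manager_decision or "").strip().upper() == "YES"
    if not approved:
        return {
            "step": "send_email",
            "to": form.get("requesterEmail"),
            "subject": "Access request denied by manager",
        }

    # Refuse to submit a request with empty identity, item or justification.
    missing = [k for k in REQUIRED_FIELDS if not str(form.get(k, "")).strip()]
    if missing:
        raise ValueError("form is missing: " + ", ".join(missing))

    body = {
        "requestedFor": [form["identityId"]],
        "requestType": "GRANT_ACCESS",
        "requestedItems": [{
            "type": "ENTITLEMENT",
            "id": form["entitlementId"],
            "comment": form["justification"],
        }],
    }
    return {"step": "http_request", "method": "POST",
            "path": "/v3/access-requests", "body": body}
```

Treating every value other than YES as a denial keeps an empty or mistyped form field from reaching the provisioning step.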