Certification Campaign - Filter out birthright users for Role Review

Hello,

We have a role that is both Requestable as well as Birthright (defined Assignment Criteria).

Is there a way to create a Certification Campaign to only include the users that requested this role, and to not include users who have this role through Assignment Criteria?

The reason is that I don't want the reviewer to have to click Acknowledge for all birthright users.

Thanks

1 Like

If I do an identity search, I can see the difference is Birthright users have "revocable": false for the access (role), and requested users have "revocable": true.

        "access": [
            {
                "id": "63dbxxxxxxxxxxxxxxxxxxxc70ca7",
                "name": "Role A",
                "displayName": "Role A",
                "type": "ROLE",
                "description": "Birthright AND Requestable Role for xxxxxx Team members.",
                "owner": {
                    "id": "2c9180xxxxxxxxxxxxxxxxxxc1861",
                    "name": "Role Owner",
                    "displayName": "ISC RoleOwner"
                },
                "disabled": false,
                "revocable": false
            },

But I can't see how to include this in Campaign criteria, or in campaign filter.

Hi @jrossicare

During a certification, a reviewer cannot take any action on roles that are assigned to users through birthright.
Reviewers can take action (accept/reject) only for users whose roles were assigned through an access request.

Regarding your question, you can try using this filter:

@access(type:'ROLE' AND revocable:true)

@jrossicare you can try using TAGS, which can be updated based on whether the role has assignment criteria.

Further, you can use this tag in search.

Thanks

Shantanu

Hi Ousmane,

Thanks for your reply. It has helped me find a solution.

I need to create an IDENTITY campaign, not an Access Items campaign (which I was trying before).

Then I can use your query @access(type:ROLE AND revocable:true AND name:*role_xyz*)

Click ‘Certify these identities’

Then I need to refine Access Items and select only the roles that match my role name (in this case: name:*role_xyz*).

Click ‘Add to Campaign’ then Continue etc…

It is a pity the identity query doesn't also apply to the access items, and that you have to specifically select them. But at least it works.

EDIT: If you create the campaign via the API, you can use accessConstraints to specify only the roles you want to include. You need to explicitly put the Role IDs, and not a query/regex/filter.

Thanks.

2 Likes
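
Added example, not part of any post above and not SailPoint code: an offline Python sketch of the approach the thread settles on. It applies the same per-access-item test as the @access(...) query to constructed identity documents, collects the role IDs that would go into accessConstraints, and flags in-scope identities that still hold one of those roles with "revocable": false. The searchCampaignInfo field names other than accessConstraints, the "SELECTED" operator value and all sample data are assumptions to verify against the API reference.

```python
import fnmatch

# Constructed sample identity documents, shaped like the search result in the thread.
R1 = {"id": "role-id-0001", "name": "role_xyz_team", "type": "ROLE"}
R3 = {"id": "role-id-0003", "name": "role_xyz_admin", "type": "ROLE"}
IDENTITIES = [
    {"name": "alice", "access": [{**R1, "revocable": True}]},
    {"name": "bob", "access": [{**R1, "revocable": False}]},
    # carol: no single access item satisfies all three conditions
    {"name": "carol", "access": [
        {"id": "role-id-0002", "name": "other_role", "type": "ROLE", "revocable": True},
        {"id": "ap-id-0001", "name": "role_xyz_ap", "type": "ACCESS_PROFILE", "revocable": True}]},
    # dave: requested role_xyz_admin, but holds role_xyz_team as birthright
    {"name": "dave", "access": [{**R1, "revocable": False}, {**R3, "revocable": True}]},
]

def requested_roles(identity, name_glob):
    """Access items that are a ROLE, revocable and name-matched, all on the same item.
    fnmatch stands in for the search wildcard here (an approximation)."""
    return [a for a in identity.get("access", [])
            if a.get("type") == "ROLE" and a.get("revocable") is True
            and fnmatch.fnmatchcase(a.get("name", ""), name_glob)]

def plan_campaign(identities, name_glob):
    """Return (identities in scope, role IDs to select, birthright holdings still in scope)."""
    in_scope = [i for i in identities if requested_roles(i, name_glob)]
    role_ids = sorted({a["id"] for i in in_scope for a in requested_roles(i, name_glob)})
    leftovers = sorted((i["name"], a["id"]) for i in in_scope for a in i["access"]
                       if a["id"] in role_ids and a.get("revocable") is False)
    return [i["name"] for i in in_scope], role_ids, leftovers

def search_campaign_info(query, role_ids):
    """Assumed body fragment for an identity search campaign (field names to be verified)."""
    if not role_ids:
        raise ValueError("no requested roles matched; refusing to build an unconstrained campaign")
    return {"type": "IDENTITY", "query": query,
            "accessConstraints": [{"type": "ROLE", "ids": role_ids, "operator": "SELECTED"}]}

if __name__ == "__main__":
    names, ids, leftovers = plan_campaign(IDENTITIES, "*role_xyz*")
    print("certify:", names)
    print("role IDs:", ids)
    print("birthright holdings to expect in review:", leftovers)
    print(search_campaign_info("@access(type:ROLE AND revocable:true AND name:*role_xyz*)", ids))
```

The leftovers list is the case to check before launching: the identity query scopes who is certified, while the constraint lists roles by ID only.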