Certification: What happens if you disable a role during an active certification?

I don’t have a demo system set up currently to test this, so I figured I would ask the collective mind: What happens when you disable a Role that is part of an Active Certification? Will it have negative effects on the certification?

As far as I know, there shouldn’t be any negative impact since the certifications are point-in-time.

Hi @gmilunich,

The role will still be present in the certification, as the certification is in the active stage.

I understand that it is point in time (thank you for confirming that) but I was wondering what would happen when a Certifier Approves/Revokes the role for the user, since once they sign off, the action (revoke) would take place and that Role would no longer be there.

Does the system check and see the Role is no longer on the user and mark it complete?

Disabling or deleting a role has these implications:

  • Removes the role from the Request Center
  • Prevents future automated assignment of the role
  • Removes the role from your identities
  • Does not deprovision the role’s access for identities which previously held it. Identities will keep entitlements they were granted through this role, but they will no longer be associated with the role.

Certifications are a point-in-time action. If a cert is created and the role is disabled during the campaign, then the cert will still show the role. However, approving or revoking the role won’t do anything and the verification step will be closed at the next aggregation/refresh for that identity.

One thing to note is that disabling/deleting a role will not remove entitlements granted to the identities through that role. However, if the decision is to “revoke” the role in the cert campaign, then that will ensure the entitlements that were granted by the now disabled role are also removed.

Would revoking the role still remove the entitlements/access profiles it had at the start of the Certification? I guess that is the main question.

Use Case

So the Certification is created at a point in time: Monday

At that time, User 1 has Role A, which has Entitlement Z and Access Profile AP1.

Role A is deleted on Wednesday. According to the above documentation, the user now has Entitlement Z along with Access Profile AP1 as individual items, since they were not deleted with Role A.

Friday, User 1’s manager revokes Role A in the certification and signs off on the certification so the Revoke will be done.

At this point, what happens?

  1. Does the system remove Role A, along with Entitlement Z and Access Profile AP1 since they were part of Role A at the Point in Time the Certification was created?

OR

  2. Does the system just remove Role A from the user, but leave Entitlement Z and Access Profile AP1 on the user?

If it is #2, then that could be considered an issue since the Reviewer would believe that revoking the role should remove the access that it contained at the point in time the certification was started.

I just added that bit at the end of my post. My sources tell me that revoking the role during a campaign will result in the entitlements also being removed.

Thanks for the follow up. That addresses my concern.
