We have a requirement related to certifications: when a reviewer takes the action of revoke ,after sign-off the access should not be removed on the target system for directly connected sources.
Is there a way to achieve this in ISC? I am considering using a before provisioning rule. If anyone has ideas on how to write before provisioing rule for this requirement, or if there are alternative approaches that could help, I would greatly appreciate your guidance.
I don’t think this possible with BPR . BPR does not contain information of how the revoke was initiated.
Can you elaborate the use case ? Why are we trying to bypass standard functionality of certification ?
They were planning to implement the service desk integration in the future, so for now they want to revoke the access manually, so they don’t want the revoke decision to remove it automatically through certification
Unfortunately, Access Reviews doesn’t have a control to disable automatic revocations.
If you add source to SDIM, automatically tickets will be created for all provisioning activities including Access Requests and Access Reviews
Feature String: You can remove Provisioning from feature string for your source, but you will not have automatic provisioning at all, I mean Access Requests will be impacted
Before Provisioning Rule: In Provisioning Plan, Attributes should contain the interface which holds the source of request like LCM or Access Reviews. I have not used that yet in ISC, but you can check that. I did this kind of requirement in IIQ. Check the source, if it is Certification then change the plan, so you can remove the attribute requests from Plan, so that there will be no revocation. But this is misleading rite, audit shows revocation, but actually revocation didn’t happen, I consider this as a dirty work.
I would suggest you to look at Service Standard Before Provisioning Rule as well, see if anything useful
I would agree with @KRM7 as far as your options go. As others mentioned, there is not a way to turn off provisioning for only Revoke Access for certifications. If you feel there should be, you could create an Idea in the ideas.sailpoint.com portal for it, but you’ll likely have the SDIM in place before it gets the votes needed and through engineering and testing.
You can achieve this using a BPR. Add a condition to check whether the provisioning was initiated through a certification by using plan.getSource() == "Certification" and then verify whether the operation is a revoke.
I’ve implemented this similar approach before, and it worked well for me.