Configuring Workflow to Remove all OOTB Entitlements in IdentityNow

Hi Experts,

I am configuring a workflow to meet customer requirements. Users may hold a large number of entitlements, and the workflow loop has a known limit of 100 iterations.

The workflow needs to be configured under the following conditions:

Given:

  • Daily aggregation of HR source (5:00 AM KST)

When:

  1. There are change events to the HR department, job, duty, or position (Mover)
  2. The lifecycle state changes to terminated (Leaver)

Then:

  • Auto-mapped Roles based on criteria
  • Roles and Access Profiles (AP) which were approved via access request
  • Remove all OOTB entitlements from target systems, except for the above Roles and AP

I referred to the following documents to implement these requirements, but due to my limited understanding, I could not configure an effective workflow:

Here are my questions:

I believe I can use the Identity Attribute Change trigger. Using this change event, I would query a search HTTP request with $.trigger.identity.id as the condition.
Then, I would retrieve all Entitlements, Access Profiles, and Roles of User from the returned information.
However, I am unsure how to remove OOTB entitlements exceeding 100.
Should I set up a recursive workflow? Should I create a micro-certification campaign?

I welcome any suggestions for an effective workflow configuration scenario.

Regards,

Hi,

For removing OOTB entitlements directly on the target source, you can make use of a before provisioning rule.

In the before provisioning rule, get the lifecycle state and if it's resigned then remove all the entitlements.

-Abhinov


Hi @Abhinov7 ,

Is there a way to configure a before provisioning rule in the SAP Direct Connector to remove all entitlements not assigned by IDN SaaS?

Regards,

Hi,

Yes, we can do this using a before provisioning rule.

Below are some high level steps you can use.

import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Current "roles" values on the target account (curApp = application name, acctId = native identity)
Object grpList = idn.getRawAccountAttribute(curApp, acctId, "roles");

// Ask the connector to remove every one of those values via the Modify account request (modifyUser)
if (grpList != null) {
    AttributeRequest removeGroupAttributeRequest = new AttributeRequest();
    removeGroupAttributeRequest.setName("roles");
    removeGroupAttributeRequest.setValue(grpList);
    removeGroupAttributeRequest.setOperation(ProvisioningPlan.Operation.Remove);
    modifyUser.add(removeGroupAttributeRequest);
}

-Abhinov


Hi Jaewon,

In my opinion, you can make use of the recertification campaign for the OOTB entitlements. So try creating different workflows: the first will remove the normal access which was done via access request and then check for the OOTB entitlements if they exist with the user profile, then make the call to another workflow (external trigger based workflow) to remove them. I believe you can even pass the information about OOTB entitlements to the child workflow, and then the child workflow should create a certification campaign in such a way that it gets completed in like 5 minutes from creation date and removes the access automatically.

I hope this helps, please let us know if you have any queries.

Regards
vikas.


At a very high level, you can use a workflow to remove access outside of birthright auto-mapped roles (as you already referenced here: Workflow to Remove ALL Leavers’ Standing Access).

The challenge will be in trying to find out which out-of-birthright-access has been granted via approved access requests. I am not aware of any effective or easy way - within workflows at least - to find out whether certain access was provided through access requests.

Hence, the best approach might be to simply use workflows to generate a Mover certification campaign and assign it to the new manager to decide. Other SailPoint ISC components, such as the AI recommendations engine, should highlight any out-of-normal access items the mover has to the reviewer so they can make better decisions.
