I am configuring a workflow to meet customer requirements. Users may hold a large number of entitlements, and the workflow loop has a known limit of 100 iterations.
The workflow needs to be configured under the following conditions:
Given:
Daily aggregation of HR source (5:00 AM KST)
When:
There are change events to the HR department, job, duty, or position (Mover)
The lifecycle state changes to terminated (Leaver)
Then:
Auto-mapped Roles based on criteria
Roles and Access Profiles (AP) which were approved via access request
Remove all OOTB entitlements from target systems, except for the above Roles and AP
I referred to the following documents to implement these requirements, but due to my limited understanding, I could not configure an effective workflow:
I believe I can use the Identity Attribute Change trigger. Using this change event, I would query a search HTTP request with $.trigger.identity.id as the condition.
Then, I would retrieve all Entitlements, Access Profiles, and Roles of User from the returned information.
However, I am unsure how to remove OOTB entitlements exceeding 100.
Should I set up a recursive workflow? Should I create a micro-certification campaign?
I welcome any suggestions for an effective workflow configuration scenario.
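One way to stay under the 100-iteration loop limit is to do the filtering and splitting outside the loop and then hand each slice to a child workflow, so that no single loop ever sees more than 100 items. The following Python is an added example and not code from the post or from SailPoint: it takes a constructed list of an identity's access items (the field names `type`, `id`, `entitlements` and the `ENTITLEMENT`/`ROLE`/`ACCESS_PROFILE` values are assumptions for this example, not the product's search schema), drops every entitlement that is a member of one of the identity's Roles or Access Profiles, and returns one payload per batch of at most 100 entitlements to remove.

```python
from typing import Dict, List

# The workflow loop limit named in the question; each child-workflow call
# receives at most this many entitlements so a single loop can handle it.
LOOP_LIMIT = 100

# Access item types used by this example (assumed names, not a product schema).
ENTITLEMENT = "ENTITLEMENT"
CONTAINERS = ("ROLE", "ACCESS_PROFILE")


def covered_entitlement_ids(access_items: List[Dict]) -> set:
    """Entitlement ids that belong to a Role or Access Profile the identity holds.

    The question keeps both auto-mapped Roles and Roles/APs approved via
    access request, so every container item counts. Assumes each container
    lists its member entitlement ids under 'entitlements' (hypothetical field).
    """
    covered = set()
    for item in access_items:
        if item.get("type") in CONTAINERS:
            covered.update(item.get("entitlements", []))
    return covered


def entitlements_to_remove(access_items: List[Dict]) -> List[str]:
    """Direct entitlements that are not explained by any Role or AP."""
    covered = covered_entitlement_ids(access_items)
    return [
        item["id"]
        for item in access_items
        if item.get("type") == ENTITLEMENT and item["id"] not in covered
    ]


def batches(items: List[str], size: int = LOOP_LIMIT) -> List[List[str]]:
    """Split a list into consecutive slices of at most `size` elements."""
    if size < 1:
        raise ValueError("batch size must be at least 1")
    return [items[i:i + size] for i in range(0, len(items), size)]


def plan_child_workflow_calls(identity_id: str, access_items: List[Dict]) -> List[Dict]:
    """One payload per batch; each payload fits inside one child-workflow loop."""
    to_remove = entitlements_to_remove(access_items)
    return [
        {"identityId": identity_id, "batch": n + 1, "entitlementIds": chunk}
        for n, chunk in enumerate(batches(to_remove))
    ]


def build_sample_access(n_entitlements: int = 250, n_in_role: int = 30) -> List[Dict]:
    """Constructed sample input: n_entitlements direct entitlements, the first
    n_in_role of which are also members of an auto-mapped Role, plus an AP
    that explains nothing the identity actually holds."""
    ents = [{"type": ENTITLEMENT, "id": f"ent-{i:03d}"} for i in range(n_entitlements)]
    role = {
        "type": "ROLE",
        "id": "role-automapped-sample",
        "entitlements": [f"ent-{i:03d}" for i in range(n_in_role)],
    }
    ap = {"type": "ACCESS_PROFILE", "id": "ap-sample", "entitlements": ["ent-not-held"]}
    return ents + [role, ap]


if __name__ == "__main__":
    plan = plan_child_workflow_calls("identity-sample-0001", build_sample_access())
    for payload in plan:
        print(payload["batch"], len(payload["entitlementIds"]))
```

With the constructed sample (250 direct entitlements, 30 of them inside a Role) this yields 220 entitlements to remove, split into batches of 100, 100 and 20, i.e. three child-workflow calls instead of one loop that would stop at iteration 100. The batch size can be lowered if the child workflow needs spare iterations for its own bookkeeping.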
In my opinion, you can make use of the recertification campaign for the OOTB entitlements. So try creating different workflows: the first will remove the normal access which was done via access request and then check whether OOTB entitlements exist on the user profile; then make the call to another workflow (external-trigger-based workflow) to remove them. I believe you can even pass the information about OOTB entitlements to the child workflow, and then the child workflow should create a certification campaign in such a way that it gets completed in about 5 minutes from the creation date and removes the access automatically.
I hope this helps, please let us know if you have any queries.
The challenge will be in trying to find out which out-of-birthright-access has been granted via approved access requests. I am not aware of any effective or easy way - within workflows at least - to find out whether certain access was provided through access requests.
Hence, the best approach might be to simply use workflows to generate a Mover certification campaign and assign it to the new manager to decide. Other SailPoint ISC components, such as the AI recommendations engine, should highlight any out-of-normal access items the mover has to the reviewer so they can make better decisions.