Customize revoke behavior for Advanced Policy Violation

Which IIQ version are you inquiring about?

IdentityIQ 8.4

Share all details about your problem, including any error messages you may have received.

We have added “Remediated” to certificationActions for the Advanced Policy to enable the “Revoke” button. We would like to implement logic so that when the “Revoke” button is clicked, the system identifies the specific entitlement to revoke and triggers the appropriate provisioning plan.

My question is:
Is it possible to customize the behavior so that when the “Revoke” button is clicked, it can invoke a rule or workflow to perform additional logic before or during the revocation process?

Whenever the Revoke button is clicked, SailPoint will try to de-provision the access from the user, so you can use a Before Provisioning rule to perform additional logic.

SailPoint doesn't expose the workflow used directly in the certification revoke process. But, as suggested above, you can add your additional logic in the Before/After Provisioning rule of the application where you need to perform additional steps before/after the revoke.

You need to invoke this additional logic only when the source is “Certification” in the provisioning rule.
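To make the advice above concrete, here is an added example of a BeanShell Before Provisioning rule body for IdentityIQ (it is not code from the thread or from SailPoint). It assumes the standard rule arguments `plan`, `application` and `context`, and it assumes that plans produced by a certification revocation carry the source string "Certification" (verify the exact value in your environment by logging `plan.getSource()` once). It leaves all other plans untouched and only adds bookkeeping to Remove requests, which is the part a practitioner would customize:

```java
// Added example (not from the original post): Before Provisioning rule for IdentityIQ.
// Standard rule arguments supplied by IIQ: plan (sailpoint.object.ProvisioningPlan),
// application (sailpoint.object.Application), context (sailpoint.api.SailPointContext).
import java.util.List;
import org.apache.log4j.Logger;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningPlan.Operation;

Logger log = Logger.getLogger("rule.BeforeProvisioning.CertRevokeHook");

// ASSUMPTION: the source string set on certification-driven plans is "Certification".
// Check with log.warn("source=" + plan.getSource()) before relying on it.
boolean isCertificationRevoke(ProvisioningPlan p) {
    return p != null && "Certification".equals(p.getSource());
}

// Returns true when at least one Remove request was found and annotated.
boolean annotateRemoves(ProvisioningPlan p, String appName) {
    boolean touched = false;
    List accountRequests = p.getAccountRequests();
    if (accountRequests == null) {
        return false;
    }
    for (AccountRequest ar : (List<AccountRequest>) accountRequests) {
        // Only act on this application's account requests.
        if (!appName.equals(ar.getApplication())) {
            continue;
        }
        List attrRequests = ar.getAttributeRequests();
        if (attrRequests == null) {
            continue;
        }
        for (AttributeRequest attr : (List<AttributeRequest>) attrRequests) {
            if (Operation.Remove.equals(attr.getOperation())) {
                // Additional logic goes here: e.g. tag the request so the
                // After Provisioning rule (or the connector) can recognise it.
                // "certRevoke" is a hypothetical argument name used for illustration.
                attr.put("certRevoke", "true");
                log.warn("Certification revoke of " + attr.getName() + "="
                        + attr.getValue() + " for account " + ar.getNativeIdentity());
                touched = true;
            }
        }
    }
    return touched;
}

if (isCertificationRevoke(plan)) {
    annotateRemoves(plan, application.getName());
} else {
    // Plans from LCM, tasks, policy remediation etc. are passed through unchanged.
    log.debug("Skipping non-certification plan, source=" + plan.getSource());
}
```

Because the plan object is mutated in place, the rule does not need to return it; the check on `plan.getSource()` is what keeps this logic from firing for every other provisioning path through the same application.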

Thank you for your response.

Please correct me if I’m mistaken, but my understanding is that the default behavior for “Advanced Policy” is to create a workitem when a user selects “revoke,” since the policy cannot automatically determine what should be provisioned by default. As a result, I am unable to place this logic within the “before provisioning” rule. Also, this logic should be called prior to provisioning in order to determine what needs to be sent for de-provisioning.

Thank you for your response.

The “before provisioning” rule does not work in my context, as my goal is to determine what needs to be de-provisioned and send that information to the provisioning engine before the provisioning process begins. Is there a way in IIQ to trigger a workflow or rule when a user selects “revoke”?

Can you elaborate more on your use case? For example, what is the manager/reviewer revoking in the certification, and what exact additional processing do you want to do apart from removing the entitlement revoked by the reviewer?

The Before Provisioning rule allows you to change the plan before it is executed.

Hi @Trystan
Yes, it is possible. You will need to create a separate XHTML wrapper to represent your policy violation objects and also write a separate workflow to achieve this.
This is a huge customization, and my recommendation would be not to do this.

Managers can configure an Advanced Policy that includes rules for violations. When a Policy Violation is detected and displayed on the Policy Violation page, the manager would like to initiate a process by clicking the Revoke button. Ideally, this action would trigger an automated workflow that, based on business logic, determines which entitlement should be revoked and sends a deprovisioning plan accordingly.

Currently, the default behavior allows the manager to click Revoke, but this only generates a work item requiring manual removal of the entitlement.

Hi Pradeep,

Could you please direct me to any documentation related to this solution? I’d like to better understand the scope of effort required. Thank you!

There is no official document available for this.

You can achieve this via plugins. We did something similar for Access Request where, on clicking Submit, it showed a popup using a plugin. Similarly, you can try to have a plugin that intercepts the JS calls on clicking Save so you can execute your own custom code.

We had a similar requirement for policy violation remediation. It was achieved by creating a separate task and workflow in which the provisioning plan is created based on complex logic and multiple conditions. This is a very complex and time-consuming process. Instead, you can try with plugins as @neel193 mentioned.

Thanks for the response.

We might consider this. Do you have a sample or documentation for this?

How do you trigger the task when the Revoke button is clicked?

Yes, I have the plugin for access requests that I can share.

@Trystan I sent the sample plugin over chat.

It was a very customized implementation. A scheduled task was checking open policy violations. For open violations, the task was triggering a workflow. This workflow contained all the logic to create the work item. Once the work item was completed by clicking on the Revoke button, the next workflow steps calculated and created a provisioning plan to revoke the access.

As I said, you can go with plugin option. If you want to know more details, we can have 1:1 discussion.
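The workflow step described above, the one that runs after the work item is approved and turns the decision into a deprovisioning plan, is the part most readers of this thread will want to see. The following is an added example (not the poster's implementation and not SailPoint code) of a BeanShell workflow step script. It assumes the step receives `policyViolationId`, `applicationName`, `attributeName` and `entitlementValue` as step arguments (hypothetical names chosen for illustration; the real "which entitlement" decision is the business logic the thread says varies per customer), and that `context` is the workflow's `SailPointContext`. It looks up the violating identity's account on the application, builds a Modify/Remove plan tagged with the PolicyViolation source, and hands it to the Provisioner:

```java
// Added example (not from the original post): workflow step script that builds and
// executes a deprovisioning plan for a policy violation remediation in IdentityIQ.
// Step arguments assumed (hypothetical names): policyViolationId, applicationName,
// attributeName, entitlementValue. 'context' is provided by the workflow engine.
import java.util.List;
import org.apache.log4j.Logger;
import sailpoint.api.Provisioner;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.PolicyViolation;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningPlan.Operation;
import sailpoint.tools.GeneralException;

Logger log = Logger.getLogger("workflow.PolicyViolationRevoke");

// Find the identity's account on the target application; null if it has none.
Link findLink(Identity identity, String appName) {
    List links = identity.getLinks();
    if (links == null) {
        return null;
    }
    for (Link link : (List<Link>) links) {
        if (link.getApplication() != null
                && appName.equals(link.getApplication().getName())) {
            return link;
        }
    }
    return null;
}

// Build a Modify/Remove plan for exactly one entitlement on one account.
// Returns null when there is nothing to remove (no account on the app).
ProvisioningPlan buildRevokePlan(Identity identity, String appName,
                                 String attrName, String value) {
    Link link = findLink(identity, appName);
    if (link == null) {
        log.warn("No " + appName + " account for " + identity.getName()
                + "; nothing to revoke");
        return null;
    }
    ProvisioningPlan plan = new ProvisioningPlan();
    plan.setIdentity(identity);
    // ASSUMPTION: "PolicyViolation" is the source string you want downstream
    // Before/After Provisioning rules to key on for remediation plans.
    plan.setSource("PolicyViolation");
    plan.addRequester(context.getObjectByName(Identity.class, "spadmin"));

    AccountRequest ar = new AccountRequest(AccountRequest.Operation.Modify,
            appName, link.getInstance(), link.getNativeIdentity());
    ar.add(new AttributeRequest(attrName, Operation.Remove, value));
    plan.add(ar);
    return plan;
}

// Resolve the violation and the identity it belongs to.
PolicyViolation violation = context.getObjectById(PolicyViolation.class, policyViolationId);
if (violation == null) {
    throw new GeneralException("PolicyViolation not found: " + policyViolationId);
}
Identity identity = violation.getIdentity();

ProvisioningPlan plan = buildRevokePlan(identity, applicationName,
        attributeName, entitlementValue);
if (plan != null) {
    // Compile and execute; the Before/After Provisioning rules of the
    // application fire as usual, so source-based checks there still apply.
    Provisioner provisioner = new Provisioner(context);
    provisioner.execute(plan);
    log.warn("Submitted revoke of " + attributeName + "=" + entitlementValue
            + " on " + applicationName + " for " + identity.getName());
}
```

Keeping the plan construction in its own method means the same code can be unit-exercised from a debug rule with a known identity before it is wired into the work-item-completion step, and setting the source explicitly is what lets the Before Provisioning rule distinguish this remediation from a certification revoke or an LCM request.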