Description | Workflow and Form to selectively prolong roles that were removed by a mover event, commonly referred to as an access grace period.
Legal Agreement | By using this CoLab item, you are agreeing to SailPoint's Terms of Service for our developer community and open-source CoLab.
Repository Link | Github - Delayed Role DeProvisioning
New to Workflows in the CoLab? | Read the getting started guide for Workflows in the CoLab.
Supported by | community-developed
Overview
When an employee transitions to a different job title or department, it's imperative to maintain uninterrupted access during this period. This approach gives the individual ample time to finalize ongoing projects and integrate into the new position or department without hindering business operations.
This process enables a manager to selectively prolong specific roles and determine the duration of such extensions. It effectively identifies any roles that have been removed due to an identity refresh prompted by changes in job title or department. This is achieved by comparing post-change identity snapshots with the most up-to-date records available.
Currently, the workflow can extend up to 10 roles but possesses the flexibility to accommodate up to 30 if necessary. Nonetheless, extending 10 roles has proven sufficient for the majority of organizations.
Requirements
You must have an IdentityNow tenant with the Workflows and Forms features enabled.
Guide
To upload these templates into your Workflows environment, follow these steps.
- Download the Form and Workflow templates from the repository link above.
- Import the Form template:
  a) Using VS Code, navigate to the forms section in your tenant directory. Right-click the "forms" section and "import" the Form template you downloaded from the GitHub link above.
  b) Alternatively, import the form using this endpoint: Import form definitions from export.
- Import the Workflow template:
  a) Replace these tokens in the template file with your tenant values:
     %%API_URL%%
     %%OAUTH_CLIENT_ID%%
     %%ADMIN_EMAIL%%
  b) Create a new workflow in the Workflow dashboard and select the "Start with a JSON File" option. You will be prompted to select a file from your computer. Select the template and click "Continue to Builder".
- Replace the Workflow oAuthClientSecrets.
  a) UI option: open Workflow > Edit in Builder and update the client secret in the following steps:
     Get Identity History Snapshots
     Get Identity History Snapshots
     Get Identity History Snapshots
     Make Role Unrequestable
  b) VS Code option: open the imported workflow from your tenant directory. Search for the key "oAuthClientSecret" (4 occurrences in total) and insert your client secret value for each one. Note that this secret is not encrypted in the file until you modify the workflow via the UI and save it.
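The steps above leave two things to get right by hand: every %%TOKEN%% must be replaced, and the four oAuthClientSecret values sit in the file as plaintext until the workflow is saved through the UI. As an added example (not part of the CoLab repository), this Python script prepares a template for import and refuses to emit one that still carries an unreplaced token, an empty secret, or a secret count other than four; the template structure, the example-endpoint path and the "Send Email" step are constructed assumptions, not the real template.

```python
import json
import re

# Tokens named in the guide; TOKEN_RE also catches any other %%...%% left behind.
TOKENS = ("%%API_URL%%", "%%OAUTH_CLIENT_ID%%", "%%ADMIN_EMAIL%%")
TOKEN_RE = re.compile(r"%%[A-Z_]+%%")
SECRET_KEY = "oAuthClientSecret"

# Constructed stand-in for the exported workflow JSON, not the CoLab template itself.
_HTTP_STEP = {"attributes": {"url": "%%API_URL%%/example-endpoint",  # constructed path
                             "oAuthClientId": "%%OAUTH_CLIENT_ID%%",
                             "oAuthClientSecret": ""}}
SAMPLE_TEMPLATE = json.dumps({
    "name": "Delayed Role DeProvisioning",
    "steps": [dict(_HTTP_STEP, name="Get Identity History Snapshots") for _ in range(3)]
             + [dict(_HTTP_STEP, name="Make Role Unrequestable"),
                {"name": "Send Email", "attributes": {"recipient": "%%ADMIN_EMAIL%%"}}],
})

def fill_secrets(node, secret):
    """Walk the JSON tree, set every oAuthClientSecret to `secret`, return how many were set."""
    count = 0
    if isinstance(node, dict):
        for key, value in node.items():
            if key == SECRET_KEY:
                node[key] = secret
                count += 1
            else:
                count += fill_secrets(value, secret)
    elif isinstance(node, list):
        for item in node:
            count += fill_secrets(item, secret)
    return count

def prepare_template(template_text, values, secret, expected_secrets=4):
    """Return the import-ready workflow dict, or raise if the file would be incomplete."""
    if not secret:
        raise ValueError("client secret must not be empty")
    text = template_text
    for token in TOKENS:
        text = text.replace(token, values.get(token, token))  # missing value: token stays
    leftover = sorted(set(TOKEN_RE.findall(text)))
    if leftover:
        raise ValueError(f"unreplaced tokens: {leftover}")
    workflow = json.loads(text)
    found = fill_secrets(workflow, secret)
    if found != expected_secrets:  # the guide counts exactly 4 in this workflow
        raise ValueError(f"expected {expected_secrets} {SECRET_KEY} keys, found {found}")
    return workflow
```

Read the secret from an environment variable or a secret store rather than hard-coding it, and keep the filled-in output out of version control, since it holds the client secret in plaintext until the UI save encrypts it.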
Fusion Connector Consideration
If you are using the Fusion Connector in the same environment, add an offset URL parameter in the "Get Identity History Snapshots" step. It should look like this:
"urlParams": {
"limit": "2",
"offset": "1"
}
The offset is needed because the logical layer of the Fusion Connector adds an identity refresh.