Delayed Role Deprovisioning Workflow


Description: Workflow and Form to selectively prolong roles that were removed by a mover event.
Legal Agreement: By using this CoLab item, you are agreeing to SailPoint’s Terms of Service for our developer community and open-source CoLab.
Repository Link: Github - Delayed Role DeProvisioning
New to Workflows in the CoLab? Read the getting started guide for Workflows in the CoLab.
Supported by: community-developed

Overview

When an employee transitions to a different job title or department, it’s imperative to maintain uninterrupted access during this period. This approach allows the individual ample time to finalize ongoing projects and smoothly integrate into their new position or department without hindering business operations.

This process enables a manager to selectively prolong specific roles and determine the duration of such extensions. It effectively identifies any roles that have been removed due to an identity refresh prompted by changes in job title or department. This is achieved by comparing post-change identity snapshots with the most up-to-date records available.

Currently, the workflow can extend up to 10 roles, but it can be adapted to accommodate up to 30 if necessary. Nonetheless, extending 10 roles has proven sufficient for the majority of organizations.

Requirements

You must have an IdentityNow tenant with the Workflows and Forms features enabled.

Guide

To upload these templates into your Workflows environment, follow these steps.

  1. Download the Form and Workflow templates from the repository link above.

  2. Import the Form template:
    a) Using VS Code, navigate to the forms section in your tenant directory. Right-click on the “forms” section and “import” the Form template you downloaded from the GitHub link above.
    b) Alternatively, import the form using the “Import form definitions from export” endpoint.

  3. Import the Workflow template:
    a) Replace these tokens in the template file with your tenant values:
       - %%API_URL%%
       - %%OAUTH_CLIENT_ID%%
       - %%ADMIN_EMAIL%%
    b) Create a new workflow in the Workflow dashboard and select the “Start with a JSON File” option. You will be prompted to select a file from your computer. Select the template and click “Continue to Builder”.

  4. Replace the Workflow oAuthClientSecrets.
    a) UI Option: Open Workflow > Edit in Builder > update the client secret in the following steps:
       - Get Identity History Snapshots
       - Get Identity History Snapshots
       - Get Identity History Snapshots
       - Make Role Unrequestable
    b) VS Code Option: Open the imported workflow from your tenant directory. Search for the key “oAuthClientSecret” (4 occurrences in total) and insert your client secret value at each one. Note that the secret is not encrypted in the file until you modify the workflow in the UI and save it.
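The following script is an added example, not code from the CoLab repository, that automates steps 3a and 4b: it substitutes the three tenant tokens in the downloaded JSON template, then fills in every `oAuthClientSecret` key and checks that exactly four were found, reading the secret from an environment variable (the variable name `SAILPOINT_CLIENT_SECRET` is an assumption of this example) rather than typing it into the file by hand. The template structure, tenant values and output filename below are constructed stand-ins; only the token names, the key name and the count of four come from the guide.

```python
"""Prepare the Delayed Role Deprovisioning workflow template for import.

Added example, not code from the CoLab repository. It performs steps 3a and 4b
of the guide: substitute the three tenant tokens, then fill in the four
"oAuthClientSecret" keys. The template structure used below is a constructed
stand-in; only the token names, the key name and the expected count of four
come from the guide.
"""
import json
import os
import re
import sys
from typing import Any, Dict

# Tokens the guide says must be replaced before import.
TOKENS = ("%%API_URL%%", "%%OAUTH_CLIENT_ID%%", "%%ADMIN_EMAIL%%")
SECRET_KEY = "oAuthClientSecret"
# Per the guide: three "Get Identity History Snapshots" steps + "Make Role Unrequestable".
EXPECTED_SECRET_KEYS = 4


def substitute_tokens(template_text: str, values: Dict[str, str]) -> str:
    """Replace each %%TOKEN%% with its tenant value; refuse to continue if any token survives."""
    out = template_text
    for token in TOKENS:
        if token not in values:
            raise KeyError(f"no value supplied for {token}")
        out = out.replace(token, values[token])
    leftover = sorted(set(re.findall(r"%%[A-Z_]+%%", out)))
    if leftover:
        raise ValueError(f"unreplaced tokens remain: {leftover}")
    return out


def set_client_secrets(node: Any, secret: str) -> int:
    """Walk the parsed JSON in place, setting every oAuthClientSecret; return how many were set."""
    count = 0
    if isinstance(node, dict):
        for key, value in node.items():
            if key == SECRET_KEY:
                node[key] = secret
                count += 1
            else:
                count += set_client_secrets(value, secret)
    elif isinstance(node, list):
        for item in node:
            count += set_client_secrets(item, secret)
    return count


def prepare_template(template_text: str, values: Dict[str, str], secret: str) -> Dict[str, Any]:
    """Token substitution followed by secret insertion, with the count checked against the guide."""
    workflow = json.loads(substitute_tokens(template_text, values))
    found = set_client_secrets(workflow, secret)
    if found != EXPECTED_SECRET_KEYS:
        raise ValueError(f"expected {EXPECTED_SECRET_KEYS} {SECRET_KEY} keys, found {found}")
    return workflow


# Constructed stand-in for the downloaded template (the real file has far more fields
# and a different layout); the step names match the four steps listed in the guide.
SAMPLE_TEMPLATE = json.dumps({
    "name": "Delayed Role Deprovisioning",
    "notifyEmail": "%%ADMIN_EMAIL%%",
    "steps": [
        {"name": "Get Identity History Snapshots", "url": "%%API_URL%%/example-path",
         "clientId": "%%OAUTH_CLIENT_ID%%", SECRET_KEY: "REPLACE_ME"},
        {"name": "Get Identity History Snapshots", "url": "%%API_URL%%/example-path",
         "clientId": "%%OAUTH_CLIENT_ID%%", SECRET_KEY: "REPLACE_ME"},
        {"name": "Get Identity History Snapshots", "url": "%%API_URL%%/example-path",
         "clientId": "%%OAUTH_CLIENT_ID%%", SECRET_KEY: "REPLACE_ME"},
        {"name": "Make Role Unrequestable", "url": "%%API_URL%%/example-path",
         "clientId": "%%OAUTH_CLIENT_ID%%", SECRET_KEY: "REPLACE_ME"},
    ],
})

# Constructed tenant values; a real run takes these from your tenant configuration.
SAMPLE_VALUES = {
    "%%API_URL%%": "https://example-tenant.api.example.com",
    "%%OAUTH_CLIENT_ID%%": "00000000-example-client-id",
    "%%ADMIN_EMAIL%%": "admin@example.com",
}


if __name__ == "__main__":
    # SAILPOINT_CLIENT_SECRET is an assumed variable name for this example.
    secret = os.environ.get("SAILPOINT_CLIENT_SECRET", "")
    if not secret:
        sys.exit("set SAILPOINT_CLIENT_SECRET before running")
    ready = prepare_template(SAMPLE_TEMPLATE, SAMPLE_VALUES, secret)
    # The secret sits in plaintext in this file until the workflow is saved from the UI,
    # so write it somewhere that is not under version control.
    with open("workflow-ready.json", "w", encoding="utf-8") as fh:
        json.dump(ready, fh, indent=2)
    print(f"wrote workflow-ready.json with {EXPECTED_SECRET_KEYS} client secrets filled in")
```

Run it with the secret in the environment and point the "Start with a JSON File" option at the written file. Because the secret is stored unencrypted until the first UI save, keep the prepared file out of the repository and delete it once the workflow has been imported and saved.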