Deny Access Removal Requests

Problem: There are a few entitlements that users have that should NEVER be removed via an access request in ISC. Currently there is no way to block certain entitlements from being removed.

I have created an entitlement attribute named “denyAccessRemoval”. I want to set this attribute on a few entitlements that should never be requested for removal. When someone requests the removal of an entitlement with the denyAccessRemoval attribute, I want to kick off a workflow that will simply cancel the access request.

Is this doable? Or is there some better way to approach this problem?

Use the Access Request Submitted Request/Response trigger and a workflow to achieve this. I had a similar use case when we only wanted certain people submitting access requests, so the workflow checked whether or not the user had a particular entitlement and returned approved=false if they didn’t.

OK, that makes sense to me, but I’m struggling to find the “Access Request Submitted” trigger. I’m looking in the Triggers in the Workflow editor, but I only see “Access Request Decision”. I also looked at the Event Triggers view and I only see “Access Request Decision”.

Am I missing something?

It’s because it’s a request-response trigger and not available in the workflow editor. You use the External Trigger.

Follow the instructions in the blog post I linked.

Hilarious. There are 26 triggers, with 25 showing per page, and the “Access Request Submitted” trigger was on the second page, so I totally missed it.

OK, I followed the blog post and I have a workflow working, but I don’t have the logic working yet.

I need to do this:

  1. Check to see if the request is a “remove” operation
  2. Call the /entitlements endpoint to get the requested entitlement metadata
  3. Check the metadata for an attribute named “entDenyAccessRemoval”
  4. If that attribute equals “true”, deny the request

I am struggling to know how to get the data for each of the steps above. How can I get the operation and the entitlement ID?
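
The four steps listed above as decision logic, added here as an example and not code from any poster in the thread or from SailPoint. Assumptions: the event carries a `requestedItems` list whose items have `id`, `name`, `type` and `operation`; the entitlement metadata keeps custom attributes under `attributes`; `fetch_entitlement` is a hypothetical wrapper around the /entitlements lookup that returns `None` on failure, which this example treats as "protected" (fail closed).

```python
from typing import Callable, Optional

DENY_ATTR = "entDenyAccessRemoval"  # attribute name used in the thread


def is_protected(metadata: Optional[dict]) -> bool:
    """Step 3: does the entitlement metadata forbid removal?"""
    if metadata is None:
        return True  # fail closed: a failed lookup must not allow removal
    # Assumed location of custom attributes; accepts "true" or boolean True.
    value = (metadata.get("attributes") or {}).get(DENY_ATTR)
    return str(value).strip().lower() == "true"


def decide(event: dict,
           fetch_entitlement: Callable[[str], Optional[dict]]) -> dict:
    """Return the approved/comment response for one submitted request."""
    for item in event.get("requestedItems", []):  # assumed field name
        # Step 1: only "remove" operations on entitlements matter here.
        if str(item.get("operation", "")).lower() != "remove":
            continue
        if str(item.get("type", "")).upper() != "ENTITLEMENT":
            continue
        # Step 2: look up the metadata for the requested entitlement.
        metadata = fetch_entitlement(item["id"])
        # Step 4: one protected item is enough to deny the whole request.
        if is_protected(metadata):
            label = item.get("name", item["id"])
            return {"approved": False,
                    "comment": f"Removal of '{label}' is not permitted"}
    return {"approved": True, "comment": "No protected entitlement removed"}


# Constructed sample data standing in for the tenant's entitlement catalog.
CATALOG = {
    "ent-001": {"id": "ent-001", "attributes": {DENY_ATTR: "true"}},
    "ent-002": {"id": "ent-002", "attributes": {}},
}
# Constructed event: two removals, the second one protected.
SAMPLE_EVENT = {"requestedItems": [
    {"id": "ent-002", "name": "Reports", "type": "ENTITLEMENT",
     "operation": "Remove"},
    {"id": "ent-001", "name": "Base Access", "type": "ENTITLEMENT",
     "operation": "Remove"},
]}

if __name__ == "__main__":
    print(decide(SAMPLE_EVENT, CATALOG.get))
```
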