I’ve onboarded a new source in SailPoint IdN with the SCIM 2.0 SaaS connector and launched a bi-annual certification for user access reviews. I have a requirement to stop the direct revocation of user access from the certification campaign. Is there a way to keep the access as is without revocation and do the revocation manually?
When the certification reviewer does a revocation from the certification campaign, it should not disable or directly delete the access from the target system. Instead, revocation has to be done manually from the application owner side. Please let me know.
If you change the source to get rid of the feature flag “PROVISIONING”, any change will turn into a manual task (internally in ISC/IDN, or in a ticket if you have a ServiceDesk integration configured).
The downside to this is that it will affect all provisioning activities towards that source, so I am unable to judge if that will be an issue for you.
Hi @abhijit_shekki,
To add to what @sauvee mentioned, the ISC connectors currently only function as a connected or disconnected connector. I believe there is no semi-automation available at the moment.
I was thinking that during the revocation step in the BeforeProvisioningRule, if I can check that the ProvisioningPlan → AccountRequest operation is disable/delete, then I can just send the new ProvisioningPlan() object, and this way the connector will ignore revoking the access, right?
Will this approach work in SailPoint IdN? Please let me know.
If this is applicable to all the times the access is revoked then it could work. Operation will be a Modify, not Disable or Delete, since those are only to actually disable / delete the account not the access.
I’d like to add one more point: the operation for access revocation from the request center and from certification will be the same. Therefore, a method needs to be found to determine whether the revocation is for access-revocation or certification.
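
The approach discussed in this thread, sketched as a BeforeProvisioning rule body in BeanShell. This is an added example, not code posted by any participant or supplied by SailPoint. It assumes the rule is attached to the SCIM source and that the `plan` and `log` variables are supplied to the rule. Following the replies above, it looks for `Remove` attribute requests inside `Modify` account requests rather than for Disable/Delete operations.

```java
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// BeforeProvisioning rule body. `plan` is the ProvisioningPlan passed to the rule (assumed input).
if (plan != null && plan.getAccountRequests() != null) {
    List keptAccountRequests = new ArrayList();

    for (AccountRequest accountRequest : plan.getAccountRequests()) {
        List attributeRequests = accountRequest.getAttributeRequests();

        // Access revocation arrives as Modify; leave Create, Disable, Delete, etc. untouched.
        if (!ProvisioningPlan.AccountRequest.Operation.Modify.equals(accountRequest.getOperation())
                || attributeRequests == null || attributeRequests.isEmpty()) {
            keptAccountRequests.add(accountRequest);
            continue;
        }

        // Keep Add/Set requests, drop only the Remove requests (the revocations).
        List keptAttributeRequests = new ArrayList();
        for (AttributeRequest attributeRequest : attributeRequests) {
            if (ProvisioningPlan.Operation.Remove.equals(attributeRequest.getOperation())) {
                log.info("Skipping automatic removal of " + attributeRequest.getName()
                        + " on account " + accountRequest.getNativeIdentity());
            } else {
                keptAttributeRequests.add(attributeRequest);
            }
        }

        // If nothing is left to provision for this account, drop the account request too.
        if (!keptAttributeRequests.isEmpty()) {
            accountRequest.setAttributeRequests(keptAttributeRequests);
            keptAccountRequests.add(accountRequest);
        }
    }
    plan.setAccountRequests(keptAccountRequests);
}
```

As the last reply points out, this filter cannot tell a certification revocation from a request-center removal, so it suppresses both. Nothing in the rule creates a manual task either, so each skipped removal has to be tracked to completion by the application owner outside the rule, for example from the log entries.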