Description
Access Revocation just got a lot more accessible in Identity Security Cloud!
With this release, we’re introducing self-service access revocation, a new Access Revoker user level to designate users who can submit revocation requests on behalf of anyone, an entitlement-revocation approval configuration option, and expanded revocation functionality for managers to include entitlements.
New Capabilities
End users can now revoke their own access through the My Access page when they no longer need it, allowing them to support your organization’s least privilege goals (or at least let go of access that conflicts with new access they need to request!).
Managers can now revoke individual entitlements held by their direct reports, in addition to roles and access profiles.
We’ve also introduced a new user level that grants users the authority to submit revocation requests for anyone so you can authorize people who are neither the user nor their manager to manage revocations for your teams.
And finally, administrators can configure approval requirements for any entitlement revocation request, matching the options that already exist for roles and access profiles. This allows knowledgeable authorities to help prevent errors or accidental revocations.
Note: The basic rules of Identity Security Cloud access management still apply: only roles that were requested (not automatically assigned) and entitlements held directly, outside of any role or access profile, are revocable.
Who is affected?
This is being rolled out to all customers.
Action Required
Administrators are encouraged to set up entitlement revocation approval requirements, to enforce the desired security around that revocation flow. You can set your entitlement revocation approval requirements globally (Admin > Global > System Settings > System Features), per source (via API), or per individual entitlement (Admin > Access Model > Entitlements > Action: Edit > Access Requests).
To designate the users who can revoke for others in your org, you’ll need to add the Access Revoker user level to their identities. Navigate to Admin > Identity Management > Identities, choose an identity, and then use the Actions menu to choose Set User Levels and select Access Revoker.
No special actions are required to enable manager and self-revocation. All users can request their own revocations and all managers can revoke for their teams.
Usage Details
To revoke their own access, users will navigate to My Access, choose an access tab (Roles, Entitlements, Access Profiles), then locate and select the item they want to revoke to view its assignment details.
For roles and entitlements where users may have multiple assignments, an overlay displays item details along with a list of the user’s assignments. From there, they can open the Assignments tab, verify the account details to ensure they’re revoking the correct one, and then select Revoke Assignment.
Because access profiles can only be assigned once per identity, the access profile flow is a little simpler, displaying the item details in an overlay that includes a revoke option if the assignment is revocable.
The same UX flows apply to manager revocation and Access Revoker revocation, but they are reached through different UI paths:
- Managers access their direct reports’ assignments through the My Team page.
- Access Revokers access users’ assignments through Admin > Identity Management > Identities > select an identity > Access.
Important Dates
Sandbox rollout: week of April 28
Production rollout: week of May 5
RSVP to this event to receive a reminder before this release rolls out.