Enhancement: Access Revocation!

Can a user with the new “Access Revoker” level change the lifecycle state of other users?

Hi @abattou -
No, Access Revokers can see the lifecycle state of other users, but the edit option for that field is disabled. Likewise, the edit option for changing assigned user levels is disabled.


I granted one of our users the Access Revoker user level, and it is now asking them to set up multi-factor authentication on a mobile device. We already have the Symantec VIP code required for login. Is an additional multi-factor method required?

@tami_otto
I checked with our auth team and learned that this is related to a security feature we added for admin users a while ago. Because this revoker functionality is accessed under the Admin path, it applies to these users as well.

They do need to set this TOTP configuration up ONE TIME. They will never actually need to use this unless they have a need to log in to ISC independent of your SSO path (e.g., if your identity provider were unavailable and they needed to get in to ISC to revoke someone’s access). But they do need to follow the instructions provided here: Configuring Multifactor Authentication - SailPoint Identity Services to set this up once.


What’s the latest timeline for the Entitlement Revocation release?
Is it still planned for this week?

I am not sure whether the changes are implemented or not, based on recent posts. But when I assign the Access Revoker level, the person doesn't see any change in their access or view.

I also don't see that managers or end users can request revocation.

Entitlement revocation is being rolled out this week. All customers should have the functionality by the end of Thursday (May 22).

When you assign the Access Revoker user level, that user should see the Admin menu in their top menu bar and should have the Identity Management page visible under it.

Managers should see the My Team card on their home page and end users should see the My Access card. Revocation is supported from those pages as documented here: Requesting Access Removal - SailPoint Identity Security Cloud User Help

If these things are not working for you as described, please open a support ticket for help.


Hi @jennifer_mitchell ,

Today we noticed that roles granted via access request show up as revocable "No" on the Admin page but display "Yes" for managers in the "My Team" view. Has something changed? Do we have to enable something to allow assignment revocation for the "Admin" and "Access Revoker" identities?
From Admin UI: (screenshot not reproduced)

From My Team UI: (screenshot not reproduced)

Thank you.
Shanmukh


The screenshots need to be updated to reflect the changes implemented in the new updates.

That’s right @Shanmukh
Exactly what I’m facing right now too in my customer environment:

Access (be it roles, access profiles or entitlements) requested manually through the Request Center could earlier be revoked; a Revoke Assignment button would show up. Now, for some reason, I don't see it, even as an ISC admin.

@jennifer_mitchell Can you help check how defects end up in customer environments without being tested internally? The clients are equally frustrated about why they can't see this option any longer.

Would really appreciate your inputs on this.

Thanks,
Arshad.


Please note the Addendum section recently added to this announcement – in addition to adding the Access Revoker user level to users through the admin Identities page, you can also use the IdentityNow source’s entitlement to enable access requests for it or to add it to roles as needed.

Is it possible to restrict users with the Access Revoker role so they can only initiate access removal requests for specific sources?

Context and Observations:

  1. One of the advantages of assigning the Access Revoker role is that it allows designated users to initiate access removal requests immediately—especially useful when a manager is unavailable.
  2. However, a limitation is that users with this role can currently raise removal requests across all source types. For example, if Source A requires support users to have the Access Revoker role to manage its access, those same users could also initiate removal requests for other, unrelated sources.
  3. Introducing approval workflows for removal requests could mitigate the risk of accidental removals. However, this introduces a potential side effect, particularly for termination scenarios, where access should be revoked automatically and without manual approval delays.
  • Is it possible to scope or restrict the Access Revoker role to allow access removal only for certain sources?
  • If we decide to introduce approval steps for all access removal requests, is there a way to bypass these approvals in specific scenarios, such as automated termination workflows, to ensure timely deprovisioning?

Limiting Access Revokers to certain sources or source types is not currently possible. It is something we can consider for the future but is not currently planned. As far as bypassing approval goes, the option you have is that if the requester (the revoker in this case) is the approver, you can use the auto-approval config option (part of access-request-config) to indicate that the request should auto-approve. Otherwise, at this time there is no option (nor currently planned work) to allow approval bypass.

Another consideration is that there should be tight controls on users removing the LOCKED_USERS “User Group” on SAP. Some entitlements should be flagged as non-revocable to prevent users from inadvertently or maliciously removing critical access restrictions. This is crucial for maintaining security and ensuring compliance with organizational policies, as certain user groups or entitlements are intended to enforce restrictions or limitations based on user classification. Allowing such entitlements to be revoked without oversight could lead to significant security vulnerabilities and compliance issues.

Hello guys,
I'm having an issue in production where an administrator can't revoke access. The screen keeps loading and then times out. For another administrator performing the same task, the page loads normally. Is anyone else experiencing this issue?
We’ve already investigated whether the issue could be network-related, but it isn’t.

Has this been moved into the ServiceNow Service Catalog Integration? We just tested it, and it doesn't seem to be allowed inside the SNow integration.

We would love to see a new field added, "revocable", that would control whether users are able to remove the entitlement, independent of it being requestable.

See: https://ideas.sailpoint.com/ideas/GOV-I-4618

For larger organizations with multiple support and application teams, it is considered a risk to grant global permissions to groups with limited authority. Having the ability to limit Access Revokers to a specific source, set of access profiles or application(s) would go a long way toward helping larger companies and agencies.

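Since the thread establishes that Access Revokers cannot be scoped to particular sources, that approvals cannot be bypassed except through the requester-is-approver auto-approval setting, and that entitlements such as the SAP LOCKED_USERS group should be protected from self-service removal, the remaining option is a compensating detective control: review access-removal audit events after the fact and flag the ones that break a locally defined policy. The script below is an added example, not SailPoint code and not something any poster in this thread supplied. The revoker names, source names, the allow-list, and the audit-event field layout (action, actor.name, target.name, attributes.sourceName, attributes.entitlementName, trackingNumber) are all assumptions for illustration and must be mapped to the real tenant's audit-event schema before use.

```python
import json
from dataclasses import dataclass

# Allow-list of which Access Revokers may remove access on which sources.
# ISC does not enforce per-source scoping for this user level (per the thread),
# so the scope is enforced here after the fact by reviewing audit events.
# Names are assumed for illustration.
REVOKER_SCOPE = {
    "svc.support.a": {"Source A"},
    "svc.helpdesk": {"Source A", "Source B"},
}

# (source, entitlement) pairs that must never be removed through self-service
# revocation, such as the SAP LOCKED_USERS group mentioned in the thread.
PROTECTED_ENTITLEMENTS = {
    ("SAP", "LOCKED_USERS"),
}


@dataclass(frozen=True)
class Finding:
    request_id: str
    requester: str
    target: str
    source: str
    entitlement: str
    reason: str


def check_removal(evt, scope=REVOKER_SCOPE, protected=PROTECTED_ENTITLEMENTS):
    """Return the findings for one access-removal audit event.

    The event layout used here (action, actor.name, target.name,
    attributes.sourceName, attributes.entitlementName, trackingNumber) is an
    assumption for this example; map it to your tenant's real audit schema.
    """
    if evt.get("action") != "ACCESS_REQUEST_REMOVE":
        return []
    req_id = evt.get("trackingNumber", "?")
    requester = evt["actor"]["name"]
    target = evt["target"]["name"]
    attrs = evt.get("attributes", {})
    source = attrs.get("sourceName", "")
    entitlement = attrs.get("entitlementName", "")
    findings = []
    if (source, entitlement) in protected:
        findings.append(Finding(req_id, requester, target, source, entitlement,
                                "protected entitlement removed via self-service"))
    allowed = scope.get(requester)
    # Requesters absent from the map (e.g. full admins) are deliberately unscoped.
    if allowed is not None and source not in allowed:
        findings.append(Finding(req_id, requester, target, source, entitlement,
                                "revoker acted outside its approved source scope"))
    return findings


def would_auto_approve(evt, approvers, auto_approval_enabled):
    """Model the auto-approval rule described in the thread: a removal request
    auto-approves only when the tenant flag is on and the requester is also
    one of the approvers. Otherwise it waits for a manual approval."""
    return bool(auto_approval_enabled) and evt["actor"]["name"] in approvers


def triage(jsonl_lines):
    """Run check_removal over JSON-lines audit events and collect findings."""
    findings = []
    for line in jsonl_lines:
        line = line.strip()
        if line:
            findings.extend(check_removal(json.loads(line)))
    return findings


# Constructed sample events for this example; not real tenant data.
SAMPLE_EVENTS = [
    json.dumps({"trackingNumber": "r-1001", "action": "ACCESS_REQUEST_REMOVE",
                "actor": {"name": "svc.support.a"}, "target": {"name": "jdoe"},
                "attributes": {"sourceName": "Source A", "entitlementName": "Finance Viewer"}}),
    json.dumps({"trackingNumber": "r-1002", "action": "ACCESS_REQUEST_REMOVE",
                "actor": {"name": "svc.support.a"}, "target": {"name": "jdoe"},
                "attributes": {"sourceName": "Source B", "entitlementName": "Dev Admin"}}),
    json.dumps({"trackingNumber": "r-1003", "action": "ACCESS_REQUEST_REMOVE",
                "actor": {"name": "alice.admin"}, "target": {"name": "contractor7"},
                "attributes": {"sourceName": "SAP", "entitlementName": "LOCKED_USERS"}}),
    json.dumps({"trackingNumber": "r-1004", "action": "ACCESS_REQUEST_ADD",
                "actor": {"name": "svc.helpdesk"}, "target": {"name": "jdoe"},
                "attributes": {"sourceName": "Source C", "entitlementName": "Reader"}}),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.request_id}: {f.requester} -> {f.target} "
              f"[{f.source}/{f.entitlement}]: {f.reason}")
```

Run against the constructed sample, r-1001 is clean, r-1002 is flagged because svc.support.a is only approved for Source A, r-1003 is flagged because LOCKED_USERS is protected regardless of who removed it, and the ACCESS_REQUEST_ADD event is ignored. Feeding real exported audit events through `triage` gives a daily review queue that approximates the per-source scoping and the "revocable" flag the thread asks for, without adding approval steps that would delay termination-driven deprovisioning.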