Can a user with the new “Access Revoker” level change the lifecycle state of other users?
Hi @abattou -
No, Access Revokers can see the lifecycle state of other users, but the edit option for that field is disabled. Likewise, the edit option for changing assigned user levels is disabled.
I granted one of our users the Access Revoker user level and it is now asking them to set up multi-factor authentication on a mobile device. We already have the Symantec VIP code required for login. Is an additional multi-factor required?
@tami_otto
I checked with our auth team and learned that this is related to a security feature we added for admin users a while ago. Because this revoker functionality is accessed under the Admin path, it applies to these users as well.
They do need to set this TOTP configuration up ONE TIME. They will never actually need to use this unless they have a need to log in to ISC independent of your SSO path (e.g., if your identity provider were unavailable and they needed to get in to ISC to revoke someone’s access). But they do need to follow the instructions provided here: Configuring Multifactor Authentication - SailPoint Identity Services to set this up once.
What’s the latest timeline for the Entitlement Revocation release?
Is it still planned for this week?
I am not sure whether the changes are implemented or not based on recent posts. But when I assign the Access Revoke level, the person doesn’t see any change in their Access or view.
I also don’t see that Managers can do, or that end users can request, Revocation.
Entitlement revocation is being rolled out this week. All customers should have the functionality by the end of Thursday (May 22).
When you assign the Access Revoker user level, that user should see the Admin menu in their top menu bar and should have the Identity Management page visible under it.
Managers should see the My Team card on their home page and end users should see the My Access card. Revocation is supported from those pages as documented here: Requesting Access Removal - SailPoint Identity Security Cloud User Help
If these things are not working for you as described, please open a support ticket for help.
Hi @jennifer_mitchell ,
Today, we have noticed that roles granted via access request are showing up as revocable “No” in the Admin page but displaying “Yes” for the managers in the “MyTeam” view. Has something changed? Do we have to enable something to allow assignment revocation for the “Admins” and the “Access Revoker” identities?
From Admin UI:
From MyTeam UI:
Thank you.
Shanmukh
The screenshots need to be updated to reflect the changes implemented in the new updates.
That’s right @Shanmukh
Exactly what I’m facing right now too in my customer environment:
Access (be it roles/access profiles/entitlements) requested through Request Center manually could earlier be revoked where a button with Revoke Assignment would show up. Now for some reason I don’t see it being an ISC admin.
@jennifer_mitchell Can you help check how defects land up in customer environments without being internally tested? The clients are equally frustrated about why they can’t see this option any longer.
Would really appreciate your inputs on this.
Thanks,
Arshad.