Hi @SarahKhan, thank you for your responses. I have some responses to this.
- We have noticed this and we had to update ALL access profiles that were not assigned to applications to prevent SailPoint from suddenly making them requestable without our intervention. I think making access profiles requestable by default is violating the principle of security by design. Since access profiles don’t have any approvers configured by default, they should also not be requestable by default. Now each time before you create and enable an access profile, you have to perform steps to prevent it being an access profile that is requestable by everyone for everyone without any approval needed. Roles are also not requestable by default after creating/enabling a role, so why are access profiles?
- Then this is allowing end users to bypass a security control. They can bypass the revocation approval process this way. The UI is using the wrong requestType here in my opinion.
- Perfect, thank you!
- Perfect, thank you!
- I haven’t seen your answer to question 5 yet. Could you please take a look at it?