Enhancement: Workflow Templates for Auto-Revocation of Entitlements

This is available in all sandbox and production tenants.

New Workflow templates enable admins to auto-revoke entitlements that are added out-of-band.

What are native changes / out-of-band changes?

Native changes, or out-of-band changes, occur when application admins provision access external to Identity Security Cloud. For example, a helpdesk user might use Active Directory Users and Computers to add groups to an account instead of instructing the account’s owner to submit an access request.

See the original Native Change Detection announcement for more details.

How do I implement the templates?

Admins should implement two templates using Workflows > + New Workflow > Start with a Template.

  • The Revoke Entitlement Additions Detected as Native Change Account Created template handles native changes detected during Account Create operations; it is executed by the Native Change Account Created trigger.
  • The Revoke Entitlement Additions Detected as Native Change Account Updated template handles native changes detected during Account Update operations; it is executed by the Native Change Account Updated trigger.

This assumes you’re using the recommended default configuration to monitor changes to all entitlement attributes for all account operations (Create, Update, and Delete).

[Image: Recommended default configuration]

What do the templates do?

These templates are identical in function except for the trigger that executes them. Here are the major steps:

Submit a Revocation Request for Each Entitlement Addition

The loop submits one revocation request for each entitlement addition detected in the native change event. Each revocation request is submitted through the Submit an Access Request endpoint with requestType: REVOKE_ACCESS.

The loop skips entitlements whose id is null, because a revocation request requires a valid entitlement id. An entitlement has a null id when it was seen on the account during account aggregation but does not yet exist in the entitlement catalog, which happens when entitlement aggregation runs after account aggregation instead of before it. If you see this, change your aggregation schedule so entitlement aggregation runs first. Note that a skipped entitlement is not revoked: it stays on the account until the source owner acts on the summary email or the entitlement is aggregated and the change is handled again.

Send Revocation Summary Email

This action sends an email to the source owner detailing each of the entitlement additions the workflow processed.

The Status column will print “Initiated Revoke” if the entitlement had a valid id. Otherwise, it will print “Skipped Revoke (Null Entitlement Id).”
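The following is an added example, not the template's own workflow definition or SailPoint code: it replays the two template steps in plain Python so you can see exactly what is sent and what the summary reports. The event payload is constructed for this example and its field names (changes, added, attribute) are an assumption, not the documented trigger schema; the request body shape (requestedFor, requestType, requestedItems) is the one accepted by POST /v3/access-requests. The ids are placeholders.

```python
"""Replay of the auto-revocation template logic: flatten entitlement additions
from a native-change event, build REVOKE_ACCESS bodies for the Submit an
Access Request endpoint, skip null ids, and render the owner summary."""
import json
from typing import Any, Dict, List, Tuple

# Constructed sample of a native-change event (Account Updated).
# Field names are an assumption for this example, not the trigger's real schema.
SAMPLE_EVENT: Dict[str, Any] = {
    "identity": {"id": "identity-0001", "name": "jane.doe"},
    "source": {"id": "source-0042", "name": "Corporate AD"},
    "account": {"nativeIdentity": "CN=Jane Doe,OU=Users,DC=corp,DC=example"},
    "operation": "UPDATE",
    "changes": [
        {
            "attribute": "memberOf",
            "added": [
                # Already in the entitlement catalog: has a valid id
                {"id": "ent-0101", "value": "CN=Domain Admins,OU=Groups,DC=corp,DC=example"},
                # Seen on the account but not yet aggregated: null id
                {"id": None, "value": "CN=App-Finance-RW,OU=Groups,DC=corp,DC=example"},
            ],
        }
    ],
}

STATUS_REVOKED = "Initiated Revoke"
STATUS_SKIPPED = "Skipped Revoke (Null Entitlement Id)"


def entitlement_additions(event: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Flatten every added entitlement across all changed attributes."""
    added: List[Dict[str, Any]] = []
    for change in event.get("changes", []):
        for ent in change.get("added", []):
            added.append({"attribute": change.get("attribute"), **ent})
    return added


def build_revoke_request(identity_id: str, entitlement_id: str, reason: str) -> Dict[str, Any]:
    """Body for POST /v3/access-requests with requestType REVOKE_ACCESS."""
    return {
        "requestedFor": [identity_id],
        "requestType": "REVOKE_ACCESS",
        "requestedItems": [
            {"type": "ENTITLEMENT", "id": entitlement_id, "comment": reason}
        ],
    }


def process_event(event: Dict[str, Any]) -> Tuple[List[Dict[str, Any]], List[Dict[str, Any]]]:
    """Return (revoke request bodies, summary rows) for one native-change event.

    Entitlements with a null id produce no request, only a 'skipped' row, so
    the source owner can see what was left in place."""
    identity_id = event["identity"]["id"]
    reason = (f"Auto-revoke: entitlement added out-of-band on "
              f"{event['source']['name']} ({event['operation']})")
    bodies: List[Dict[str, Any]] = []
    rows: List[Dict[str, Any]] = []
    for ent in entitlement_additions(event):
        row = {"attribute": ent["attribute"], "value": ent["value"]}
        if not ent.get("id"):
            row["status"] = STATUS_SKIPPED
        else:
            bodies.append(build_revoke_request(identity_id, ent["id"], reason))
            row["status"] = STATUS_REVOKED
        rows.append(row)
    return bodies, rows


def render_summary(event: Dict[str, Any], rows: List[Dict[str, Any]]) -> str:
    """Plain-text table equivalent to the summary email sent to the source owner."""
    lines = [
        f"Native change on {event['source']['name']} for {event['identity']['name']} "
        f"({event['account']['nativeIdentity']}):",
        "",
        f"{'Attribute':<10} {'Value':<50} Status",
    ]
    for r in rows:
        lines.append(f"{r['attribute']:<10} {r['value']:<50} {r['status']}")
    return "\n".join(lines)


if __name__ == "__main__":
    bodies, rows = process_event(SAMPLE_EVENT)
    print(json.dumps(bodies, indent=2))   # one REVOKE_ACCESS body for ent-0101
    print(render_summary(SAMPLE_EVENT, rows))
```

Each body returned by process_event is what the loop step posts to the Submit an Access Request endpoint; the summary shows the Domain Admins addition as "Initiated Revoke" and the not-yet-aggregated group as "Skipped Revoke (Null Entitlement Id)", so the owner knows that second group is still on the account.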

Could I see the template diagrams?

[Diagram: Revoke Entitlement Additions Detected as Native Change Account Created]

[Diagram: Revoke Entitlement Additions Detected as Native Change Account Updated]

What’s Next on the Roadmap?

Admins will be able to get started fast using Workflow templates to:

  • Send a notification email when native changes occur.
  • Micro-certify entitlements added through native change.

Submit Questions or Feedback

Submit questions or feedback, and we’ll be in touch.
