Hello everyone,
Currently there are two approval processes defined regarding access requests. One is the grant approval flow and the other is the revoke approval flow. Both can be configured independently: we can specify whether comments are required and who (0, 1 or multiple approvers) should review the request. At the very core, the goal of having these approvers is:
- Grant approvers: Ensure that receiving this additional access does not lead to problems (security risk, compliance, etc.)
- Revoke approvers: Ensure that revoking this access does not lead to problems (Employees not being able to perform work-critical actions, deprovisioning a particular role might trigger (lengthy or costly) processes that should not occur accidentally, security risk in case the access actually corresponds to NOT being able to do something, etc.)
In general it is quite easy to determine which approval flow needs to be called. If you request a role for someone who does not have the role yet, the grant approvers are needed. If you want to revoke a role that someone has, the revoke approvers are needed.
It becomes interesting when we consider expiration dates. At that point a lot more cases can occur that we need to take into account. Imagine an identity and any access object, and let's consider these 4 states:
- The identity does not have the access object
- The identity has that access object where the expiration date is 1 month from now
- The identity has the access object where the expiration date is 2 years from now
- The identity has the access object where there is no expiration date
Now we should determine for each possibility which approval flow we would want to be called when we make a request to go from one state to any other state. To me, it makes most sense that, in order to satisfy the goals of the approval processes, the following behavior occurs:
- State 1 to State 2, 3, or 4 → Grant approval process, as the identity will simply receive access.
- State 2, 3, or 4 to State 1 → Revoke approval process, as the identity will simply lose their access.
- State 2 to State 3 → Grant approval process, as the identity will get prolonged access. If we consider the delta of the request, we basically ask for this identity to receive access between 1 month from now and 2 years from now.
- State 3 to State 2 → Revoke approval process, as the identity will lose the access earlier. If we consider the delta of the request, we basically ask for this identity to lose access between 1 month from now and 2 years from now that they would otherwise keep.
- State 2 or 3 to State 4 → Grant approval process, as the identity will get prolonged access since we completely remove the expiration date.
- State 4 to State 2 or 3 → Revoke approval process, as the identity will now lose access (just not now, but in the future) that they would otherwise keep.
In general, if changing to a state with a larger number means gaining access, then going to a state with a lower number means losing access, right?
We want to ensure that no one can bypass the revoke approval flow simply by re-requesting access the identity already has, but this time with an expiration date of tomorrow.
So to determine whether to use the grant approval flow or the revoke approval flow, we need to take BOTH the begin state and the end state into account.
Please let me know if you agree/disagree here.