Fail Safe for inactive accounts

Which IIQ version are you inquiring about?

Version 8.2

Share all details related to your problem, including any error messages you may have received.

We have been running into a lot of situations where a termed identity after a while will become active again. If a user gets batched or a business role is created and does not explicitly have the assignment filter for employee status. I wanted to know if anyone knows a fail safe we can implement to help prevent this from happening.

Hi,
Depending on requirements there are a few options which you can use.

  1. Identity trigger on termination to remove all assigned roles (it won’t work for roles assigned via the assignment logic)
  2. Identity trigger on reinstate to recertify all accesses (good thing is you can even revoke roles assigned by the assignment logic)
  3. Enforce in the role modeler workflow that all roles which have assignment logic must have a relation to status unless explicitly approved
  4. Policy violation to detect combinations that are violating your policy - you can do that either on identity or role level
  5. Identity trigger to remove all roles on reinstate but see points 1 and 2

For the Policy option, I haven’t done much with that. But that would seem like the quicker option. What would be the best approach taking this route?

I would say solutions 1, 2, 4 and 5 are similar in terms of effort but they give you slightly different outcomes.
If you want to create a policy to detect this kind of situation, the easiest way is to create an advanced policy for that.


On the screen you see a policy configured for one particular role - you can either maintain the list of roles that are interesting for you manually in the rule, or you can just change Selection Method to rule, script or population to make it more dynamic.
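
The advanced policy described in the answer above can use a rule as its Selection Method. One way such a rule could look, as an added example that is not part of the original posts: it is a BeanShell rule body, it assumes termination is reflected in the identity's inactive flag, and the role names are hypothetical placeholders.

```java
// Added example: body of an IdentityIQ advanced-policy rule (BeanShell).
// IdentityIQ supplies these variables: context, log, identity, policy, constraint.
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import sailpoint.object.Bundle;
import sailpoint.object.PolicyViolation;

// Hypothetical role names; use an empty list to flag every role held.
List watchedRoles = Arrays.asList(new String[] { "Example Birthright Role", "Example VPN Role" });

// Assumption: a termed identity has its inactive flag set.
if (identity == null || !identity.isInactive()) {
    return null; // active identities are out of scope for this policy
}

// Collect assigned and detected roles, so roles granted by assignment
// logic and roles detected from entitlements are both checked.
List held = new ArrayList();
if (identity.getAssignedRoles() != null) held.addAll(identity.getAssignedRoles());
if (identity.getBundles() != null) held.addAll(identity.getBundles());

List offending = new ArrayList();
for (int i = 0; i < held.size(); i++) {
    Bundle role = (Bundle) held.get(i);
    String name = role.getName();
    boolean watched = watchedRoles.isEmpty() || watchedRoles.contains(name);
    if (watched && !offending.contains(name)) {
        offending.add(name);
    }
}
if (offending.isEmpty()) {
    return null; // inactive identity holds no watched role
}

// Raise one violation that lists every role still held.
PolicyViolation v = new PolicyViolation();
v.setActive(true);
v.setIdentity(identity);
v.setPolicy(policy);
v.setConstraint(constraint);
v.setStatus(PolicyViolation.Status.Open);
v.setDescription("Inactive identity " + identity.getName()
        + " still holds roles: " + offending);
return v;
```

The violation only appears when policies are checked for the identity, so the policy has to be included in the refresh or policy scan that covers inactive identities.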

I will go this route and test it out. Thanks for the assistance.
