I am having few queries related to roles/access profiles/entitlements:
When a user or identity changes his department, ideally the roles/access related to his previous department is removed and the new one is added. But is there a possibility for:
Setting a grace period before revoking his existing roles like using some workflow etc?
Before assigning the new roles, is it possible to trigger an approval to user’s manager?
Before revoking the existing role/access, is it possible to trigger an approval to user’s manager?
you can do this and it would be complex, here’s how you can do it.
Set AD dummy account attribute(today’s date would be value) on department change. You probably can do this using workflows but I have not confirmed this.
keep checking for grace period using that account attribute using workflow and revoke roles on that identity. Those roles would have setting configured for manager approval on revoke. Ideally I would go for access profile revocation instead of role and it would have manager approval configured on revoke.
You can do same for assigning new access.
That said and done I do not think you should add this overhead on managers. In real world managers should not be given too much of IAM decisions as they would have their actual work plus management and on top of this you are adding this overhead on them.
If you add too much of IAM work for anyone , they will start rubber stamping things.
You need to create an identity attribute to store when the department or any attribute changed. Once you have that you can make use of workflows and/or certification to fulfil your requirements.
In IIQ, We would have done that using Lifecycle events (Mover) and is a common requirement. The equivalent for Lifecycle events in IDN is Workflows.
But if a role is assigned to a user based on membership criteria, it will be auto assigned without going for any further approvals ryt? In my case before getting the role provisioned via assignment criteria, the IDN needs to validate which all access will be removed and added and after this validation, it need to submit a request to users managers for confirmation.
In the above scenario which you are explaining, the role must not contain any auto assignment criteria, instead it should be assigned through a workflow based on some identity attribute value.
Please let me know if there is any gap in my understanding.
Yes, Your understanding is correct, user gets/loose the Role immediately once refresh runs.
Roles with criteria cannot fit here, even if it goes for approval and rejected, still you cannot stop assigning the Role.
I don’t think you will be needing approvals like this for all Roles (With or Without criteria), only for some, if yes then manage them using Workflows by not having assignment criteria for the respective Roles, just like we do in IIQ mover Lifecycle event.
If all Roles then,
You cannot have Role with any criteria
Manage All Roles assignment using Workflows
That is huge dependency on Workflows. Also, we need to see complexity and possibilities using Workflows for the current requirement.
One cross-question,
We define the Role assignment criteria carefully.
HR System will maintain the data correctly.
If so, I will say no to this implementation.
For Roles without criteria, you do request through Request Center which anyway has approvals.
→ The correct requirement would be (from my perspective),
We have Roles assigned to user, some are assigned through criteria and some through access requests.
When user move from one department/location/jobTilte…etc to another then Roles with assignment criteria will be removed anyway,
What about Roles assigned through access requests ?
How can we remove them if required ?
Do we need to remove all of them ?
Can we decide what can be removed ?
Then we will suggest to go for certification, you might need workflows to trigger certification campaign here.