Dear community,
How do you manage your governance groups?
We are facing the same issue every now and then where people leave the organization and access requests get stuck, because members of the Governance Group are now down to 1 person who is OOO i.e.
Or we have things where certain departments are involved, obviously no one from the department informs the Admins of the change and again, people are wondering why they don’t get the approval when their colleagues do (because they weren’t added manually…)
There is currently so much manual effort behind Governance Groups and I was wondering if we just maybe are doing the governance part of the groups wrong or if we should build our own app outside of ISC to govern the groups.
Thank you for any insight!
Hello,
Yes, I agree this is a very common problem.
Let's say there are 2 users in a Governance Group and 1 is on leave; then the entire work pressure comes on a single person.
Hence, a proactive approach would be that the person who would be on leave should re-assign his work items to someone else.
This can be done in ISC by configuring the “Work Re-Assignment” tab in your identity cube in SailPoint ISC. Refer to the screenshot below.
Hence, it's a combination of both things.
- The technical part can be achieved using the WORK REASSIGNMENT functionality in ISC.
- Also, due diligence has to be followed by the person going OOTB or leaving the organization.
Happy to help more.
Thank You,
Regards,
Rohit Wekhande.
Thanks for your input Rohit.
We are aware of the “Work reassignment” part, but this again requires an end user to be diligent and set this up when they are OOO or an Admin to do so on behalf of the users when they are already gone.
While we are trying to promote this as much as possible, it still doesn’t solve people leaving etc.
Ya, when people leave, that becomes a problem.
You can use a PowerShell script or ISC workflow to dynamically add or remove the users from a Governance Group using the APIs below.
High Level Algorithm.
- Start
- Call the API named as “List Governance Group” members.
- Get the List of identities assigned to that Governance Group
- Check the LCS state of the identity. If it's “inactive/disable” (whichever LCS state you use in your organization to mark the identity which has left the organization), then call the API named as “Remove Members from Governance Group”.
- Then, call the “Add members to Governance Group” API and assign a peer or his manager to it so that we have a seamless flow and approval in place.
Note → You can also add forms in the ISC workflow where you can ask the Manager to provide consent and provide the name of a peer who can take the place of the employee leaving the organization.
Think about the above.
Regards,
Rohit Wekhande.
1 Like
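The high-level algorithm in the post above, as an added example in Python that is not part of the original thread and not SailPoint's code: it only computes which members to remove and which managers to add, and leaves the calls to the governance group APIs named in the post to the caller. The record fields, the lifecycle state names and the minimum approver count are assumptions.

```python
# Added example: plans membership changes only; it makes no API calls.
# Record fields (lifecycle_state, manager_id) are an assumed, simplified shape.
INACTIVE_STATES = {"inactive", "disabled"}  # assumption: your leaver LCS states
MIN_ACTIVE_APPROVERS = 2  # assumption: alert when a group would fall below this


def is_active(identity):
    """True when the record exists and is not in a leaver lifecycle state."""
    return identity is not None and identity["lifecycle_state"].lower() not in INACTIVE_STATES


def plan_group_changes(member_ids, identities):
    """Return (remove, add, alerts) for one governance group.
    member_ids: ids from the member listing; identities: id -> record."""
    remove, add, alerts = [], [], []
    staying = [m for m in member_ids if is_active(identities.get(m))]
    for member_id in member_ids:
        identity = identities.get(member_id)
        if identity is None:
            # Lookup failed: flag for a human instead of removing blindly.
            alerts.append(f"unknown identity {member_id}")
            continue
        if is_active(identity):
            continue
        remove.append(member_id)
        # Replace the leaver with their manager, but only when the manager is
        # active and not already in (or queued for) the group.
        manager_id = identity.get("manager_id")
        if not is_active(identities.get(manager_id)):
            alerts.append(f"no active replacement for {member_id}")
        elif manager_id not in staying and manager_id not in add:
            add.append(manager_id)
    if len(staying) + len(add) < MIN_ACTIVE_APPROVERS:
        alerts.append("group below minimum active approvers")
    return remove, add, alerts


# Constructed sample data, not taken from a real tenant.
SAMPLE_IDENTITIES = {
    "alice": {"lifecycle_state": "active", "manager_id": "dana"},
    "bob": {"lifecycle_state": "inactive", "manager_id": "dana"},
    "carol": {"lifecycle_state": "inactive", "manager_id": "erin"},
    "dana": {"lifecycle_state": "active", "manager_id": None},
    "erin": {"lifecycle_state": "inactive", "manager_id": "dana"},
}

if __name__ == "__main__":
    print(plan_group_changes(["alice", "bob", "carol"], SAMPLE_IDENTITIES))
```

Applying the additions before the removals keeps a group from being left without approvers between the two calls, and the alerts list is what should reach an admin.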
Ooh that looks like a good idea! I’ll look into this
Thanks! I am glad you liked the idea/solution
You can onboard the Identity Security Cloud Governance connector; this will be helpful to manage governance group and user level as an entitlement.
3 Likes