Grant access without going through the request center

Identity Security Cloud (ISC) ISC Discussion and Questions
, , ,
1

Hi All,
Anyone know a way to grant access to users without going through the request center. The downstream source is Active Directory, so an entitlement or access profile would sufice.

We have multiple hierarchy groups for an application in our environment and a requirement to add all employees to the least group in the hierarchy at onboarding but contractors have to get any of those groups by requesting them in the request center after the access is approved. Contractors access if fine. No problem :).

For employees however, it made perfect sense at first to put the least hierarchy group into the birthright role for employees.
The issue is that, users might get upgrade to higher hierarchy group down the line and they need to be removed from that group and then added to the next level group higher up the hierarchy. They cannot be in multiple hierarchy groups at once as that breaks the application.
Having user be in only one group at any point in time means we cannot use birthright groups for this.
Secondly, there’s a number of these sort of groups in the environment and I prefer not to have a roles created for every one of them as it doesnt make sense to have a role with only one entitlement in each of them.
Thirdly, since we want the least of these groups assigned at onboarding, we dont want any approvals fired off for employees. Request center wont work for this third requirement as contractors can abuse it and get unapproved access.
In summary, is there any automated way to grant employees birthright access to entitlement or access profiles without using roles and without requiring any sort of approval workflow? It’s very important to not have employees going to request center for this.
Thank you for you input.

1 Like
2

Hi @Ola51 ,
One way is to use workflows for this use-case.You can trigger a workflow when accounts are aggregated on AD source, then it has to call the http action node to create a access request then it has to call a action node- to approve access request.By this method you can grant access.I’m not whether it will work but you can try this out.
Thanks!!

3

You could still use Request Center, but then use segmentation to ensure that only employees see the access that is required under the ‘non-approval’ part.

Segment 1 - Employees Only
Access profiles that have no approval as per this requirements

Segment 2 - Everyone (Employees & Contractors)
All roles, access profiles, etc. that are normally requestable.

See here:

The alternative is indeed to setup a workflow with a trigger that performs the access request automatically, the choice of trigger is yours (see the documentation)

4

Thank you. I explored the workflow option already. But because the resource is configured with an approval requirement (for contractors), even if I set up a filter on the trigger to fire off on employees alone, its generating an approval still, with all of those access request emails that we do not want to see for employees.
I’m going to have a look at segments and see if that might work.
Thank you

5

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.