How to create Dummy Certifications in Sailpoint?

Phase change rule is something I haven’t looked into. Can you please share the references?

@RRR71
This is the option I am talking about.

I can’t recommend this approach, because it involves abusing the CertificationSignOffApprover rule for something it’s not meant to do, which I think is a serious code smell but…

In our environment, for a couple of our certifications, we are hijacking the CertificationSignOffApprover rule to mangle the CertificationAction on each CertificationItem where CertificationAction.Status.Remediated.equals(action.getStatus()). We do this:

        // Re-record the existing Remediated decision as NoActionRequired so the
        // decision is kept but nothing is handed to the provisioner.
        action.remediate(
          action.getDecisionCertificationId(),
          action.getActor(context),
          action.getActingWorkItem(),
          CertificationAction.RemediationAction.NoActionRequired,
          action.getOwnerName(),
          null,
          action.getComments(),
          null,
          null);

        // Mark the remediation as already launched so the remediation manager skips it.
        action.setRemediationKickedOff(true);

Then we create a dummy provisioning plan as follows:

  • Set the source, sourceId, and sourceName arguments in the plan
  • Create an AccountRequest with an AttributeRequest to remove the entitlement from the account. Looking at our code, I don’t think it correctly handles the possibility of a role being revoked…

We then store the plan in the CertificationAction with CertificationAction.setRemediationDetails.

That seems to be sufficient to prevent any provisioning, while retaining the decisions made.

If anyone has a cleaner way of accomplishing something like this, I would love to hear about it.

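As an added illustration of the approach described in the post above (this is not code from the original thread or from SailPoint), here is what the whole CertificationSignOffApprover rule body could look like when the loop, the remediate() call and the dummy plan are put together, with the role-revocation case the post says its own code does not handle. The rule variables certification, context and log are the ones IdentityIQ passes to this rule type; the argument order of remediate() is copied from the post; the helper name buildDummyPlan, the source string "Certification", and the ProvisioningPlan methods setSource/setSourceId/setSourceName and constants APP_IIQ/ATT_IIQ_ASSIGNED_ROLES are assumptions to be checked against the javadoc of the IdentityIQ version in use.

```java
// Added example, not the original poster's code. BeanShell rule body for a
// CertificationSignOffApprover rule: for every Remediated item, keep the decision
// but replace the remediation with NoActionRequired plus a dummy plan, so the
// certification records what was revoked without provisioning anything.
import java.util.Iterator;
import java.util.List;
import sailpoint.object.Certification;
import sailpoint.object.CertificationAction;
import sailpoint.object.CertificationEntity;
import sailpoint.object.CertificationItem;
import sailpoint.object.EntitlementSnapshot;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Hypothetical helper: build a plan that describes the revocation without being
// executed. Entitlement items remove the attribute value from the account; role
// items remove the assigned role on the IIQ pseudo-application (assumed constant
// names APP_IIQ and ATT_IIQ_ASSIGNED_ROLES).
ProvisioningPlan buildDummyPlan(Certification cert, CertificationEntity entity, CertificationItem item) {
    ProvisioningPlan plan = new ProvisioningPlan();
    plan.setSource("Certification");        // assumption: tag the plan with its origin
    plan.setSourceId(cert.getId());
    plan.setSourceName(cert.getName());

    AccountRequest acct = new AccountRequest();
    acct.setOperation(AccountRequest.Operation.Modify);

    if (CertificationItem.Type.Bundle.equals(item.getType())) {
        // Role revocation: the account is the identity itself on the IIQ application.
        acct.setApplication(ProvisioningPlan.APP_IIQ);
        acct.setNativeIdentity(entity.getIdentity());
        acct.add(new AttributeRequest(ProvisioningPlan.ATT_IIQ_ASSIGNED_ROLES,
                                      ProvisioningPlan.Operation.Remove, item.getBundle()));
    } else {
        // Entitlement revocation: one Remove request per attribute in the snapshot.
        EntitlementSnapshot snap = item.getExceptionEntitlements();
        acct.setApplication(snap.getApplication());
        acct.setNativeIdentity(snap.getNativeIdentity());
        if (snap.getAttributes() != null) {
            Iterator names = snap.getAttributes().keySet().iterator();
            while (names.hasNext()) {
                String name = (String) names.next();
                acct.add(new AttributeRequest(name, ProvisioningPlan.Operation.Remove,
                                              snap.getAttributes().get(name)));
            }
        }
    }
    plan.add(acct);
    return plan;
}

List entities = certification.getEntities();
if (entities != null) {
    for (CertificationEntity entity : entities) {
        List items = entity.getItems();
        if (items == null) continue;
        for (CertificationItem item : items) {
            CertificationAction action = item.getAction();
            if (action == null || !CertificationAction.Status.Remediated.equals(action.getStatus())) {
                continue;   // only revocations need to be neutralised
            }
            // Same call as in the post: keep the decision, switch to NoActionRequired.
            action.remediate(
                action.getDecisionCertificationId(),
                action.getActor(context),
                action.getActingWorkItem(),
                CertificationAction.RemediationAction.NoActionRequired,
                action.getOwnerName(),
                null,
                action.getComments(),
                null,
                null);
            action.setRemediationKickedOff(true);
            action.setRemediationDetails(buildDummyPlan(certification, entity, item));
            log.info("Neutralised revocation on item " + item.getId() + " for " + entity.getIdentity());
        }
    }
}

// No further sign-off approver: returning null ends the approval chain.
return null;
```

The rule relies on the sign-off flow persisting the certification it was handed; it does not commit anything itself, and it should only be attached to certifications that are explicitly audit-only, since any reviewer decision on them will never reach the connector.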

After a certain point, this is gonna revoke the access. I was looking to see if SailPoint can provide any feature where the certification admin or owner can choose if the certification is just for auditing purposes and no related action is needed.

Seems using provisioning plan or rule is the way out.

Thanks,
Radhika

Looks like setting up a provisioning rule is the only way.

Yes, they should, but unfortunately I don’t think any such option exists. To double-check, you can open a SailPoint support ticket and check with them.

Radhika,
I leveraged certification campaigns for our service account audit for my company. It wasn’t the prettiest, but it was a start.

I created a new identity profile dedicated to service accounts so that it was separate from my user accounts and their identity cubes, then tied it to an AD connector that specifically pulled in the LDAP filter memberOf=CN=Service Account Active…, a group that I created for this process. I did a few VLOOKUPs, and if an account was in my AD environment, was active and was not tied to an associate, it was added to this group to be reviewed.

Once I had all of these accounts queried, I ran a manager-based campaign in the search function using this entitlement. I noted the manager names and issued several formal communications stating that if this access was revoked these accounts would be disabled. Revoking this only removed the accounts from the group, so no access would be lost, but I would just take the remediation report and disable the accounts if they were revoked.

When a new service account is created, we put in alerts for any account that was not an associate, was active, and was missing this Service Account Active group, so that it wouldn’t be missing whenever we kick off these campaigns.

The next step is to automate disabling the account if it is removed from this group through a campaign. It may need to be done through PowerShell, but I have not crossed that bridge as of yet.
