How to find if an access for an identity got provisioned through birthright or through access request in SailPoint ISC?
Do we have any API which can tell us this?
Hi @bkumar592,
Just wanted to add on from my end: please check the value called revocable –> false, which means that access was provisioned through an automated assignment.
Identities –> access –> select access item –> revocation.
Hope it helps.
Kind regards,
Aayush
Thanks for the response, Aayush. I am looking for something like how the access got provisioned, like through birthright or through access request. Revocable true is applicable for Role, if I am not wrong, but I am looking for an answer entitlement-wise, and also, do we have any API for the same?
Hi @bkumar592
I think you should try to explore the revocable attribute, which is available when we run the search API for identities, in the access section.
If revocable is set as True for any Role, that means that access can be removed from access request. If it is false, then for Role most likely it is due to the fact that this access was assigned as birthright access.
For birthright provisioning, I think commonly a role should be preferred. Are you using entitlement here?
If it is on role level, then for entitlement specifically, I think you can also explore the standalone attribute, which as per my understanding specifies whether the entitlement is inherited from a role and access profile or if it is standalone and not coming from anywhere. This information could help you in identifying these entitlements which are assigned via birthright role.
I hope this helps, if you have any queries, please feel free to let us know.
Regards
Vikas.
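The two flags discussed above, applied to one identity document, as an added example that is not part of any post in this thread and is not SailPoint code. The document shape (an `access` list whose items carry `type`, `name`, `revocable`, `standalone`) and all sample values are assumptions, and the buckets only restate the posters' reading of the flags.

```python
import json

# Constructed sample: one identity document shaped like a search result from
# the identities index. Only the flags named in the thread (revocable,
# standalone) plus type and name are used; all values are made up.
SAMPLE_IDENTITY = json.loads("""
{
  "name": "jdoe.example",
  "access": [
    {"type": "ROLE", "name": "Base Employee", "revocable": false},
    {"type": "ROLE", "name": "Finance Analyst", "revocable": true},
    {"type": "ENTITLEMENT", "name": "CN=AllStaff", "standalone": false},
    {"type": "ENTITLEMENT", "name": "CN=VPN-Users", "standalone": true},
    {"type": "ENTITLEMENT", "name": "CN=Legacy"}
  ]
}
""")

def bucket_access(identity):
    """Group access items by the flags discussed in the thread.

    Buckets are review candidates, not proof of how an item was provisioned.
    """
    buckets = {
        "role_not_revocable": [],      # thread: likely automated assignment
        "role_revocable": [],          # thread: removable via access request
        "entitlement_inherited": [],   # standalone is false
        "entitlement_standalone": [],  # standalone is true
        "undetermined": [],            # flag missing or other item type
    }
    for item in identity.get("access", []):
        kind, name = item.get("type"), item.get("name", "<unnamed>")
        if kind == "ROLE" and isinstance(item.get("revocable"), bool):
            key = "role_revocable" if item["revocable"] else "role_not_revocable"
        elif kind == "ENTITLEMENT" and isinstance(item.get("standalone"), bool):
            key = "entitlement_standalone" if item["standalone"] else "entitlement_inherited"
        else:
            key = "undetermined"
        buckets[key].append(name)
    return buckets

if __name__ == "__main__":
    for key, names in bucket_access(SAMPLE_IDENTITY).items():
        print(f"{key}: {names}")
```

Items whose flag is absent land in `undetermined` rather than being guessed into either side.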
Hi @vguleria
Thanks for the response. For role, yes, I can see an attribute which tells revocable as true or false, but the question is only on the entitlements that were provisioned to the user as part of access request, and I can see standalone as false, so I want to know whether standalone false is through the access request or not.
Does standalone false mean that the access is not provisioned as part of birthright?
Thanks
Hi @bkumar592
Can you please confirm what the current setting is for your tenant? For example, do you have access request enabled for the entitlements or just the roles?
And how are you adding the birthright criteria? Is it only on roles or is it also via entitlement (not sure though how that will work)?
Thank You.
Regards
Vikas.
@bkumar592 Not sure about the API, but from the UI, for a particular identity, you can check in Identity Management → Access History. E.g. if the item has been provisioned via access request, it will be shown as follows:
What’s the business requirement that got you down this rabbit hole?
E.g. assume you’ve got your answer “Yes, this was given via birthright, or no, it was via access request.”…then what? What are you actually tackling, what is the end goal?
Hi Terry,
As part of inactivity management for AD, we are planning to revoke the entitlements that are provisioned through access requests.
Thanks
Narendra
Only revoking ISC-requested access? Or would you like that to cover all non-birthright access (e.g. including entitlements granted via out-of-band means)?
Yes, you are right, anything apart from birthright has to be revoked.
You can potentially bounce the LCS to termination and back to some inactive state (which could give them stripped down birthrights). While in the termination state, do a Remove All Access. Since the user is ‘inactive’, it should not have any user impact.
Or you can create a self-closing auto-revoke certification.
