How to remove access profiles from ISC GUI assigned to a user

Hi everyone,

We have developed an application consisting of access profiles in ISC GUI. Whenever a request is submitted through Request Center for any user, after approval the user is assigned access profiles.

We would like to know how to remove an access profile from any user that has been assigned through ISC GUI Request Center?

Thanks
Kalyan

Hi @kalyannambi2010,
Unfortunately, as an ISC admin, there is no GUI-based option to remove/revoke an access profile for an identity at this point in time. An admin can only submit role/entitlement revocations from the GUI. However, there are the following workarounds for revoking access profiles:

  • If you’re the manager of the identity that you want to revoke access for, you can navigate to Home tab > Click on ‘My Team’ > Search for the identity and request access profile revocation from there.
  • You can always create a certification campaign only for your target identity using search, make yourself the reviewer and revoke the access profile of the identity
  • And finally, the simplest approach is to use APIs with requestType as REVOKE_ACCESS : create-access-request | SailPoint Developer Community

Hope this helps.

Thanks,
Arshad.
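The API workaround mentioned in the reply above, sketched as an added example (not code from the thread or from SailPoint). Assumptions, based on the public v3 create-access-request documentation: the `/v3/access-requests` path, the `requestedFor` / `requestedItems` field names, the `ACCESS_PROFILE` item type, one identity per revoke request, and a comment on each revoked item; the tenant URL, token and ids are constructed placeholders.

```python
import json
import urllib.request

# Assumed from the public v3 API docs, not stated in the thread.
API_PATH = "/v3/access-requests"


def build_revoke_request(identity_id, access_profile_ids, comment):
    """Return the JSON body that revokes access profiles from ONE identity."""
    if not isinstance(identity_id, str) or not identity_id:
        raise ValueError("a revoke request takes exactly one identity id")
    if not access_profile_ids:
        raise ValueError("at least one access profile id is required")
    if not comment or not comment.strip():
        raise ValueError("a comment is required on a revoke request")
    return {
        "requestedFor": [identity_id],
        "requestType": "REVOKE_ACCESS",
        "requestedItems": [
            {"type": "ACCESS_PROFILE", "id": ap_id, "comment": comment.strip()}
            # dict.fromkeys de-duplicates while keeping the caller's order
            for ap_id in dict.fromkeys(access_profile_ids)
        ],
    }


def prepare_http_request(tenant_api_url, bearer_token, body):
    """Build (but do not send) the POST; pass the result to urlopen() to send."""
    if not tenant_api_url.startswith("https://"):
        raise ValueError("refusing to send a bearer token over a non-HTTPS URL")
    return urllib.request.Request(
        tenant_api_url.rstrip("/") + API_PATH,
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )


if __name__ == "__main__":
    # Constructed placeholder values; substitute real ids from your tenant.
    body = build_revoke_request("IDENTITY_ID_PLACEHOLDER",
                                ["ACCESS_PROFILE_ID_PLACEHOLDER"],
                                "Revoking access granted via Request Center")
    req = prepare_http_request("https://TENANT.api.identitynow.com",
                               "TOKEN_PLACEHOLDER", body)
    print(req.get_method(), req.full_url)
    print(json.dumps(body, indent=2))
```

The request still goes through whatever approval and provisioning flow the tenant has configured, so check the resulting access request status rather than assuming the profile is gone once the call returns.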

Hi @Arshad, thank you for the update. Could you please provide the details on where an admin can submit role/entitlement revocations from the ISC GUI?

Thanks
Kalyan

@kalyannambi2010, Inside your admin tab:

  • For role revocation : Navigate to “Access Model” tab > Click on “Roles” tab > Search for your role and click on “View Details” > Select “Identities” tab > Search for your user and click on “View Assignments” > Select “Revoke Assignment”
  • For entitlement revocation : Navigate to “Access Model” tab > Click on “Entitlements” tab > Search for your entitlement and click on it > Click on “Identities” tab > On the right extreme, you’ll find revoke button.

Note: You can only revoke roles/access profiles/entitlements that were manually requested from SailPoint. Any access that was added as birthright cannot be revoked.

Hope this helps.

Thanks,
Arshad.

Hi @kalyannambi2010,

Please check the link given below on Deprovisioning with Access Profile. Please read it; you will get some idea.

Thank you!

Hi @Arshad, thank you for the update.

In my ISC application we have some access profiles that were requested for some users through ISC Request Center, and they are granted. But when we navigate to those access profiles (“Access Model” tab > click on “Access Profiles” tab > search for your “Access Profiles” and click on “View Details”), it is not displaying the identities that have been assigned these “Access Profiles”. But when we navigate via “Identity Management” tab > “Human Identities” and select the particular identity, it shows “Access Profiles” under the “Access” tab.

Thanks
Kalyan

Hi @kalyannambi2010,

Correct. The ‘Identity’ option is available only for Role and Entitlement, but not for Access Profile.

Thanks.

@kalyannambi2010, this is exactly what I’ve mentioned in my initial response. You wouldn’t find the identities tab inside access profiles like how you see it for entitlements & roles.

Even if you navigate from the “Human Identities” tab and look at the access tab, it would just show you what access is assigned on the identity. You cannot directly revoke it from that screen.

No matter how you’ve navigated to view the access profiles on an identity, the GUI-based revocation capability is not available on ISC for access profiles. This is definitely a loss of functionality from SailPoint.

Hence, you can leverage any of the 3 options that I’ve suggested to accommodate removals of access profiles.

Thanks,
Arshad.