We have a requirement to create an identity request for each deprovisioning transaction that goes via Certifications, Policies, etc.
We are thinking of using IntegrationConfig to capture these provisioning requests and launch the LCM provisioning workflow for all deprovisioning.
Is there a way that we can configure IntegrationConfig to rely on the source of the provisioning plan and pass to the connector/IntegrationConfig accordingly?
Hi @mckiran12 - You can also launch the LCM provisioning workflow from the Connector After provisioning rule or the Certification sign off rule. This is less complex than the integration config approach. When we add an integration config, the integration config should also perform the target operation for the incoming provisioning request after creating the Identity request.
Hi @nithyamn13, but provisioning had already been completed. Because in the case of policy etc., provisioning and deprovisioning happened using internal SailPoint APIs. If the workflow is launched from the after provisioning rule, access had already been removed, so I am not sure it will provide any benefit. Just a thought.
Hi @mckiran12,
If it is for limited applications, then probably in the before provisioning rule, on the basis of source, you can launch the LCM workflow and remove the items from the plan. The LCM workflow will generate the identity request and will do the provisioning. Your before provisioning rule will not remove the item because the source will be different when it comes from the LCM workflow. You would have to do your due diligence for performance impact etc.
Hi @harsh_gupta4,
I have tried your option.
I launched the workflow (LCM Provisioning with approvals, policies and notifications disabled) in the before provisioning rule. It was able to launch the workflow as expected with all the needed plan/account requests, and I also emptied the plan in the before provisioning rule (plan=null) so that nothing would be provisioned by the original request. But for some reason it still goes to provisioning, even though I emptied the plan in the before provisioning rule after the successful launch of the workflow.
Hi @mckiran12,
Just double-check: provisioning might be going through from the LCM Provisioning workflow. Also, let's try dropping the Account Request from the plan instead of setting it to null. Good to know that we are getting there. Just little hiccups.
There are multiple options you can use. Below are two that we can implement:
- Signoff Rule:
In this rule, you can set RemediationKickedOff to true and create a provisioning plan that will be attached to the action. You can invoke a custom workflow and pass the provisioning plan into it. Within the custom workflow, you can either use the IdentityRequest API to create an identity request or leverage the out-of-the-box (OOTB) workflow.
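```java
import sailpoint.object.CertificationAction;
import sailpoint.object.ProvisioningPlan;

// accReq, attrReq and attrProvPlan are assumed to have been built earlier in the rule
if (action.getStatus().equals(CertificationAction.Status.Remediated)) {
    action.remediate(..........);
    // Mark remediation as already started
    action.setRemediationKickedOff(true);
    ProvisioningPlan provPlan = new ProvisioningPlan();
    accReq.add(attrReq);
    provPlan.add(accReq);
    provPlan.setArguments(attrProvPlan);
    // Attach the plan to the certification action
    action.setRemediationDetails(provPlan);
    // call workflow here and pass the provisioning plan as argument.
}
```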
- After Provisioning Rule:
You can use an After Provisioning rule to trigger an independent workflow based on a condition, specifically, if the provisioning plan was initiated from a certification object. This allows you to apply custom logic post-provisioning, ensuring actions are only taken when triggered by certification related events.
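
Added example, not code from any poster in this thread: a BeforeProvisioning rule body (BeanShell) for the source-based rerouting discussed above, which empties the original plan by removing its account requests in place, since reassigning the rule's `plan` variable does not change the plan object the caller holds. The workflow name, the workflow variable names and the `flow` value are assumptions based on the stock LCM Provisioning workflow, as is `plan.getIdentity()` being populated; verify them against your installation.

```java
// Added example: BeforeProvisioning rule body. 'context' and 'plan' are rule inputs.
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import sailpoint.api.Workflower;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.Source;
import sailpoint.object.WorkflowLaunch;

String src = plan.getSource();
boolean reroute = Source.Certification.toString().equals(src)
               || Source.PolicyViolation.toString().equals(src);

// A plan that already comes from LCM fails this test and is provisioned
// normally, which is what keeps the rule from re-launching the workflow forever.
if (reroute && plan.getIdentity() != null && plan.getAccountRequests() != null) {
    // Snapshot the list so the original plan can be modified safely later.
    List moved = new ArrayList(plan.getAccountRequests());
    ProvisioningPlan lcmPlan = new ProvisioningPlan();
    lcmPlan.setIdentity(plan.getIdentity());
    for (int i = 0; i < moved.size(); i++) {
        lcmPlan.add((AccountRequest) moved.get(i));
    }

    Map vars = new HashMap();   // variable names assumed from the stock workflow
    vars.put("identityName", plan.getIdentity().getName());
    vars.put("plan", lcmPlan);
    vars.put("flow", "AccessRequest");
    vars.put("source", Source.LCM.toString());
    vars.put("approvalScheme", "none");
    vars.put("notificationScheme", "none");
    vars.put("policyScheme", "none");

    WorkflowLaunch launch = new WorkflowLaunch();
    launch.setWorkflowName("LCM Provisioning");
    launch.setWorkflowRef("LCM Provisioning");
    launch.setCaseName("Deprovision (" + src + ") " + plan.getIdentity().getName());
    launch.setVariables(vars);
    new Workflower(context).launch(launch);

    // Strip the original plan only after the launch call returned, so a failed
    // launch raises an error instead of silently dropping the revocation.
    for (int i = 0; i < moved.size(); i++) {
        plan.remove((AccountRequest) moved.get(i));
    }
}
```

Check the resulting identity request for the rerouted revocation before relying on this; an emptied plan with no matching identity request means access that should have been removed is still in place.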