Introduction of a new flow between Certifier and SNC ticket creation

I have a requirement to introduce a new flow to assign the WorkItem to another group while the Certifier of the WorkItem is revoking it.

Could someone please advise if it is feasible to implement? If yes, please advise how.

With the minimal information you provide for your new flow, I think it might be a good idea to understand the Certification Phases, as it looks like the answer (aka your new flow) is already part of the Revocation phase.

See Phases of a Certification

So after an access review (by manager, app owner, …) [Active Phase], there can be a Challenge Phase where the users can challenge the decisions made. The Revocation Phase can be used to send out work-items to different identities/workgroups.

There are rule-types available to set specific assignments of created work items (for example WorkItemEscalationRule).

It might be a good idea to elaborate a bit more on what your requirement is, so we can provide a better/more specific answer/advice.

– Remold

Hi Remold, Thanks for your quick response.
Here is my requirement: As per the existing flow, when the certifier revokes any workItem it goes to ServiceNow and creates a ticket for revocation of access; however, as per the current requirement it should go to another level of approval, assigning to a particular workgroup, and based on their decision it will go to either ServiceNow or an email notification will be sent to the certifier mentioning why it cannot be revoked.

Hi Remold, any advice on my question?

There are 2 things in your question:

  1. another level of approval assigning to a particular workgroup
  2. decision it will go to either ServiceNow or an email notification will be sent to the certifier

Here are my thoughts on both points:

  1. This can be done in the ‘challenge phase’ of the certification, where you can use a ‘CertificationPhaseChange’-rule to change the assignment of the revocations to a particular workgroup (see Rules in IdentityIQ for the ‘CertificationPhaseChange’-rule).

  2. a) Lots of Email Notifications can be set for the challenge phase, see:

    b) ServiceNow tickets are basically created based upon a (de-)provisioning. There is a way to create a custom ServiceNow connector where a ticket can be created ad hoc when needed (we have one created for multiple customers which I am not allowed to share).
    More information on the ServiceNow integration can be found on the SailPoint documentation site.

So yes, it is possible to meet your requirements, but it is quite advanced to set it up. My advice is to contact a SailPoint Global System Integrator Partner or Professional Services to set this up.

– Remold

Thanks Remold for the valuable information.