Is it possible to finalize an access request only after the user responds to a form?

I have some critical accesses where access must be granted upon user acceptance in a form. I thought about using SailPoint forms so that the user receives access only after accepting the terms contained in the form. Is it possible to do this type of automation?

I haven’t found a way to integrate this form into the request flow.

Hi Bruno,

Yes, it’s possible. The ideal flow would be:

  1. Configure an Event Trigger, ‘Access Request Submitted’, to call a workflow.

  2. Create a new workflow, instantiate your form in this workflow, where the recipient is the targeted identity (using the variable from the trigger).

  3. By default, the workflow will remain pending until the form is submitted by the identity.

  4. After the form step, you can send a response back to the ETS so the Access Request can continue its normal flow.

  5. While the workflow is running, the Access Request will remain in “Access Request Preliminary Processing.”

This way, the identity will only receive access after answering the form.

Hope it helps,
Maria.

4 Likes

We utilize an approval step to handle responses from the end user. We set up a “Service Identity” called something like “Response_Required”.

We then have a few workflows to handle sending the initial form, sending nag emails to the person to complete the form, and another to approve based on the form being submitted.

@raibom you can use https action attaching with the form as shown below

Hello
Is it also possible to stop an automatic assignment of a role this way?
We have certain roles that get automatically assigned for granting access to some of our company systems. Those systems do sometimes need a check on the available licenses. We do this with a provisioning completed trigger, but stopping the automatic assignment would make sure the user never gets access before we have extended the licenses.

Alexander

Thanks for helping, @mariaLima03,

I don’t understand step 4 where you mention sending a response back to the ETS. Could you clarify what you mean by this?

Sure. When you use the ETS “Access Request Submitted”, you need to call back the ETS because this is a ‘REQUEST_RESPONSE’ trigger type. In your case, the Event Trigger should be configured as ‘ASYNC’, so the trigger service will provide a URL and a secret that the custom application (your workflow) can use to complete the invocation at a later time. This way, your Access Request will only go ahead after all steps in your workflow have passed and the callback to your ETS has been called.
This callback needs to be made in an HTTP Request action at the end of your workflow.
Some useful links to help you:
Access Request Submitted Trigger
Responding Event Triggers
Can you please mark my answer as solution? Hope it helps 🙂

2 Likes
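The callback described in the last reply, sketched as an added example that is not part of the thread and not SailPoint's own code. It builds the body for the final HTTP Request step and fails closed, so only an explicit acceptance approves the request and the secret is only sent to the expected host. Assumptions to check against the "Responding Event Triggers" page: the `_metadata.callbackURL` and `_metadata.secret` input fields and the `approved`/`comment`/`approver` output fields; the `acceptTerms` form key, the host suffix and all sample values are hypothetical.

```python
import json
from urllib.parse import urlsplit

# Assumption: callbacks for this tenant always point at this API host suffix.
ALLOWED_HOST_SUFFIX = ".api.identitynow.com"


def build_completion(trigger_input: dict, form_data: dict, approver: str):
    """Return (callback_url, json_body) for the workflow's final HTTP Request.

    Fails closed: anything other than an explicit acceptance is a denial.
    """
    meta = trigger_input.get("_metadata") or {}
    url, secret = meta.get("callbackURL"), meta.get("secret")
    if not url or not secret:
        raise ValueError("no callback URL/secret in trigger input (not ASYNC?)")

    parts = urlsplit(url)
    host = parts.hostname or ""
    # The secret authorizes completing the invocation: send it only over TLS
    # and only to the expected tenant API host.
    if parts.scheme != "https" or not host.endswith(ALLOWED_HOST_SUFFIX):
        raise ValueError(f"refusing to send secret to {host!r}")

    # 'acceptTerms' is a hypothetical form element key; only boolean True
    # counts, so a missing field or the string "true" results in a denial.
    accepted = form_data.get("acceptTerms") is True
    body = {
        "secret": secret,
        "output": {
            "approved": accepted,
            "comment": "Terms accepted" if accepted else "Terms not accepted",
            "approver": approver,
        },
    }
    return url, json.dumps(body)


# Constructed sample trigger input (not real tenant data).
SAMPLE_TRIGGER = {
    "_metadata": {
        "callbackURL": "https://example-tenant.api.identitynow.com"
                       "/beta/trigger-invocations/constructed-id/complete",
        "secret": "constructed-secret",
    }
}

if __name__ == "__main__":
    print(build_completion(SAMPLE_TRIGGER, {"acceptTerms": True}, "form-workflow"))
```

Keep the secret out of workflow comments and logs; it is what lets a caller complete the pending invocation.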