Is there a way to remove a user from an Access Profile from UI?
Hi @pkgupta1. It depends on how the access profile was assigned to the user, which is typically done through roles. Roles can be assigned to identities automatically through a membership criteria condition, or manually through a membership list. For example, if a user was manually assigned a role that contained the access profile via a membership list, simply remove them from the role.
If the identity was assigned the role through some criteria condition, then you need to make sure the identity doesn’t meet the criteria, either by updating an attribute on the identity or modifying the membership condition. In this example, the condition for access to this role is if the title account attribute on the Employees source is “Developer Advocate”. You can remove the identity by modifying their title on the source, or by changing the condition.
@colin_mckibben We can also assign the access profile through the application option in the request center. My question is only about that: when I assign access profiles to a user and would like to remove them, is there a way?
Also, is SailPoint planning to give a remove access tab anytime soon, like we have in IdentityIQ?
@pkgupta1 Typically the way this is done is by running a certification and revoking the access profile that way. Otherwise, another way to do this (outside of IDN) is to remove the entitlements on the account in the target source and then run an aggregation. This assumes there is no role associated with the access profile.
I believe you can also remove an access profile via API, by submitting an access request.
We use the API as Jason described above to do this in our environment.
However, on the question of how to do it via the UI, the only option at the moment is for the user themselves or the 1up manager to remove it via the “My Access” and “My Team” dashboard items.
Unfortunately the request centre for some reason does not give a “remove” option. Probably because the approval workflow for removal is separate from the request workflow and seems to have defaulted to blank. If SailPoint were to enable this functionality in the request centre it’s quite feasible a lot of organisations would suddenly find themselves in the situation where anyone could remove anybody else’s access to anything without approval!
One thing you can do in the request centre though is to simply request the access and assign an end date of tomorrow.
Not an ideal solution, but it works.
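The API route and the end-date workaround mentioned in the replies above, sketched as an added example (not code posted by anyone in this thread). It targets the IdentityNow v3 `POST /v3/access-requests` endpoint; the tenant URL, token, and all IDs are placeholders or constructed values, and the one-identity and comment checks for revokes are assumptions about the API's rules for revoke requests.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Placeholder tenant URL (assumption): substitute your own tenant.
TENANT_API = "https://TENANT.api.identitynow.com"

def build_access_request(identity_ids, access_profile_id, comment,
                         revoke=True, end_after_days=None):
    """Build the JSON body for POST /v3/access-requests.

    revoke=True  -> REVOKE_ACCESS (the API route from the thread)
    revoke=False -> GRANT_ACCESS, optionally with a removeDate
                    (the "end date of tomorrow" workaround)
    """
    if revoke and len(identity_ids) != 1:
        # Assumed API rule: a revoke is submitted for one identity at a time.
        raise ValueError("submit revoke requests for one identity at a time")
    if revoke and not comment.strip():
        # Assumed API rule: revokes carry a comment, which also feeds the audit trail.
        raise ValueError("a revoke request needs a comment")
    if revoke and end_after_days is not None:
        raise ValueError("removeDate only applies to grant requests")
    item = {"type": "ACCESS_PROFILE", "id": access_profile_id, "comment": comment}
    if end_after_days is not None:
        end = datetime.now(timezone.utc) + timedelta(days=end_after_days)
        item["removeDate"] = end.strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "requestedFor": list(identity_ids),
        "requestType": "REVOKE_ACCESS" if revoke else "GRANT_ACCESS",
        "requestedItems": [item],
    }

def to_http_request(body, token):
    """Wrap the body in an authenticated POST; the caller decides when to send it."""
    return urllib.request.Request(
        TENANT_API + "/v3/access-requests",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"},
    )

if __name__ == "__main__":
    # Constructed sample IDs, not real identities or access profiles.
    body = build_access_request(["IDENTITY_ID_PLACEHOLDER"],
                                "ACCESS_PROFILE_ID_PLACEHOLDER",
                                "Access no longer required after team change")
    print(json.dumps(body, indent=2))
    # To submit: urllib.request.urlopen(to_http_request(body, "TOKEN_PLACEHOLDER"))
```

Whether the revoke goes through an approval step depends on the tenant's access request configuration, so check that before scripting revocations in bulk.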