Is there an option to mass revoke access in IdentityNow? Currently access can be revoked via manager access revocation, cert campaign revocation or API revocation. We recently received a request from an IT Manager asking if we can mass revoke access since they wanted to revoke over 500 access profiles in a user’s app account. Any best practices?
Without knowing more about the criteria for mass revoking, I would think the single identity cert campaign is the ideal approach since it is built into the UI and allows the manager to choose which items to revoke.
If the IT manager already has a list of access items to revoke, then you could utilize the submit access request API to create a single request to revoke specific items.
Thank you, Colin. The manager wanted to revoke access for a single identity. But they needed to revoke over 600 access profiles and a cert campaign would provide a similar experience wherein they have to individually revoke every single access profile in the list for an application. Will revocation via APIs provide us a proper audit trail? Our team did think of that but were wondering if it is acceptable from an audit standpoint. A future enhancement could be having revoke at the application level as well as access profiles, roles and entitlements which is far less time consuming and will revoke any app access the user has.
The cert campaign would provide the best audit experience, as you can easily get the report details from that particular campaign. If you go the API route, you would have to query the API and build a report using the get completed access requests API, which wouldn’t be as straightforward.
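As an added example (not code from this thread or from SailPoint): one way to prepare the API revoke discussed above for a single identity, building the request bodies plus a local manifest that can later be reconciled against the completed access requests. The body field names follow the IdentityNow v3 submit access request API as understood here; the batch size of 25, the IDs and the comment are assumptions to check against your tenant's API documentation.

```python
import json
from typing import Iterable


def build_revoke_requests(identity_id: str, access_profile_ids: Iterable[str],
                          comment: str, batch_size: int = 25) -> list[dict]:
    """Build revoke request bodies for ONE identity, split into batches.

    batch_size is an assumed per-request item limit; adjust to your tenant.
    """
    if not comment.strip():
        raise ValueError("a revoke comment is needed for the audit trail")
    if batch_size < 1:
        raise ValueError("batch_size must be at least 1")
    # De-duplicate while preserving order so no item is revoked twice.
    ids = list(dict.fromkeys(i.strip() for i in access_profile_ids if i.strip()))
    if not ids:
        raise ValueError("no access profile IDs supplied")
    payloads = []
    for start in range(0, len(ids), batch_size):
        payloads.append({
            "requestedFor": [identity_id],      # revoke targets a single identity
            "requestType": "REVOKE_ACCESS",
            "requestedItems": [
                {"type": "ACCESS_PROFILE", "id": i, "comment": comment}
                for i in ids[start:start + batch_size]
            ],
        })
    return payloads


def audit_manifest(payloads: list[dict]) -> list[dict]:
    """Flatten the request bodies into one row per revoked item for later review."""
    return [
        {"batch": n, "identity": p["requestedFor"][0],
         "item_type": item["type"], "item_id": item["id"], "comment": item["comment"]}
        for n, p in enumerate(payloads, start=1)
        for item in p["requestedItems"]
    ]


if __name__ == "__main__":
    # Constructed sample input: placeholder identity and 600 placeholder IDs.
    sample_ids = [f"ap-{n:04d}" for n in range(600)]
    bodies = build_revoke_requests("identity-id-placeholder", sample_ids,
                                   "Revocation requested by IT manager")
    print(len(bodies), "request bodies,", len(audit_manifest(bodies)), "manifest rows")
    print(json.dumps(bodies[0]["requestedItems"][:2], indent=2))
```

Keeping the manifest alongside the submitted request bodies gives reviewers a fixed list to compare with what the completed access requests API later reports.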
There is actually another way to do this via the UI, with an option to perform the same steps via API if necessary.
- Navigate to the search tab in IDN, and click on the “Certification Campaigns” item in the sidebar.
- Create new campaign. Search for access.
- If you can get all of the access items you need to certify from a single search query, select All Access Items Returned by a Query. If you need to run multiple queries and then select individual access items from each result set, select Specific Access Items that I Select. I’ll use the second option for this demo.
- Run as many queries as you need while adding the access items you want to the campaign.
- Once you have added all of the access items you want to the campaign, click Certify Access. You will be presented with an option to certify all identities that have this access, or a set of identities that you choose. Select the latter option to pick out the individual identity you want for this campaign.
- Add the identity to the campaign and click Continue. Now you will see the familiar cert campaign details screen where you will actually create the final campaign that will be activated later.