Looking for guidance on Account Certifications (excluding Entitlements, APs, and Roles)


Hello All,

The problem

I have a use case where I need to create a certification to a specific source and disable that access if it is not needed. This would need to be done in two phases:

  1. For correlated accounts, the user's line manager
  2. For uncorrelated accounts (most of which are non-human accounts), the source owner.

What I have done

I have been scouring the forums most of the day and it seems like this is not possible. There is only the ability to certify Entitlements, Access Profiles and Roles. The users in question are still employed, but just do not need access to the application anymore.

I am able to pull the correlated users based on the query @accounts(source.name: source1), but when setting up the certification I cannot select anything that would disable/delete the account.

Call for help

Am I trying to do something that ISC just is unable to do, or has someone found a solution to this yet?

Here are posts that I have already checked out, but they are dated by a bit.

Hello @michael_mckeehan. Unfortunately, deleting or disabling accounts on access reviews is not possible in ISC. This can be achieved only through lifecycle states.

If you want to disable the account when someone revokes the specific entitlement, then this can be done using a BeforeProvisioning rule. E.g., if the manager revokes entitlement “ABC”, then disable the account. But this approach may not fit your requirement.
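
A sketch of the BeforeProvisioning approach described in the reply above, added here as an example; it is not code from either poster or from SailPoint. It assumes the source's entitlement attribute is named "groups" (hypothetical) and uses "ABC" from the reply as the marker entitlement; `removesMarker` is a helper name made up for this sketch.

```java
// Body of a BeforeProvisioning rule (BeanShell). The rule engine supplies
// "plan" (sailpoint.object.ProvisioningPlan); it is not declared here.
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Assumptions (not from the thread): the entitlement attribute on the
// source is called "groups"; "ABC" is the marker entitlement from the reply.
String ENTITLEMENT_ATTR = "groups";
String MARKER_VALUE = "ABC";

// Hypothetical helper: true when this attribute request removes the marker.
boolean removesMarker(AttributeRequest attrReq) {
  if (attrReq == null || !ENTITLEMENT_ATTR.equals(attrReq.getName())) {
    return false;
  }
  if (!ProvisioningPlan.Operation.Remove.equals(attrReq.getOperation())) {
    return false;
  }
  // The value may be a single string or a list of entitlement values.
  Object value = attrReq.getValue();
  if (value instanceof List) {
    return ((List) value).contains(MARKER_VALUE);
  }
  return MARKER_VALUE.equals(value);
}

if (plan != null && plan.getAccountRequests() != null) {
  for (AccountRequest acctReq : plan.getAccountRequests()) {
    // Only rewrite ordinary modifications; leave create/delete/enable alone.
    if (!ProvisioningPlan.AccountRequest.Operation.Modify.equals(acctReq.getOperation())) {
      continue;
    }
    List attrReqs = acctReq.getAttributeRequests();
    if (attrReqs == null) {
      continue;
    }
    for (int i = 0; i < attrReqs.size(); i++) {
      if (removesMarker((AttributeRequest) attrReqs.get(i))) {
        // A certification revoke of the marker becomes an account disable.
        acctReq.setOperation(ProvisioningPlan.AccountRequest.Operation.Disable);
        break;
      }
    }
  }
}
```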

Thanks for confirming. Using the before provisioning rule may be fine if it were just an account or two, but we are looking at potentially 100 or so accounts that this would be applied to. I would think that this would be a basic thing that any IGA tool would provide (ability to manage accounts independent of lifecycle states). I guess a trip to the Ideas Portal is in my future.