New Capability: Entitlement Revoke API

Hi there Colin, nice implementation!

Is it not possible to revoke access to criteria-based access such as birthright roles?

I am getting this error message:

{
    "detailCode": "400.1 Bad request content",
    "trackingId": "f475f901f3654f729c30463b1bd53283",
    "messages": [
        {
            "locale": "und",
            "localeOrigin": "REQUEST",
            "text": "The following access item(s) cannot be revoked from identity (\"79d9dc25223f409090eb0e61bd9304dc\"): 9ec77ae34da84d35ad08ee0d5ba01061. "
        },
        {
            "locale": "en-US",
            "localeOrigin": "DEFAULT",
            "text": "The following access item(s) cannot be revoked from identity (\"79d9dc25223f409090eb0e61bd9304dc\"): 9ec77ae34da84d35ad08ee0d5ba01061. "
        }
    ],
    "causes": []
}

I am guessing that it’s because it is a criteria-based role that manual revocation won’t work, right? I am having the same issue in our deprovisioning workflow, which fetches all access but throws an error if it catches any birthright access at all… We want to deprovision all access at a certain LCS except for 1 birthright role that manages sync to another domain in Active Directory; therefore, this error is messing up the workflow a bit.

But in regard to the question, am I right that it isn’t possible to revoke birthright access manually?

Best regards,
Sebastian
