An expanded access request API which allows you to revoke IDN entitlement assignments.
Previously, IDN would restore entitlement assignments that were removed in source systems unless they were revoked through a user access certification action in IDN. This new API allows you to revoke the IDN direct entitlement assignment which removes the assignment in IDN and de-provisions the entitlement in the source system.
Are there any limitations?
The new API is limited to a single entitlement revocation action per individual access request.
Entitlement revocation approvals are not supported in the initial release.
“Previously, IDN would restore entitlement assignments that were removed in source systems unless they were revoked through a user access certification action in IDN.” → I don’t think this was the case. If you remove entitlement in end system they were not assigned back by idn unless you are using role based assignment. Roles are sticky and they re-provision access back for both category, criteria based or access request based. If you would have assigned those entitlements through application(request centre application) or they were assigned on end system before idn then they were not assigned back in case of removal.
For this new API, if we have 2 entitlements E1, E2 part of Access profile AP1 and AP1 was assigned as part of request centre(through application which is not sticky like role) and if we remove entitlement E1 through api what would happen? Would it still show AP1 access profile assigned to identity or it would remove AP1 access profile, E1 entitlement from identity and only show E2 under accounts.
Is it not possible to revoke access to criteria-based access such as birthright roles?
I am getting this error message:
{
"detailCode": "400.1 Bad request content",
"trackingId": "f475f901f3654f729c30463b1bd53283",
"messages": [
{
"locale": "und",
"localeOrigin": "REQUEST",
"text": "The following access item(s) cannot be revoked from identity (\"79d9dc25223f409090eb0e61bd9304dc\"): 9ec77ae34da84d35ad08ee0d5ba01061. "
},
{
"locale": "en-US",
"localeOrigin": "DEFAULT",
"text": "The following access item(s) cannot be revoked from identity (\"79d9dc25223f409090eb0e61bd9304dc\"): 9ec77ae34da84d35ad08ee0d5ba01061. "
}
],
"causes": []
}
I am guessing that it’s because it is a criteria-based role that manual revocation won’t work, right? I am having the same issue in our deprovisioning workflow that fetches all access, however throws an error if it catches any birthright access at all… We want to deprovision all access at a certain LCS except for 1 birthright role that manages sync to another domain in active directory, therefore this error is messing up with the workflow a bit.
But in regards to the queston, am I right that it isn’t possible to revoke birthright access manually?
Hi Sebastian, You’re correct. It’s not possible to revoke access that has been assigned through role criteria but the response should have indicated that. So I’m not sure if that’s what caused this error. Can you provide details of the request?
Patrick
In IDN entitlement assignments are sticky as well as roles. If the assignment is removed in the target system, IDN will attempt to re-provision the access on the next identity refresh/aggregation.
In this case, IDN would remove AP1 from the user since they will no longer have all of AP1’s entitlements. The user would continue to have E2 assigned.
In IDN entitlement assignments are sticky as well as roles. If the assignment is removed in the target system, IDN will attempt to re-provision the access on the next identity refresh/aggregation.
Are all source entitlements “sticky” or only the ones directly requested via access request in IDN? If only the ones requested in IDN, how do you identify which ones are “sticky”.
Hi @johnpaul_tran, only the entitlements which are requested through Access Request are sticky.
There is currently no good and best way to find out which ones are sticky but you could use the “Completed Access Request Approval API” to get list of all entilement approvals. (Entitlement Request Approval should be enabled)
What would cause an entitlement revoke to return the message "some items are not revocable" - does the sticky entitlement circumstance apply with the message posted earlier in this post as well? ``The following access item(s) cannot be revoked from identity"
It was originally received through a role, and at some point, it appears the entitlement was removed from the role, and after this, the role was removed from the identity, so the entitlement was not removed - recreating this particular series of events has not been an easy task - nevertheless - the entitlement is listed as “revocable:false” so I’m sure the same applies.