Hi
When certification is signed off by the reviewer, SailPoint performs the actions based on the reviewer’s decision. If any of the actions like revoking access or entitlement failed, how can we trigger notification or capture the failed actions or re process the failed actions automatically after few seconds?
Thanks in advance.
the clean way to notify/capture failed “revoke” actions from certifications is to listen to Provisioning Completed (not “Certification Signed Off”).
Certification Signed Off only tells you the certification moved to End (it does not carry provisioning success/failure details).
Provisioning Completed fires after ISC provisions, and provisioning events occur in Certification, so it’s the right trigger to detect failed revokes and notify.
recommended pattern
1. Create a Workflow or Webhook subscription on Provisioning Completed.
2. Add a trigger filter to only fire on failures, for example:
$[?($.errors.length() > 0)]
3. In the workflow, send email / Slack / ServiceNow ticket including fields from the trigger payload like trackingNumber, sources, recipient, errors, and accountRequests (so you know exactly what failed).
Certifications only provision removal for access acquired through Access Request. Certifications cannot revoke access acquired via role membership or lifecycle changes—so if the item is role/lifecycle-driven, remediation won’t work (or will be re-granted).
For “auto reprocess after a few seconds”:
ISC doesn’t provide a native “retry in seconds” for certification remediation. If you truly need auto-retry, implement it inside the workflow (e.g., Wait, re-check access still exists, then re-attempt via your remediation process / ticketing).
If that solution work for you mark as solution
To close the issue
Amr
@amrdodani Doesn’t ISC immediately submit revoke requests as soon as the approver marks the access as revoked ? or will it wait till the approver signs-off the campaign ?
when the reviewer clicks Revoke, that’s a decision recorded (still changeable). ISC does not submit the deprovision/remediation request at that moment. The platform initiates removal of revoked access when the certifier signs off the certification (and then it’s immediate/automatic for direct-connected sources, or becomes a manual remediation task if the source can’t be provisioned)
Use the available trigger “Provisioning Completed“ with filter on action as “certification” and “accountRequests.provisioningResult” as “failed”“ and take the required action like resubmit an access request to revoke or to send an email etc.
status: Failure AND created: [now-1d TO now]
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.