Notifications for Entitlement Owners Being Terminated or Deleted

:bangbang: Please be sure you’ve read the docs and API specs before asking for help. Also, please be sure you’ve searched the forum for your answer before you create a new topic.

Please consider addressing the following when creating your topic:

  • What have you tried? I have tried setting up the ISC Governance Connector as well as building out a workflow for this. I would prefer to figure out the workflow. Kinda surprised more users have not requested this.

  • What errors did you face (share screenshots)? No errors as I cannot build a proper workflow or see how this will work.

  • Share the details of your efforts (code / search query, workflow json etc.)? I tried Copilot's suggestion of a workflow, building a search query… nothing seems to give me any indication it will work, which is why I am not going to post my findings.

  • What is the result you are getting and what were you expecting? No results. Just wondering if anyone has anything built for notifying when owners or approvers are removed from an entitlement or access profile. Thanks

Hi @mikenawara

Can you please share more about the requirement for your workflow?

Hi @mikenawara

You can set up a notification using a General Policy:

  • A good starting point for the search query would be - owns.entitlements.name:* AND attributes.cloudLifecycleState:deleted
  • The violation owner can be set to your required person

Hope this helps!

Ok this is actually super helpful! I am going to test this out… do you happen to know of a way to set up a violation for approval governance groups that have no identities assigned? Or some sort of a policy that would notify if there are no approvers? I am going to look into this as well. Thank you!

To explain further… our auditors have required that all of our entitlements being requested (specifically AD) have a proper approver and show it is happening. Since we have well over 2,000 Active Directory security groups, there are plenty that are asked for within our ticket system, where our helpdesk looks at the AD groups' "managed by" section or SailPoint to see who the owner is for approval. Since users come and go, many of these go blank and require us to locate a new owner on the fly. For requirements, I would like to have an owner\approver for all of my Active Directory security groups and get notified when someone who is an owner\approver leaves our company. I have found that keeping this accurate on the AD side is not great. I want to have it all managed in SailPoint. Additionally, I have another 400 roles with many governance groups that I would like to get notifications for if the group goes empty. Maybe I am asking for too much or need to approach this a different way? Thanks
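The General Policy answer above flags identities that still own entitlements while in the deleted lifecycle state, and the follow-up asks for two further checks: entitlements whose owner/approver slot has gone blank, and approval governance groups with no members left. The script below is an added example written for this thread, not code from the original posts or from SailPoint. It evaluates the same three conditions locally over a small constructed data set so you can see exactly what each check would surface before wiring it into a policy. Field names such as `lifecycle_state`, `owned_entitlements` and `members` are assumptions that mirror the search-query fields `attributes.cloudLifecycleState` and `owns.entitlements.name`; they are not the ISC schema and nothing here calls the ISC API.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Identity:
    name: str
    lifecycle_state: str                      # stands in for attributes.cloudLifecycleState
    owned_entitlements: List[str] = field(default_factory=list)  # stands in for owns.entitlements.name


@dataclass
class Entitlement:
    name: str
    owner: Optional[str]                      # identity name, or None when "managed by" is blank


@dataclass
class GovernanceGroup:
    name: str
    members: List[str]                        # identity names that can approve requests


def owners_in_state(identities: List[Identity], state: str = "deleted") -> List[str]:
    """Local equivalent of the policy query in the thread:
    owns.entitlements.name:* AND attributes.cloudLifecycleState:deleted
    i.e. identities that still own at least one entitlement while in the given state."""
    return sorted(i.name for i in identities
                  if i.owned_entitlements and i.lifecycle_state == state)


def unowned_entitlements(entitlements: List[Entitlement], identities: List[Identity]) -> List[str]:
    """Entitlements with no usable approver: owner blank, or owner not an active identity."""
    active = {i.name for i in identities if i.lifecycle_state == "active"}
    return sorted(e.name for e in entitlements if e.owner is None or e.owner not in active)


def empty_governance_groups(groups: List[GovernanceGroup], identities: List[Identity]) -> List[str]:
    """Approval groups with no active member, i.e. requests routed there cannot be approved."""
    active = {i.name for i in identities if i.lifecycle_state == "active"}
    return sorted(g.name for g in groups if not any(m in active for m in g.members))


def build_report(identities: List[Identity], entitlements: List[Entitlement],
                 groups: List[GovernanceGroup]) -> Dict[str, List[str]]:
    """One report combining the three checks; this is what a notification would carry."""
    return {
        "deleted_owners": owners_in_state(identities, "deleted"),
        "unowned_entitlements": unowned_entitlements(entitlements, identities),
        "empty_governance_groups": empty_governance_groups(groups, identities),
    }


# Constructed sample data (not from any real tenant).
SAMPLE_IDENTITIES = [
    Identity("alice", "active", ["AD-Finance-Admins"]),
    Identity("bob", "deleted", ["AD-HR-Readers"]),      # left the company, still listed as owner
    Identity("carol", "active"),
    Identity("dave", "inactive", ["AD-VPN-Users"]),     # disabled but not yet deleted
]
SAMPLE_ENTITLEMENTS = [
    Entitlement("AD-Finance-Admins", "alice"),
    Entitlement("AD-HR-Readers", "bob"),
    Entitlement("AD-VPN-Users", "dave"),
    Entitlement("AD-Legacy-App", None),                 # "managed by" never filled in
]
SAMPLE_GROUPS = [
    GovernanceGroup("Finance Approvers", ["alice", "carol"]),
    GovernanceGroup("HR Approvers", ["bob"]),           # only member is deleted
    GovernanceGroup("Legacy Approvers", []),
]

if __name__ == "__main__":
    for check, hits in build_report(SAMPLE_IDENTITIES, SAMPLE_ENTITLEMENTS, SAMPLE_GROUPS).items():
        print(f"{check}: {', '.join(hits) if hits else '(none)'}")
```

The deleted-owner check is the narrow condition the policy query expresses; the other two are wider, since an entitlement owned by a disabled-but-not-deleted identity, or a group whose only member is gone, is just as unapprovable from the auditor's point of view. If you adopt the policy as suggested, it is worth deciding which of the wider conditions you also want a violation for, because a query keyed only on the deleted lifecycle state will not raise the blank "managed by" case at all.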