Remove roles from Oracle ERP Cloud

Hello everyone

I am integrating the Oracle ERP application with the native SailPoint Oracle ERP Cloud connector. Some roles will be added to the accounts by birthright and also through access requests. The question I have is whether, when the account is disabled, the native connector will withdraw all the roles assigned to it by birthright and on request. Does anyone know if it does this natively?

I hope you can guide me
Greetings.

Depending on your use case there are two different mechanisms to automatically provision access: Lifecycle States and Roles.

With Lifecycle States, you can provision an access profile that all users who are in that lifecycle state will receive. For example, all identities may need an access profile that provides a base Active Directory account or a self-service account in the ERP. The entitlements from that access profile will remain provisioned as long as the identity remains in that lifecycle state. If the user moves to another lifecycle state that does not include the access profile, say “inactive”, the access will be removed during identity processing.

If you are using Roles with membership criteria to provision access, whether the access remains when the user is disabled will be based on your criteria. For example, if you have a role that is assigned to all identities with the Title of “Accounts Receivable Analyst”, you can add into your criteria Lifecycle State is active. When the user moves to the inactive Lifecycle State, the role and its access will be removed.

Access that was provisioned by request is not automatically removed by default. However, you can add a Before Provisioning rule that can remove all entitlements when the user is being disabled.

Alicia

Hi @jacob_islas,

It depends on how you are using the condition to assign and remove the Role access.

Kindly go through the documentation below to get a better understanding of the configuration.

If there is anything specific, then let us know.

Thanks

Hi Alicia

Thanks for your answer.
I have built a workflow to remove these entitlements through an Action-HTTP Request to the API https://mydomain.api.identitynow.com/v3/access-requests, placing this entry as the request body in an Operator-Loop:

{"requestType":"REVOKE_ACCESS","requestedFor":["{{$.loop.context.id}}"],"requestedItems":[{"comment":"Remove Roles in Oracle ERP Cloud due to user termination","id":"{{$.loop.loopInput.id}}","name":"{{$.loop.loopInput.name}}","type":"{{$.loop.loopInput.type}}"}]}

but it returns a 400 code with this detail:

“child workflow execution error (type: sp-child-workflow, workflowID: c11d1ae7-0fb6-49b3-8d6a-6e18cf035b97-1, runID: 0b70e8b6-4626-4653-b6a7-ce117ed2c9e7, initiatedEventID: 29, startedEventID: 30): task failed: activity error (type: sp:external:http:v2, scheduledEventID: 11, startedEventID: 12, identity: d86127ff-1e99-44fc-8275-b50d57aefd4a): request failed (type: HTTP Response Returned a Client Error, retryable: false): request failed: 400 - 400 Bad Request - {"detailCode":"400.1.3 Illegal value","trackingId":"a9faac3ed096425286231f17ac7bf323","messages":[{"locale":"en-US","localeOrigin":"DEFAULT","text":"Value of \"item.type\" is empty or contains invalid data."},{"locale":"und","localeOrigin":"REQUEST","text":"Value of \"item.type\" is empty or contains invalid data."}],"causes":} (type: withStack, retryable: true): task failed: activity error (type: sp:external:http:v2, scheduledEventID: 11, startedEventID: 12, identity: d86127ff-1e99-44fc-8275-b50d57aefd4a): request failed (type: HTTP Response Returned a Client Error, retryable: false): request failed: 400 - 400 Bad Request - {"detailCode":"400.1.3 Illegal value","trackingId":"a9faac3ed096425286231f17ac7bf323","messages":[{"locale":"en-US","localeOrigin":"DEFAULT","text":"Value of \"item.type\" is empty or contains invalid data."},{"locale":"und","localeOrigin":"REQUEST","text":"Value of \"item.type\" is empty or contains invalid data."}],"causes":} (type: HTTPError, retryable: true)”

I have tried sending the same request in Postman and it returns the same 400 code, although here it specifies the following message:

“Some items are not revocable due to role assignment”

Some of the entitlements to be removed, not all, are contained in roles. According to the message that Postman returns to me, is it not possible to remove them if they are contained in roles?

So, if we generate a Before Provisioning rule, would it be better and would this not happen, or does it also have this limitation?

Greetings

@jacob_islas

If the entitlements are part of a role and the user is a member of that role, you will not be able to remove the entitlement. You must remove the role first.

Alicia


Hello everyone!

I was finally able to solve this use case through a workflow with an http call to the IdentityNow API to remove roles that have the revocable parameter set to true. Thanks for your comments, they were very helpful.
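As an added example (not the original poster's workflow and not SailPoint's own code), the following Python script builds the REVOKE_ACCESS body for the /v3/access-requests endpoint the way the final post describes: it keeps only items whose revocable flag is true and rejects any item with an empty or unknown type, which is the condition behind the "400.1.3 Illegal value ... item.type" error earlier in the thread. The request field names (requestType, requestedFor, requestedItems with comment/id/name/type) are the ones used on this page; the access-item list, its ids and the "revocable" attribute name are constructed sample data, and the script never contacts a tenant.

```python
"""Build and validate a REVOKE_ACCESS request body for IdentityNow /v3/access-requests.

Added example for this thread: sample data is constructed, no tenant is contacted.
"""
import json
from typing import Any, Callable, Dict, List, Tuple

# Item types accepted in requestedItems[].type by the access-requests API.
VALID_ITEM_TYPES = {"ACCESS_PROFILE", "ROLE", "ENTITLEMENT"}

# Constructed sample of the per-identity access list a workflow loop might iterate
# over. The "revocable" attribute name is an assumption taken from the final post;
# the ids and names are invented for this example.
SAMPLE_ACCESS_ITEMS: List[Dict[str, Any]] = [
    {"id": "role-001", "name": "AR Analyst", "type": "ROLE", "revocable": True},
    # Assigned by role criteria: lifecycle-state processing removes it, not a request.
    {"id": "role-002", "name": "Employee Base", "type": "ROLE", "revocable": False},
    # Contained in role-001: not revocable on its own, the role has to go first.
    {"id": "ent-003", "name": "AP_INVOICE_ENTRY", "type": "ENTITLEMENT", "revocable": False},
    {"id": "ent-004", "name": "GL_VIEWER", "type": "ENTITLEMENT", "revocable": True},
    # Empty type: the input shape that produces "400.1.3 Illegal value" for item.type.
    {"id": "ent-005", "name": "Broken item", "type": "", "revocable": True},
]


def select_revocable_items(items: List[Dict[str, Any]]) -> Tuple[List[Dict[str, str]], List[Tuple[str, str]]]:
    """Split items into those safe to revoke and those skipped, each with a reason."""
    selected: List[Dict[str, str]] = []
    skipped: List[Tuple[str, str]] = []
    for item in items:
        item_type = (item.get("type") or "").strip()
        if item_type not in VALID_ITEM_TYPES:
            skipped.append((item.get("id", "?"), "empty or invalid item.type"))
        elif not item.get("revocable", False):
            skipped.append((item["id"], "not revocable (role membership or automatic assignment)"))
        else:
            selected.append({"id": item["id"], "name": item["name"], "type": item_type})
    return selected, skipped


def build_revoke_request(identity_id: str, items: List[Dict[str, str]], comment: str) -> Dict[str, Any]:
    """Assemble the JSON body in the shape used by the workflow's HTTP Request action."""
    return {
        "requestType": "REVOKE_ACCESS",
        "requestedFor": [identity_id],
        "requestedItems": [
            {"comment": comment, "id": i["id"], "name": i["name"], "type": i["type"]} for i in items
        ],
    }


def validate_request(body: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the body is well-formed."""
    problems: List[str] = []
    if body.get("requestType") != "REVOKE_ACCESS":
        problems.append("requestType must be REVOKE_ACCESS")
    if not body.get("requestedFor"):
        problems.append("requestedFor is empty")
    items = body.get("requestedItems") or []
    if not items:
        problems.append("requestedItems is empty")
    for idx, item in enumerate(items):
        if not item.get("id"):
            problems.append(f"item {idx}: id is empty")
        if item.get("type") not in VALID_ITEM_TYPES:
            problems.append(f"item {idx}: type {item.get('type')!r} is empty or invalid")
    return problems


def submit_revoke(body: Dict[str, Any], post: Callable[[str], Any]) -> Any:
    """Validate locally, then hand the serialized body to `post` (the caller's HTTP client)."""
    problems = validate_request(body)
    if problems:
        raise ValueError("; ".join(problems))
    return post(json.dumps(body))


if __name__ == "__main__":
    chosen, left_out = select_revocable_items(SAMPLE_ACCESS_ITEMS)
    for item_id, why in left_out:
        print(f"skipped {item_id}: {why}")
    payload = build_revoke_request(
        "identity-123", chosen, "Remove Roles in Oracle ERP Cloud due to user termination"
    )
    # Dry run: echo the body instead of calling the API.
    print(submit_revoke(payload, lambda raw: raw))
```

The skipped list is worth logging from the workflow: an item rejected for an empty type points at a loop variable that was not populated, while an item rejected as not revocable is the "not revocable due to role assignment" case from the Postman test and needs the containing role revoked first.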
