Is there a way to remove all accesses of a specific application for terminated identity?
I am building a workflow using Get Access and Manage Access actions. But, the problem is that a few roles are not enabled for accessRequest. So, how can we achieve this?
Thanks,
Ashish Kumar
If those roles are based on membership criteria, the user will be removed from them only when the user stops meeting the specified criteria.
Those are getting removed automatically after identity termination. We have a requirement to remove the rest of the accesses irrespective of assignments.
You can use Before Provisioning Rule to remove the rest of access during the account disable operation.
Hi Ashish
To get a better understanding, can I know how was the role assigned to the user initially ? If you’re looking to disable the accounts, you might have tried “Source Accounts to disable” option using lifecycle state provisioning within Identity Profiles.
Can you please elaborate your use case a little more?
What are the “rest of the accesses” that users? Your approach may have to vary depending on how are these accesses assigned to users
To assist you more effectively, kindly provide additional details about your specific use case. As mentioned earlier, employing a “before provisioning” rule is one approach to accomplish the desired outcome.
We have an SE, @mostafa_helmy, who just created a workflow for this exact purpose. He may be able to share it with the community.
For some clients, we have used a small piece of Professional Services config that was able to do this (and more) with simple configuration work. I believe if you reach out to your SailPoint contact, they will be able to help you set this up.
Use Case:
Identity has already been terminated (all associated accounts have been disabled).
Identity still has access left on the disabled accounts. Access details are as follows:
Assigned via a role with assignment criteria (they are getting removed automatically after termination)
Assigned via request center requesting application. (could be access profiles or entitlements)
Wanted to remove these access profiles and entitlement.
This would be great if the ask can be achievable using workflow. I am able to remove a few access using workflow but unable to remove those whose access request option is disabled but somehow they are assigned to users via application assignments.
I just posted my workflow configuration doing exactly that here! It relies on a targetted micro-certification campaign which we autocomplete and revoke all access, which means it avoids all the trouble you face by doing it with Access Requests.
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.