REVOKE_ACCESS API Call

Greetings,
We tried using the Revoke access API to revoke an entitlement from a specific user. The API call is successful; however, the revocation is not taking place.


The email notification from SailPoint on the same

Hi @pgthuku,

The 202 Accepted API response indicates that the request for access revocation has been successfully submitted. However, it does not imply that deprovisioning/entitlement revocation is successful. The actual deprovisioning process will occur according to the configurations set in the source/connector.

Could you share more details about the source and the access revocation configurations? That might help in understanding why entitlement revocation is failing.

Thank you.


The “accessRequestIds” are a list of account activities that resulted from the request. Use the account activities API or search using that id to find out what actually occurred.
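As an added example (not code from this thread or from SailPoint), the Python below treats the 202 as "queued" rather than "done" and follows each accessRequestId through the account activity record until it reaches a terminal state, which is the check the two replies above describe. The endpoint paths, field names and status values are assumptions to verify against your tenant; the responses are constructed inline so it runs offline.

```python
import json
from typing import Callable, Dict, List

# Constructed sample 202 body from POST /v3/access-requests. The layout
# (newRequests[].accessRequestIds) is an assumption; verify against your tenant.
SAMPLE_202_BODY = json.dumps({"newRequests": [{
    "requestedFor": ["IDENTITY-ID-PLACEHOLDER"],
    "requestedItems": [{"type": "ENTITLEMENT", "id": "ENTITLEMENT-ID-PLACEHOLDER"}],
    "accessRequestIds": ["ACTIVITY-ID-PLACEHOLDER"]}], "existingRequests": []})

# Constructed stand-in for GET /v3/account-activities/{id}: the first two polls
# show the activity still running, the third shows it finished without errors.
_SAMPLE_POLLS = [
    {"id": "ACTIVITY-ID-PLACEHOLDER", "status": "IN_PROCESS", "items": []},
    {"id": "ACTIVITY-ID-PLACEHOLDER", "status": "IN_PROCESS", "items": []},
    {"id": "ACTIVITY-ID-PLACEHOLDER", "status": "COMPLETED",
     "items": [{"name": "groups", "operation": "REMOVE", "errors": []}]},
]

def sample_fetch(activity_id: str) -> dict:
    """Returns the next constructed poll result; real code would call the API here."""
    return _SAMPLE_POLLS.pop(0) if len(_SAMPLE_POLLS) > 1 else _SAMPLE_POLLS[0]

TERMINAL_STATUSES = {"COMPLETED", "FAILED", "TERMINATED"}  # assumed status values

def activity_ids_from_202(body: str) -> List[str]:
    """A 202 only means the request was accepted; extract the ids to follow up on."""
    return [aid for req in json.loads(body).get("newRequests", [])
            for aid in req.get("accessRequestIds", [])]

def classify(activity: dict) -> str:
    """PENDING until a terminal status; SUCCESS only if completed with no item errors."""
    status = activity.get("status")
    if status not in TERMINAL_STATUSES:
        return "PENDING"
    if status != "COMPLETED" or any(i.get("errors") for i in activity.get("items", [])):
        return "FAILED"
    return "SUCCESS"

def verify_revocation(body: str, fetch: Callable[[str], dict], max_polls: int = 5) -> Dict[str, str]:
    """Poll every activity id from the 202 body until it is terminal or max_polls is hit."""
    results: Dict[str, str] = {}
    for aid in activity_ids_from_202(body):
        outcome = "PENDING"
        for _ in range(max_polls):
            outcome = classify(fetch(aid))
            if outcome != "PENDING":
                break
        results[aid] = outcome
    return results

if __name__ == "__main__":
    print(verify_revocation(SAMPLE_202_BODY, sample_fetch))
```

A PENDING result after max_polls, or a FAILED one, is the signal to look at the source's provisioning configuration rather than at the 202.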

Hi Mark, from the activities it shows the request was completed.

@pgthuku Can you also share some insights around what type of connector/target system is this where you’re trying to remove the entitlement? For example, if this is a JDBC/Web Service connector, you will have to explicitly make the configuration aligned for access removal. So wanting to understand this

@pgthuku
It seems like you’re trying to revoke an entitlement. Have you enabled the “Enable Entitlement Requests” feature?

@Arshad We are testing with a delimited source; let me try with a JDBC file and I will update.

Hi @Sushantmr Yes, this feature is enabled and all the entitlements are requestable.

UPDATE:
We have done a revocation for an entitlement using a JDBC source.
The request was accepted with code 202.


From the email does it mean the revocation request needs to be approved for the entitlement to be revoked?

For a JDBC source, the revocation isn’t straightforward. There needs to be a JDBCProvisionRule which must have the BeanShell logic for the provisioning/deprovisioning. I just asked that question to understand what kind of source this deprovisioning is happening on. Since you’ve tried it on delimited, you do not need any additional configuration there.

Not necessarily, this email is just to notify about the submission of access revocation request and is part of the email template “Access Revoke Request Submitted For Requester Identity”. If you have enabled “Enable Entitlement Requests” and checked “No Approval Required” in the global settings, you wouldn’t be receiving any approvals. It should directly send a deprovisioning request to the target.

Ideally, this should create a work item under the “Task Manager” tab to the respective source owner, which clearly did not happen. @pgthuku Can you try to revoke the same entitlement from the UI instead of API and see if the task is generated correctly for revocation on the delimited source?

A couple other things to check:

  • Make sure the identity doesn’t have 2 accounts in the same source with this entitlement
  • Make sure the identity is not getting the entitlement from a role or access profile
  • Make sure there are no stuck or pending requests in account activities
  • You can try to see if a certification is able to remove the entitlement

Hi @BenNelson Revocation via certification is working fine.

Hi Patrick,
Does it show any error msgs in the Events of that Identity?

Hi Jishnu,
There are no errors it shows that the revocation has been processed.
