Role and access removal on LCS change

Hello All,

Can anyone help me in this scenario? I need to remove some roles that have entitlements of Active Directory, but not all access, as soon as the user's LCS state is set to 'inactive'. Is it possible to add the access removal code to a 'Before provisioning' rule, or is there any other solution? As we don't have the workflow feature in our tenant, that is not an option right now.

Thank you,

Oussama

Hi @Oussamatahiaida ,

Removing a list of entitlements, access profiles or roles from Active Directory can be configured on the authoritative source's identity profile lifecycle state, by which we can remove some or a specific selection of access for each user status under it.

Go through the attached document for your reference: Setting Up Lifecycle States - SailPoint Identity Services

On the other hand, we can also remove the specific set of access through a before provisioning rule, but during implementation the rule might be more complex to implement than identity profile lifecycle states. Though it's not a blocker, so either approach can be implemented.

IHTH

You can find more details about the new feature here: New Capability: Remove All Access on Termination - Announcements / Product News - SailPoint Developer Community

Thank you for the suggestion, but I cannot find how we can remove specific access from within the LCS configuration, as the access I want to remove is requestable access and not assigned via criteria.
For the before provisioning rule, does that mean we can manipulate existing access of an identity or remove access there, with some complication, but that it can be achieved?

Thank you for your input Suresh, I have already tested this feature but it does not fulfil this use case, as "Remove All Access" also removes aggregated or discovered entitlements from any source, whereas the access I want to remove is requestable access only, which is removed by the feature but together with all other existing access except the birthright access.

Hi @Oussamatahiaida

You can remove a specific set of entitlements too from the LCS configuration for an identity by defining its unique status (active, inactive, LOA, etc.). Also, if any requestable access for which approval is required is defined for removal in an LCS status, the approval will be bypassed.

Yes, it can also be implemented by using a B/Operation rule. So, the LCS can be calculated based on the identity cube and then specific access can be removed before terminating the account through the plan.

Got it @Oussamatahiaida. Though the BP rule does the job, if you want more control and cost-effectiveness, I recommend considering the Workflow with Campaign Filter option, where you can be more specific at the source and entitlement level for revoking requestable access items. You can refer to it here: Workflow to remove ALL leavers' standing access - Identity Security Cloud (ISC) / ISC Community Knowledge Base - SailPoint Developer Community

If I understand right, you have a few roles and want to revoke only some of them. This can be configured under "Define assignment" in the role configuration by adding LCS does not equal "inactive".

But, if you want to remove some of the entitlements inside a role while offboarding, it might be a challenge. Maybe it's worth considering splitting the role.

Hi @Oussamatahiaida,

If the requirement is to revoke certain requested roles or access profiles during the LCS change, you can leverage workflows.
Using the Manage Access action, you can control which accesses to revoke and which to retain.

For more details, please refer to the workflow documentation - Workflow Actions - SailPoint Identity Services

Hi @Oussamatahiaida,

I believe your requirement can be easily achieved using features available in the UI itself. Here is the link to the recently announced feature, Remove All Access, with a workaround to keep a few entitlements: New Capability: Remove All Access on Termination - #3 by NataliaYunusov

Basically, you do not include lifecycle state "inactive" in your role criteria, and you add the entitlements you want the inactive user to keep in an "Access Profile". Add the Access Profile to the inactive lifecycle state so the user retains them.

Good luck

Hi @UjjwalJain, thank you for the suggestion, yes workflows would work, except the feature does not exist in the tenant I'm working with.

Hi @TheOneAMSheriff, thank you for the information, I have tested the feature; the issue I found is that it removes access from all sources and also all discovered or aggregated entitlements.

Hi @iamology, I want to revoke requestable roles when the LCS changes, adding assignment criteria will not work in this case because the role should be requested on demand.

Thank you @suresh4iam, I will look into it, but since the tenant does not have the workflow feature I will stick with BP rules for now.

If you don't have the workflow feature, the best bet would be to make API calls from a PS script connected to an AfterModify Native Rule.
Using a PAT you can make API calls to get all roles of the user and submit a revoke request as well.
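One way the PS-script approach above can look, as an added example that is not code from the thread or from SailPoint: the script exchanges a PAT for a token, searches the identity's held access, keeps only the ROLE items on a fixed allow-list (so birthright roles and aggregated AD groups are left alone) and submits one REVOKE_ACCESS request. The tenant URL, identity name and role names are placeholders, the environment variables holding the PAT are an assumption, and the `/oauth/token`, `/v3/search` and `/v3/access-requests` endpoints are used as the ISC REST API documents them.

```powershell
# Added example, not from the original thread. Intended to be launched from an
# AfterModify native rule with the identity name as a parameter. All values
# marked "placeholder" must be replaced for your tenant.
param(
    [string]$Tenant   = 'https://TENANT.api.identitynow.com',   # placeholder
    [string]$ClientId = $env:ISC_CLIENT_ID,                    # PAT client id (assumed env var)
    [string]$Secret   = $env:ISC_CLIENT_SECRET,                # PAT client secret (assumed env var)
    [Parameter(Mandatory)] [string]$IdentityName,              # user whose LCS just became inactive
    [string[]]$RolesToRevoke = @('AD - Finance Share', 'AD - VPN Users')   # placeholder role names
)

# 1. Exchange the PAT for a bearer token (client_credentials grant).
$tok = Invoke-RestMethod -Method Post -Uri "$Tenant/oauth/token" -Body @{
    grant_type = 'client_credentials'; client_id = $ClientId; client_secret = $Secret }
$headers = @{ Authorization = "Bearer $($tok.access_token)" }

# 2. Look up the identity in the "identities" search index; the result carries
#    an "access" array listing the roles, access profiles and entitlements held.
$query = @{ indices = @('identities'); query = @{ query = "name:`"$IdentityName`"" } } |
    ConvertTo-Json -Depth 5
$identity = Invoke-RestMethod -Method Post -Uri "$Tenant/v3/search" -Headers $headers `
    -ContentType 'application/json' -Body $query | Select-Object -First 1
if (-not $identity) { throw "Identity '$IdentityName' not found in search index" }

# 3. Select only ROLE items whose name is on the allow-list. Access profiles,
#    birthright roles and directly aggregated AD groups are never touched.
$targets = @($identity.access | Where-Object {
    $_.type -eq 'ROLE' -and $RolesToRevoke -contains $_.name })
if ($targets.Count -eq 0) { Write-Output "Nothing to revoke for $IdentityName"; return }

# 4. Submit a single REVOKE_ACCESS request covering every matching role, with a
#    comment so the revocation is traceable in the access request history.
$request = @{
    requestedFor   = @($identity.id)
    requestType    = 'REVOKE_ACCESS'
    requestedItems = @($targets | ForEach-Object {
        @{ type = 'ROLE'; id = $_.id; comment = 'LCS changed to inactive' } })
} | ConvertTo-Json -Depth 5
$result = Invoke-RestMethod -Method Post -Uri "$Tenant/v3/access-requests" -Headers $headers `
    -ContentType 'application/json' -Body $request
Write-Output "Submitted revoke request for $($targets.Count) role(s): $($targets.name -join ', ')"
$result
```

The search index is populated asynchronously, so run this after the identity refresh that set the LCS has completed, and expect one token exchange and two API calls per identity, which is the performance cost mentioned later in the thread.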

@iamology Thank you, I went with the same idea you suggested, tested it in sandbox and it worked; there will be a performance issue but it will get the job done.

Managing role and access removal during "least privilege" changes is never easy. It always seems like even when you have the policies figured out, edge cases and inherited permissions sneak in. One thing I've found helps is to run frequent audits right after a change, and to have a rollback plan in case something critical gets stripped by mistake.