Role de-assignment grace period

Which IIQ version are you inquiring about?

8.4p1

Share all details about your problem, including any error messages you may have received.

We have a request from a customer: when someone in the company moves to a different department and has roles assigned through assignment rules in the old department, they want SailPoint to keep the roles for 14 days (despite the fact that the old assignment rule no longer applies to the user).

Is there any way to somehow postpone the assignment rules or create some sort of grace period for the user?

Regards, Lorant

Hi @lweisz,

I’m thinking of 2 ways.

  1. You can use the Rapid Setup mover process with a trigger on department, and in the post-mover rule you can set the end date for the identity entitlement.
  2. You can create 2 identity triggers: the first one detects the department change and stores the date of the change; the second detects when 14 days have passed since the change date and removes the roles.
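The two-trigger approach from the answer above, modeled as an added example (not code from the thread and not IIQ rule code; it uses no SailPoint API). Role names, the rule mapping and the function names are constructed for illustration. It also covers a second move inside the 14 days, which must not push the removal date of already-held roles further out.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

GRACE = timedelta(days=14)

# Constructed sample: role name -> department its assignment rule matches.
ROLE_RULES = {"AP-Clerk": "Finance", "GL-Viewer": "Finance", "CRM-User": "Sales"}


@dataclass
class Identity:
    name: str
    department: str
    roles: set = field(default_factory=set)     # rule-based roles only
    grace: dict = field(default_factory=dict)   # role -> removal date


def matching_roles(department):
    """Roles whose (hypothetical) assignment rule matches the department."""
    return {r for r, d in ROLE_RULES.items() if d == department}


def on_department_change(ident, new_dept, today):
    """Trigger 1: record the change and hold roles the rules no longer grant."""
    ident.department = new_dept
    matched = matching_roles(new_dept)
    for role in ident.roles - matched:
        # setdefault keeps the first removal date: repeated moves inside
        # the window cannot extend access that is already on a timer.
        ident.grace.setdefault(role, today + GRACE)
    for role in matched:
        ident.grace.pop(role, None)   # rule applies again, no expiry needed
    ident.roles |= matched


def sweep(ident, today):
    """Trigger 2 (run daily): remove held roles whose grace period is over."""
    expired = sorted(r for r, end in ident.grace.items() if end <= today)
    for role in expired:
        ident.roles.discard(role)
        del ident.grace[role]
    return expired
```
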

Hi Emanuele,

Thanks for the quick answer. The problem is that when someone no longer matches the assignment rule of the role, SailPoint will remove the role and the entitlement automatically. How can we make the entitlements stay with the user even after SailPoint removes the role?

Regards, Lorant

I think it's better to distinguish between birthright roles, RBAC roles and requestable roles.

Now it totally depends on the use case: how will users get access to these roles?

@lweisz one option you can try is to put an endDate in the RoleAssignment under Preferences in the Identity object.

During the move you will know which roles you are going to assign or remove, so based on that you can work with the list of roles to remove.

It will work just like endDate when you request any role and assign an end date.

Let me know.
