I’m looking for guidance and best practices for a requirement in SailPoint Identity Security Cloud (ISC).
Current Environment
We have hundreds of Active Directory groups onboarded as entitlements in ISC.
These groups are provisioned directly and are not assigned through RBAC roles.
Access to these groups is reviewed through certification campaigns.
Requirement
When a reviewer revokes a user’s membership in one of these AD groups during an access review certification, we need an email notification to be sent to the appropriate team responsible for that group.
The notification should ideally include details such as:
User whose access was removed
AD group name
Certification campaign name
Reviewer/certifier
Date and time of removal
Approach Under Consideration
My current thought is to leverage ISC Workflows:
A certification decision results in the removal of an AD group entitlement.
A Workflow is triggered based on the access removal/provisioning event.
The Workflow determines whether the removal originated from a certification campaign.
The Workflow identifies the responsible recipient (either the entitlement owner or a mapped distribution list).
An email notification is sent to the appropriate team.
Questions
Is there a standard ISC event trigger that can reliably identify entitlement removals resulting specifically from certifications?
Has anyone implemented a similar solution using Workflows?
Would it be better to trigger from:
Access removal/provisioning events, or
Certification completion events and then process the revoked items?
If entitlement owners are defined, is there a straightforward way within Workflows to dynamically notify the entitlement owner?
Are there any scalability concerns when monitoring hundreds of AD group entitlements through a single Workflow?
I’d appreciate hearing how others have solved similar requirements and whether there are any recommended SailPoint-native approaches that I’m overlooking.
Don’t think there is a trigger specific for this use case.
Not exactly. We had to notify certain BU owners when a privileged access is revoked (no matter how it was revoked)
It would be better to use the certification completion event just because the provisioning events can be triggered in multiple ways. You will have to still end up relying on campaign report to validate if the deprovisioning is triggered due to certification revocation.
Should be pretty straight forward if you have the owner details
It will come down to how you are monitoring the deprovisioning
The approach you can take would be something as following if you want to do from workflows:
Have a certification completed trigger (signed off trigger will complicate the next step)
Get the certification access items using API. This will give the each user and their corresponding access with the decision. You can filter based on access model you have included in the campaign
Iterate through the result using a loop and then trigger the notifications for each.
Limitations:
Emails will only be triggered after the certification completion rather than sign-off
For each revocation, there would be a separate email that will be sent. You will not be able to collate the emails.
Hi @rajrout2024,
I came across a similar use case where I needed to disable an account when access was revoked through a certification. To achieve this, I used a Provisioning Completed trigger to capture the event and then filtered it based on the action received in the trigger.
I know your use case is a bit different, but I thought I’d share this approach in case it helps. I’ve attached a screenshot of the workflow for reference.
In the trigger payload, you will receive the action type (for example, Certification, Access Request, or other actions). You can validate the action from the trigger output and proceed with the required logic based on the action type. I have attached the screenshot below for your reference.
