I have a requirement to auto-reject an access request for a specific profile if the user hasn't completed their training. We are setting the training flag true/false as an identity attribute.
I tried segments to hide the access profile based on the identity attribute. It only works if you request for yourself. If you request for others, you can still submit the request for that person. This looks like a bug to me, as it should work for both.
Until the above gets resolved, is there an access request config that I can use, or is SaaS Workflows the only option I have?
Did you submit a support ticket for the segments issue? I want to make sure this is being tracked.
As for alternative solutions until this is supported in segments, the access request pre-approval event trigger is the best option. However, Workflows doesn’t yet have support for REQUEST_RESPONSE type triggers, so you won’t be able to use this one in Workflows. You would have to use a different approach to leverage this trigger.
As you noted, though, segments should not allow users to request on behalf of others who aren’t in the segment, so that seems like the best path forward.
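An added example, not code from this thread or from SailPoint: a sketch of the decision logic a custom service subscribed to the pre-approval trigger could apply. The event and response field names (`requestedFor`, `requestedBy`, `requestedItems`, `approved`, `comment`, `approver`) are assumptions about the trigger payload, `training_done` is a hypothetical lookup of the training identity attribute, and the access profile ID is a placeholder.

```python
from typing import Callable, Optional

# Placeholder ID for the access profile that requires completed training.
GATED_PROFILE_IDS = {"<gated-access-profile-id>"}


def _response(approved: bool, comment: str) -> dict:
    # Assumed response shape for the REQUEST_RESPONSE trigger.
    return {"approved": approved, "comment": comment, "approver": "training-gate"}


def decide(event: dict, training_done: Callable[[str], Optional[bool]]) -> dict:
    """Approve or reject one pre-approval event.

    training_done(identity_id) returns the identity's training attribute
    (True/False), or None when the attribute is not set.
    """
    gated = [
        item for item in event.get("requestedItems", [])
        if item.get("type") == "ACCESS_PROFILE" and item.get("id") in GATED_PROFILE_IDS
    ]
    if not gated:
        return _response(True, "No training-gated access profile requested.")

    # Evaluate the identity that will receive the access, not the requester,
    # so that requests made on behalf of others are gated as well.
    target_id = (event.get("requestedFor") or {}).get("id")
    try:
        done = training_done(target_id) if target_id else None
    except Exception:
        done = None  # lookup failure: fail closed

    if done is True:
        return _response(True, "Training complete for the requested-for identity.")
    return _response(False, "Rejected: training not confirmed for the requested-for identity.")


# Constructed sample event: a trained requester asks on behalf of an untrained user.
SAMPLE_EVENT = {
    "requestedBy": {"type": "IDENTITY", "id": "id-requester"},
    "requestedFor": {"type": "IDENTITY", "id": "id-target"},
    "requestedItems": [{"id": "<gated-access-profile-id>", "type": "ACCESS_PROFILE"}],
}
SAMPLE_TRAINING = {"id-requester": True, "id-target": False}  # constructed attribute values

if __name__ == "__main__":
    print(decide(SAMPLE_EVENT, SAMPLE_TRAINING.get))
```

An unset attribute or a failed lookup is treated the same as incomplete training, so the gated profile is never granted by default.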
Did you receive any response on this case? We have a similar case where we configure the Segment but all the users appear in the Request for Others dropdown.
The response from support was that it’s by design. We used a SOD policy as a workaround. However, I did submit an idea https://ideas.sailpoint.com/ideas/GOV-I-2021 and the product team is probably looking at how and when they can make an enhancement to meet the requirements.
It would be great if you can vote and comment on the idea.