Self Account Management

Hello Community!

Via the “Request Center” I know that it is possible to add entitlements but how would it be possible to achieve the following for both EndUsers and Admin Users?

  1. Remove Entitlements from an Account: How can EndUsers and Admin Users easily remove a specific Access Item (either a Role, Entitlement or Access Profile) from an existing account?
  2. Add and Remove Access Items: Is it possible to remove an existing Access Item from an account and simultaneously add a new entitlement within a single request?
  3. Prevent Duplicate Access Item Requests: When adding an Access Item to an account, the system currently allows duplicate requests. I would expect the system to either:
     • Block the request if the account already possesses the Access Item.
     • Display the Access Item as an option to “Remove” from the account instead of adding it again.
  4. Account Activation/Deactivation:
     • How can EndUsers and Admin Users easily disable an account?
     • How can EndUsers and Admin Users easily enable an account?

Thank you in advance for your support!

ISC doesn’t have this capability in the OOTB UI for end users, but an admin can go to the entitlement/role and will see a revoke access option.

This option is not available at all.

This option is not available, but if something is pending, an email will be triggered with details about the pending request.

Admin can do this from Identity Management → select identity → Accounts, and then disable/enable accounts.

Hi @vishal_kejriwal1,

I need to make these functionalities available to end users with a following approval step. Similarly, focalpoint users should be able to start any of the aforementioned cases and then have an approval phase.

For each of these cases, do you suggest creating a form and a dedicated workflow?
Are there alternatives to accomplish any or all of these scenarios?

@uday_kilambiCTS has posted a workflow that he created that may solve some of your problems, certainly the account activation/deactivation.

Please check out Request Handler Overview: Managing Accounts with Workflows - Content / Video Library - SailPoint Developer Community


This can’t even be achieved by OOTB forms and all. The only option I can think of is your own custom UI.

Hello @vishal_kejriwal1 and @BCyr1 ,

Thank you for your feedback so far! To recap:

  1. Add and Remove Access Items simultaneously: not possible.
  2. Prevent Duplicate Access Item Requests: the system automatically discards duplicates, but only after the workflow has started. There is no standard OOTB feature to prevent this.
  3. Account Activation/Deactivation: possible by following Request Handler Overview: Managing Accounts with Workflows - Content / Video Library - SailPoint Developer Community

The only point missing is the Entitlement removal. I think it would be possible in this way but I need your expertise to advise possible problems:

  1. “Entitlement Removal Form”. Create a custom Form in which it is possible to select the target account.
  2. Within this Form, search for all entitlements associated with the target account and display them in a dropdown box. Make the entitlements selectable by the end-user.
  3. “Recap for Approval Form”. Create a custom Form dedicated to approvers where they can see details like: the requester Identity, the target account and the target entitlements to be removed.
  4. Create a custom workflow to start with a dedicated Launcher.
  5. When started, the workflow presents the “Entitlement Removal Form” to the end-user.
  6. When the form is submitted, the workflow initiates an approval phase showing the “Recap for Approval Form” to the approvers with all the mandatory details.
  7. Upon approval, the workflow calls SailPoint ISC APIs to remove the selected entitlements.

Would this be correct?

Entitlement Removal Form. I believe what you are proposing can be done with a form/workflow. The trick is the trigger. As seen in the video from Uday, you can request a role for a given user, which will trigger your workflow. The form would then know who you are targeting and could be populated with the user info and entitlements.
Recap for Approval Form. On the “entitlement removal form” submission, a second workflow could ingest the selections and generate additional forms to send to the approvers. I don’t know how many entitlements a user might have in your environment, but be aware that you will likely need a loop in your workflow and there are limitations on how many items a loop can iterate through. There is also a concern about overloading approvers with email. Someone more experienced than I may have an elegant solution, but off the top of my head, I am picturing one email per removal. So, if you are pulling the user out of 5 groups, then the workflow would send out 5 emails, and if a single approver owns several of them, then they are going to get multiple emails. Maybe that is not a concern in your environment.
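Added example (not from this thread or from SailPoint): a small Python helper showing the checks a workflow or custom UI would want around step 7 of the proposed plan and around the two concerns raised just above, namely only revoking entitlements the account actually holds (which also covers the duplicate-add case by blocking an add for an entitlement already held), grouping the selections by entitlement owner so each approver gets one recap instead of one message per entitlement, and building the revoke payload. The entitlement records, identity ids and owner ids below are constructed sample data; the shape of the entitlement object (`id`, `name`, `owner.id`) and the `POST /v3/access-requests` call with `requestType: "REVOKE_ACCESS"` are assumptions about the ISC v3 API, so verify them against the current API reference before relying on them.

```python
"""Pre-flight checks and payload construction for an entitlement-removal workflow.

Added example, not the thread's or SailPoint's own code. Assumes (not confirmed by the page):
- entitlement records shaped like ISC v3 entitlement objects: id, name, owner.id
- POST /v3/access-requests accepting requestType "REVOKE_ACCESS"
"""
import json
from collections import defaultdict
from urllib import request

# Constructed sample data standing in for what the form would load for the target account
# (for example from GET /v3/accounts/{id}/entitlements, trimmed to the fields used here).
ACCOUNT_ENTITLEMENTS = [
    {"id": "ent-001", "name": "AD-Finance-RW", "owner": {"id": "owner-A"}},
    {"id": "ent-002", "name": "AD-Finance-RO", "owner": {"id": "owner-A"}},
    {"id": "ent-003", "name": "SAP-Payroll", "owner": {"id": "owner-B"}},
]


def partition_selection(selected_ids, held):
    """Split the form's selections into ids the account holds (revokable) and ids it does not.

    Guards against a stale form or a tampered submission: anything not actually held is
    reported back rather than silently placed into a revoke request.
    """
    held_ids = {e["id"] for e in held}
    revokable = [i for i in selected_ids if i in held_ids]
    missing = [i for i in selected_ids if i not in held_ids]
    return revokable, missing


def reject_duplicate_add(requested_id, held):
    """Pre-flight for the add path: True means the account already has the item, so block it."""
    return any(e["id"] == requested_id for e in held)


def group_by_owner(ent_ids, held):
    """Map owner id -> list of entitlement names, so the approval phase sends one recap per owner."""
    by_id = {e["id"]: e for e in held}
    grouped = defaultdict(list)
    for i in ent_ids:
        grouped[by_id[i]["owner"]["id"]].append(by_id[i]["name"])
    return dict(grouped)


def build_revoke_request(identity_id, ent_ids, comment):
    """Assumed ISC v3 access-request body for revoking entitlements from one identity."""
    return {
        "requestedFor": [identity_id],
        "requestType": "REVOKE_ACCESS",
        "requestedItems": [
            {"type": "ENTITLEMENT", "id": i, "comment": comment} for i in ent_ids
        ],
    }


def submit_revoke(base_url, token, payload):
    """POST the payload to the assumed access-requests endpoint (not called offline)."""
    req = request.Request(
        f"{base_url}/v3/access-requests",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # "ent-999" simulates a selection the account no longer holds.
    selected = ["ent-001", "ent-003", "ent-999"]
    ok, missing = partition_selection(selected, ACCOUNT_ENTITLEMENTS)
    print("revoke:", ok, "| not held, skipped:", missing)
    print("per-approver recap:", group_by_owner(ok, ACCOUNT_ENTITLEMENTS))
    print(json.dumps(build_revoke_request("identity-123", ok, "Removal via form"), indent=2))
```

Grouping by owner is what addresses the "5 groups, 5 emails" concern: the approval loop then iterates over owners, not over entitlements, which also keeps the iteration count closer to the loop limits mentioned above.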