Send Email after the provisionning done for an Access Request done through the Request Center

Hello,

I would like to generate an email to the requestor and the receiver of an access request when all the provisionning operation are done, as we have in our context some manual provisionning (and at this stage the notification of the validation is not sufficient to notify our users). We would like to take into account only the request done through the Request Center.

I was wondering how we can do this with a workflow, and to be honest i do not see the way to do it…

Do you have an idea on how to achieve this ?

You may be able to use the Access Request Decision Trigger:

Then use the requestedBy and requestedFor to get each Identity, look up their Email and use the Send Email Action:

How are requests outside of the Request Center being made? I do not think there is any metadata about where the request originated, but you could potentially utilize the comment field to filter out any automated requests so those emails are skipped. For example:

"comment": "Automated: VPN Access for Alex"

Then skip any that start with “Automated”

Access Request Decision JSON Sample:


{
    "accessRequestId":"4b4d982dddff4267ab12f0f1e72b5a6d",
    "requestedBy":{
        "id":"2c91808b6ef1d43e016efba0ce470906",
        "name":"Adam Admin",
        "type":"IDENTITY"
    },
    "requestedFor":{
        "id":"2c91808b6ef1d43e016efba0ce470909",
        "name":"Ed Engineer",
        "type":"IDENTITY"
    },
    "requestedItemsStatus":[
        {
            "approvalInfo":[
                {
                    "approvalComment":" this is an approval comment",
                    "approvalDecision":"APPROVED",
                    "approver":{
                        "id":"2c91808b6ef1d43d016efba0cf470910",
                        "name":"Stephen Austin",
                        "type":"IDENTITY"
                    },
                    "approverName":"Stephen.Austin"
                }
            ],
            "clientMetadata":{
                "applicationName":"My application"
            },
            "comment":"requester comments",
            "description":"Engineering Access",
            "id":"2a91808b6cf1d43e016efba0cf470904",
            "name":"Engineering Access",
            "operation":"Add",
            "type":"ACCESS_PROFILE"
        }
    ]
}
    

Hello,

If i’m correct, access decision is raised after the validation steps and not after the provisionning of the access.

In our use cases, we could have several days between validation and provisionning.

I’m not aware of an “easy” way to do this, but I’m assuming IDN is provisioning some access and then there are additional manual steps needed in the downstream source(s).

If so, we’ve solved this by using another source that only supports manual provisioning to the Security Team (i.e. manual provisioning only goes to the Source Owner - a different challenge). Then we build an access profile and associated role that has a dependency on the first provisioning. In essence - the role criteria matches when an identity gets Source 1 Entitlement A and then assigns Source 3 (the manual source) with an entitlement specific to the additional work needed. Definitely a bit of a hack and not ideal, but it solves the issue.

2 Likes

This is exactly the type of case that we have : roles with different sources entitlements (including manual provisionning sources).

But how can we manage to send a notification to say to the user his request is fully managed (all rights included in the role are provisionned). We thought about sending notification for each provisionning finalized, but the user will receive a lot of emails.

I’m a bit lost on how to send this kind of notification. At this stage, we only have notification to notify the user when the request is approved (after the validation steps), and some specific notification based on specific group provisionning (for example to send the link of an app to the user).

Part of the challenge is the way IDN does provisioning.

Example: A role can result in numerous downstream sources receiving 1 or more entitlement assignments and each of these are individual items in provisioning.

There’s not a good way to know when a single source is fully completed (i.e. all requested/needed entitlements assigned).

In theory - if using automated provisioning, once approved it should be only a few minutes before the actual entitlements are assigned and likely before the end user would read the email noting it was approved. But the user wouldn’t be notified for anything that is a direct result of group membership role assignment.

I’ve seen other IAM tools handle the provisioning differently with an available trigger once everything is completed, but IDN doesn’t have this functionality currently.

I fully agree with you @edmarks ! For most of the request, as it is done by IDN, provisionning will be automated.

I was searching on a way to create a custom workflow to detect that everything is completed and then could launch another workflow as a “trigger” to cover this missing fonctionnality in IDN. If someone here has any input or idea for this that would be a good starting point ! :slight_smile:

If it is not possible, then we’ll have to do some change management with users to ensure they will follow their requests in the dashboard of IDN :slight_smile:

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.