Hey Team, just a thought that occured to me just now:
Why is there only an option to set expiration date on an access request and not start date? Customer is now wondering becaysecus, for example for movers, they want to prepare some user access when the day of department change occurs, hence the need for a future start date on the request.
If we need to add this functionality, is it even possible?
Thanks,
Seb
Based on my understanding, you are looking something like this. User request a access and once it is requested and it should be granted based on the department mover start date. Based on that my comment is below
At this point, it is not available out of box functionality but this can be achieved through an workflow.
Something like below flow
Create a new workflow in that have a logic if requested entitlement is part of the access where it needs to be granted based on the future date, then grant it.
Kind of flow have included and i think, it can be achievable
Would you not want to manage this using Birthright roles?
Not in this particular case, no.
The application is a bit complex in the sense that it is a two-dimensional entitlement structure and there are also external workflows that need to be processed manually after provisioning and before provisioning. We have a workflow set up for this, triggering on Event Trigger: “Access Request Submitted”.
In short: no we can’t use birthright roles in this case.
My question is mostly out of curiousity however, seems to me like a basic functionality and therefore if it’s an architectural choice or not to implement it.
Hi @Swegmann,
There is a popular idea submitted for this, you may want to take a look.
This really is a feature most other IGA tools have and it is obvious that IDN’s Access request module needs a lot of improvements.
I would indeed catch the start date from this new assignment in ISC and then trigger a workflow based on that.
Here is my Idea, see if it is feasible for you.
Here one problem I think is, Approvals should not be delayed.
Alternatives:
Alternative is, if this is not a request based and doesn’t need approvals then you can handle this using Conditions in Roles/AccessProfiles.
Let’s say user request for a blank Role/AP, approved and assigned. Then based on this empty Role/AP auto assign the actual Role/AP once the date arrives.
May be it is better to create a custom web application for Access Requests and call the APIs, I have seen this kind of implementations in IIQ. If you go this way, sky is the limit.
I don’t say that it will give you 100% solution, but I guess it is a starter. I agree that, if it could have been OOTB feature, it would have been simple. There are different workarounds which might be feasible or not subjective to your requirements.
Thanks
Krish
Hey Krishna this is a great idea, customer doesn’t have the Forms module unfortunately! We are also already using Access Request Submitted Event trigger for a different workflow (You can only subscribe to 1 trigger at a time).
I think for us going forward we just have to wait and see if the functionality will arrive in the future.
I will continue looking into some simple custom ways meanwhile, as it is a global requirement and submitting an idea, there is no guarantee that it will be considered, if it is considered who knows when it will be available for use.
I will keep you posted.
Thanks
Krish
My recommendation would be to have a parent workflow that subscribes to the Access Request Submitted event trigger and then calls child workflows based on the particular access event. That way you can service multiple use cases from one workflow, as it will contain the conditional logic to determine which child workflow should pick up the work.
Definitely vote on this idea. PM is aware of this and are planning on adding it to the roadmap, but no confirmed ETA at this time.
