Sticky Entitlements

Hi! We have a client which has the typical workflow that removes all access from some identity when it reaches some inactive LCS. It works almost always, but sometimes we are reported entitlements that, although we see that the workflow triggered a revoke access request, get stuck. We were told this could be some known issue called Sticky Entitlement, and that the Before Provisioning rule now has some form of dealing with it. Has someone faced this?

Hi @jsosa,

Is this issue with a particular source (Web service)?

-Vasanth

Apparently it is at the ISC level: the revoke access request is performed through the API, the API returns 202, but some entitlements may not be removed.

You can use a Before Provisioning Rule to loop through all the assigned entitlements and remove them, which would be custom-written code.

Since you are using a Workflow, you can handle it in the Workflow itself by using a Certification Campaign. I have implemented the same scenario using a Workflow as below.

Solution Summary:

  1. Trigger the workflow when the identity’s LCS changes to inactive.
  2. Get the identity details by using Get Identity action.
  3. Create a search-based certification campaign to remove all the standing accesses using HTTP Request action.
    • Filter: create an exclusion CAMPAIGN_FILTER to exclude default AD groups and add it to the campaign. This avoids deprovisioning errors in ISC on some unremovable default AD groups like Domain Users; add any other access items that should be excluded.
    • name: Give the appropriate name for the campaign
    • Set the autoRevokeAllowed:true
    • Set mandatoryCommentRequirement:NO_DECISIONS
    • Set the searchCampaignInfo
      "searchCampaignInfo": { "query": "{{$.getLeaverIdentity.id}}", "reviewer": { "id": "Manager_ID", "type": "IDENTITY" }, "type": "IDENTITY" }
  4. Activate the certification campaign by using Activate Certification Campaign action.
  5. Auto complete the campaign
    • Set the variable and assign current Timestamp
    • Update the Campaign deadline to today’s date by assigning variable value using HTTP Request action
    • Update the campaign by setting autoCompleteAction: REVOKE

If no access items are listed for an identity, the certification campaign will auto-complete before the Workflow activates it. So, you can handle the error using Error Handling in step 4.

I feel it is better than the Before Provisioning Rule because:

  • Simple and can remove all accesses in one area (cert campaign). Provides you concise information in the campaign.
  • Gives overall control in a Workflow for access removal to all the target sources.
  • Avoids the workflow loop, which has an array limitation (no more than 100 items or 512KB) when an identity has a large number of entitlements.
  • Gives flexibility to ignore the access items or sources from removal operations by using exclusion campaign filter.

You can also check this post for other approaches; the above is similar to option 1, Workflow to remove ALL leavers' standing access.
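The campaign-based flow from steps 1 to 5 above, carried through end to end as an added example; this is not the original poster's workflow or SailPoint code. It calls the ISC campaign endpoints as I understand them (POST /v3/campaigns, POST /v3/campaigns/{id}/activate, GET/PATCH /v3/campaigns/{id}, POST /v3/campaigns/{id}/complete), which you should verify against the API reference before relying on them. The HTTP layer is an injected `send` callable, and `FakeIsc` is a constructed stand-in so the flow runs offline; it also reproduces the edge case mentioned above, where a campaign with zero access items completes on its own before activation, so the flow treats a failed activate on an already-completed campaign as "nothing to revoke" instead of an error.

```python
import datetime as dt


def build_campaign_body(identity_id, reviewer_id, filter_id, name):
    # Steps 3a-3e: search campaign scoped to one identity, reviewed by the
    # manager, with the exclusion CAMPAIGN_FILTER attached.
    return {
        "name": name,
        "description": "Leaver access removal",
        "type": "SEARCH",
        "autoRevokeAllowed": True,
        "mandatoryCommentRequirement": "NO_DECISIONS",
        "filter": {"id": filter_id, "type": "CAMPAIGN_FILTER"},
        "searchCampaignInfo": {
            "query": identity_id,
            "reviewer": {"id": reviewer_id, "type": "IDENTITY"},
            "type": "IDENTITY",
        },
    }


def deadline_patch(now):
    # Step 5: JSON Patch that moves the deadline to "now" so the campaign
    # can be completed immediately.
    return [{"op": "replace", "path": "/deadline",
             "value": now.strftime("%Y-%m-%dT%H:%M:%S.000Z")}]


# Step 5: complete the campaign and revoke everything still undecided.
COMPLETE_REVOKE = {"completeCampaignOptions": {"autoCompleteAction": "REVOKE"}}


def remove_leaver_access(identity_id, reviewer_id, filter_id, send, now=None):
    """Run steps 3-5. Returns (campaign_id, activated).

    send(method, path, body) -> (http_status, json_body) is assumed to be
    an authenticated ISC client. If activation fails because the campaign
    already completed itself (zero access items), that is success."""
    now = now or dt.datetime.now(dt.timezone.utc)
    body = build_campaign_body(identity_id, reviewer_id, filter_id,
                               f"Leaver - {identity_id}")
    status, campaign = send("POST", "/v3/campaigns", body)
    if status != 201:
        raise RuntimeError(f"create failed: {status}")
    cid = campaign["id"]
    status, _ = send("POST", f"/v3/campaigns/{cid}/activate", None)
    if status >= 400:
        # Step 4 error handling: distinguish "nothing to certify" from a real failure.
        _, current = send("GET", f"/v3/campaigns/{cid}", None)
        if current.get("status") == "COMPLETED":
            return cid, False
        raise RuntimeError(f"activate failed: {status}")
    send("PATCH", f"/v3/campaigns/{cid}", deadline_patch(now))
    send("POST", f"/v3/campaigns/{cid}/complete", COMPLETE_REVOKE)
    return cid, True


class FakeIsc:
    """Constructed stand-in for the ISC API so the flow runs offline. It only
    models the behaviour the flow above depends on, not real ISC semantics."""

    def __init__(self, items_by_identity):
        self.items = items_by_identity   # identity id -> standing access items
        self.campaigns = {}
        self.calls = []

    def __call__(self, method, path, body):
        self.calls.append((method, path))
        if (method, path) == ("POST", "/v3/campaigns"):
            cid = f"c{len(self.campaigns) + 1}"
            ident = body["searchCampaignInfo"]["query"]
            # Zero access items: the campaign completes straight away.
            status = "COMPLETED" if not self.items.get(ident) else "STAGED"
            self.campaigns[cid] = {"id": cid, "identity": ident, "status": status}
            return 201, self.campaigns[cid]
        c = self.campaigns[path.split("/")[3]]
        if path.endswith("/activate"):
            if c["status"] == "COMPLETED":
                return 400, {"message": "campaign is already completed"}
            c["status"] = "ACTIVE"
            return 202, {}
        if method == "GET":
            return 200, c
        if method == "PATCH":
            c["deadline"] = body[0]["value"]
            return 200, c
        if path.endswith("/complete"):
            if body["completeCampaignOptions"]["autoCompleteAction"] == "REVOKE":
                self.items[c["identity"]] = []   # revoke all remaining items
            c["status"] = "COMPLETED"
            return 202, {}
        return 404, {}


if __name__ == "__main__":
    fake = FakeIsc({"id-leaver": ["AD group A", "entitlement B"], "id-empty": []})
    print(remove_leaver_access("id-leaver", "id-mgr", "filter-1", fake), fake.items)
    print(remove_leaver_access("id-empty", "id-mgr", "filter-1", fake))
```

In a real workflow each `send` is one HTTP Request action, and the `GET` after a failed activate is the check the Error Handling branch in step 4 should make, so that a genuinely failed activation is not silently treated as "no access to remove".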

The problem is… that the client’s auditors do not permit using certifications for goals other than certification…

Okay, then I believe you have 2 options.

  1. Using a Before Provisioning Rule to remove all the entitlements: below is pseudo code and you may need to build the entire logic on top of it.
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
// identity and plan are assumed to be the rule's inputs, as in the original pseudo code
String LCS = (String) identity.getAttribute("cloudLifecycleState");
for (AccountRequest accountRequest : plan.getAccountRequests()) {
  String nativeIdentity = accountRequest.getNativeIdentity();
  if (nativeIdentity != null && "inactive".equalsIgnoreCase(LCS)) {
    List groups = new ArrayList();
    String domainUsersDN = "Domain Users FDN"; // placeholder: real DN of Domain Users, kept to avoid the removal error on that group
    groups.add(domainUsersDN);
    // Set replaces the whole memberOf list: only Domain Users stays, everything else is removed
    accountRequest.add(new AttributeRequest("memberOf", ProvisioningPlan.Operation.Set, groups));
  }
}
  2. Request the entitlements through an access profile instead of a direct entitlement request to avoid the sticky entitlements.

Hope this helps you.
