You can use a Before Provisioning Rule to loop through all the assigned entitlements and remove them, which would be custom-written code.
Since you are using Workflow, you can handle it in the Workflow itself by using a Certification Campaign. I have implemented the same scenario using Workflow as below.
Solution Summary:
- Trigger the workflow when the identity's LCS changes to inactive.
- Get the identity details by using the Get Identity action.
- Create a search-based certification campaign to remove all the standing access using the HTTP Request action.
- Filter: create an exclusion CAMPAIGN_FILTER to exclude default AD groups and add it to the campaign. This avoids deprovisioning errors in ISC on unremovable default AD groups like Domain Users; add any other access items to be excluded as well.
- name: give the campaign an appropriate name
- Set autoRevokeAllowed: true
- Set mandatoryCommentRequirement: NO_DECISIONS
- Set the searchCampaignInfo:
"searchCampaignInfo": { "query": "{{$.getLeaverIdentity.id}}", "reviewer": { "id": "Manager_ID", "type": "IDENTITY" }, "type": "IDENTITY" }
- Activate the certification campaign by using the Activate Certification Campaign action.
- Auto-complete the campaign:
- Set a variable and assign the current timestamp.
- Update the campaign deadline to today's date by assigning the variable value using the HTTP Request action.
- Update the campaign by setting autoCompleteAction: REVOKE.
If no access items are listed for an identity, the certification campaign will auto-complete before the Workflow activates it. So, you can handle the error using Error Handling in step 4.
I feel it is better than a Before Provisioning Rule because:
- Simple, and it can remove all access in one place (the cert campaign). It provides concise information in the campaign.
- Gives overall control in a Workflow for access removal across all the target sources.
- Avoids the workflow loop, which has an array limitation (no more than 100 items or 512KB) when an identity has a large number of entitlements.
- Gives flexibility to ignore access items or sources in removal operations by using an exclusion campaign filter.
You can also check this post for other approaches; the above is similar to option 1, Workflow to remove ALL leavers' standing access.
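The campaign sequence described in the answer above (create a search campaign for the leaver with an exclusion filter, activate it, pull the deadline to now, then complete it with REVOKE), written out as an added, stand-alone Python example rather than Workflow HTTP Request actions. This is not the poster's code. The ISC v3 endpoint paths, the JSON field names, and the use of the `/complete` endpoint to set `autoCompleteAction` are assumptions to be verified against the SailPoint API documentation; `FakeIscClient` is a constructed stand-in so the script runs offline and reproduces the one edge case the answer warns about, a campaign with no access items that is already COMPLETED before activation.

```python
"""
Added example (not from the original post): the leaver campaign sequence
described in the answer, driven from a script instead of Workflow HTTP Request
actions. Endpoint paths and field names are assumptions based on the ISC v3
API; verify them against the SailPoint API docs before use.
"""
import json
from datetime import datetime, timezone
from urllib import request


def campaign_filter_body(owner_id, excluded_groups):
    """EXCLUSION filter so unremovable default AD groups never become revoke items."""
    return {
        "name": "Leaver - exclude default AD groups",
        "description": "Groups ISC cannot deprovision (e.g. Domain Users)",
        "owner": {"type": "IDENTITY", "id": owner_id},
        "mode": "EXCLUSION",
        "criteriaList": [
            {"type": "ENTITLEMENT", "property": "name", "operation": "EQUALS", "value": g}
            for g in excluded_groups
        ],
    }


def campaign_body(identity_id, reviewer_id, filter_id):
    """Search-based campaign scoped to one identity, with the settings from the answer."""
    return {
        "name": f"Leaver standing access removal - {identity_id}",
        "description": "Auto-revoke all standing access for a leaver",
        "type": "SEARCH",
        "emailNotificationEnabled": False,
        "autoRevokeAllowed": True,
        "recommendationsEnabled": False,
        "mandatoryCommentRequirement": "NO_DECISIONS",
        "filter": {"type": "CAMPAIGN_FILTER", "id": filter_id},
        "searchCampaignInfo": {
            "type": "IDENTITY",
            "query": identity_id,
            "reviewer": {"type": "IDENTITY", "id": reviewer_id},
        },
    }


def deadline_patch(deadline_iso):
    """JSON Patch that pulls the deadline in so the campaign can be completed now."""
    return [{"op": "replace", "path": "/deadline", "value": deadline_iso}]


class IscClient:
    """Thin stdlib HTTP wrapper; base_url like https://<tenant>.api.identitynow.com (assumption)."""

    def __init__(self, base_url, bearer_token):
        self.base_url, self.token = base_url.rstrip("/"), bearer_token

    def call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = request.Request(self.base_url + path, data=data, method=method)
        req.add_header("Authorization", f"Bearer {self.token}")
        ctype = "application/json-patch+json" if method == "PATCH" else "application/json"
        req.add_header("Content-Type", ctype)
        with request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}


class FakeIscClient:
    """Constructed stand-in for offline runs. Records every call and reproduces the
    behaviour the answer warns about: a campaign with zero certifiable items is
    already COMPLETED before anything activates it."""

    def __init__(self, item_count):
        self.status = "COMPLETED" if item_count == 0 else "STAGED"
        self.calls = []

    def call(self, method, path, body=None):
        self.calls.append((method, path))
        if path.endswith("/activate"):
            self.status = "ACTIVE"
        elif path.endswith("/complete"):
            self.status = "COMPLETED"
        return {"id": "camp-1", "status": self.status}


def run_leaver_campaign(client, identity_id, reviewer_id, filter_id):
    """Create -> check status -> activate -> deadline = now -> complete with REVOKE."""
    created = client.call("POST", "/v3/campaigns", campaign_body(identity_id, reviewer_id, filter_id))
    cid = created["id"]
    # Step 4 edge case: nothing to certify means the campaign is already COMPLETED,
    # and activating it would fail; bail out instead of raising.
    if client.call("GET", f"/v3/campaigns/{cid}")["status"] == "COMPLETED":
        return "no-access-to-revoke"
    client.call("POST", f"/v3/campaigns/{cid}/activate")
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    client.call("PATCH", f"/v3/campaigns/{cid}", deadline_patch(now))
    # Assumption: completing with autoCompleteAction REVOKE revokes every undecided item.
    client.call("POST", f"/v3/campaigns/{cid}/complete", {"autoCompleteAction": "REVOKE"})
    return "revoked"


if __name__ == "__main__":
    fake = FakeIscClient(item_count=7)
    print(run_leaver_campaign(fake, "leaver-id", "manager-id", "filter-id"), fake.calls)
```

Swap `FakeIscClient` for `IscClient(base_url, token)` to run it against a tenant; the status check after creation is the script equivalent of the Error Handling branch on the activate step, and the exclusion filter is created once (`campaign_filter_body`) and reused by id for every leaver.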